Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2022 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    355KB

  • MD5

    2d497f4c12f1f0167fc10ecf35f723d4

  • SHA1

    96a8d7fead7f50bcc39ff986b289e9cc240a8f20

  • SHA256

    0d09a4ab3e8ceb83ed61d72f369dafe02bcfee6e57551b3a9077aee0a718aee8

  • SHA512

    9efb947c9bab3a0e29f80b0697ab621728f92b1fd08e6bea4143bf421634397ffd7ad5020f3b7314aca2818df1355f8986e9389fa8b006e660c14ad4381564a3

  • SSDEEP

    6144:K3e/3W0KIVKIV41+YlMQxQHyeNnCm0AO0MRll/UGk2YLJK2iRdh:KW3W0KIVKL+YlJFZtnpk2YLJmdh

Score
10/10
redlinelogsdiller cloud (tg: @mr_golds)infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

C2

51.89.201.21:7161

Attributes
  • auth_value

    4b2de03af6b6ac513ac597c2e6c1ad51

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1748
      • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
        "C:\Users\Admin\AppData\Local\Temp\setu2p.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
            PID:1612

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a9732977535cab08f7aed04c09231b90

      SHA1

      bae4367f80ad42fbf7da4683f24dfb2c5dd8e11a

      SHA256

      0b7879561c33a4af8fa97937479e0abdf00d0ade4d25db96097f621e4fd96f0e

      SHA512

      dac0cc0d93e8674946a524389815dca569860b80f2e0ffdb1238b9689543bd4dd491ce7d52a0eb7ed1be9b7934decadf94cf181d478edd6b844a80432b2dea0b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      fcca5d8a8af3426aeb3adde55b63bd56

      SHA1

      add2df1738a6400f80b25f2ba1c2d4b9df1b3c64

      SHA256

      f1962300bb7fe971f5fa288a5ae9bf4c6c0ae848481d150eb23d9dccbb61847b

      SHA512

      c367496d785aee0183b0a6aaa6bb4c99468ad5efe7be61ed06884607451093173909ee384f208e2379508c35a4e853b7505182cf4bd4919c9e86f374f14c5fd7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\18T9BPX2.txt
      Filesize

      603B

      MD5

      b56360687a06cbc1f23175ab66392966

      SHA1

      d6de2465ad748758ace404e9541167817afe4495

      SHA256

      a44b7ab6a211f3229acfd2fa8c9df41da27f65bcc640b526cc4653fd182d7d07

      SHA512

      c1fbafc8638a224d47013d56660f764e87f8d4229b6a22febc23b041176305260507acb0203180bf4a92582fa56029f31b6d180d056c832899e28ffdd89a618f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      fcca5d8a8af3426aeb3adde55b63bd56

      SHA1

      add2df1738a6400f80b25f2ba1c2d4b9df1b3c64

      SHA256

      f1962300bb7fe971f5fa288a5ae9bf4c6c0ae848481d150eb23d9dccbb61847b

      SHA512

      c367496d785aee0183b0a6aaa6bb4c99468ad5efe7be61ed06884607451093173909ee384f208e2379508c35a4e853b7505182cf4bd4919c9e86f374f14c5fd7

      Download Submit
    • memory/1064-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-80-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-76-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-85-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-84-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-82-0x0000000140003E0C-mapping.dmp
      Download
    • memory/1612-70-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-71-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-73-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-75-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-81-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-78-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-79-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1916-54-0x0000000000270000-0x00000000002CC000-memory.dmp
      Filesize

      368KB

      Download
    • memory/1916-63-0x0000000000270000-0x00000000002CC000-memory.dmp
      Filesize

      368KB

      Download
    • memory/2044-66-0x00000000753C1000-0x00000000753C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2044-64-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2044-65-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2044-62-0x000000000042217A-mapping.dmp
      Download
    • memory/2044-57-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2044-55-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download