Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2022 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    354KB

  • MD5

    d88420c2434798988676e6f9701366e3

  • SHA1

    cbc43218d94beb38e0af53ae7bcde9d8b60cb86b

  • SHA256

    0963fff5b1b19e7da2d72f54f54a5369ac466f0c8b76329ba70fd1c464858f9f

  • SHA512

    f40ecf553b25a4fdf4a88db37bb38866e09b2dbbc6807e0c4a1e66a807bca2fde775a44e3c512df8746347db279ca810892b63713ada65f58a4795e467fc338a

  • SSDEEP

    6144:2/3FwJdK4oe0M/+FPwFvE+eKp9nq0AOE553Bais8VFQ3nFYr7B5Rrh:QwJdK4oegFP4N+3BPtK3FWB7rh

Score
10/10
redlinelogsdiller cloud (tg: @logsdillabot)infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.89.201.21:7161

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1736
      • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
        "C:\Users\Admin\AppData\Local\Temp\setu2p.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
            PID:904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      56bbd352af44437fec0272109a234941

      SHA1

      45fe990875cea4721f3d73195599b1cf9449253d

      SHA256

      24dbcfc362528f6aea0e1b0d93f614ef4e0c8d79207f8aaa37e4c8d8feb6c71a

      SHA512

      d9ed53c4435e7651210bb9a5bed169a71b31b4f6f6efb26f1997f9f5b8fd697eaff7ee1f0669c1983a7a369d91a1d38997d9c8932c4b7ddf9b8e0731754c2e18

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      18370121966c2232532349fd68cad039

      SHA1

      3cd48792b7b4192ae2ebdea2f930f41fc1e1cdd1

      SHA256

      7bbc550599a810bceb80495a099d10ea9ffe079aa4b822bd4fa519b0a2bc9dfe

      SHA512

      912262ce576ce5f1338905106826a99c7b083a7a4f3e86c885ebf1bac1cb17a082710e301969ae001ee1d116ac06e0d0ee1214f0d2d5cdde8c2f7024d85e050f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      8b2dd9cb5b0e1a83e23d28b526b1d6b7

      SHA1

      5d6b8832bebd0e7b31dc115faea2e77ca2327e74

      SHA256

      c480fbc90e12a31f3ccfef4f0b8c7df7c621db09ee7257acd06c263ef535c2cf

      SHA512

      fdf460021ee6643a4790aa399f564eae7df14145c00304ed3a2801254804ed66b88ad3f29b72644e7976147ea522efc97ad331dd571f0609b6e9f7042c58924d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      3690cf078a73caed866daa16b8736379

      SHA1

      e3b003bb6b7cd55934db7adeb8fe7637d3551585

      SHA256

      75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831

      SHA512

      d7aa02e12541693abce188a34076fb415ec362fecae72b57702be69651645e75cdd5d59d255317c868ccd3f0b8dd387a19493bebefcb6bdb43be50ef5bf35f5b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2EEQUL7E.txt
      Filesize

      537B

      MD5

      0e9a73954fc8dc1c901d5744c0ca57ca

      SHA1

      cf43e76bdcea2a2f3b8e9d696fb2791745bb9a59

      SHA256

      2a12a437ad44e538cac99df7e378150d6b528021264ac0775f8314fedfeb162f

      SHA512

      a1513331e9a3f1f1c9314ede5eba105199a6927f3f2a6dfe2d038d5ee48d6e6e51ad9d9b76d90d07b02db5caf8d5963ea104eb519a8ea4e141365fb417bcfde5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      3690cf078a73caed866daa16b8736379

      SHA1

      e3b003bb6b7cd55934db7adeb8fe7637d3551585

      SHA256

      75c3eec8fb73808a164306423f673479d794c8d34a7cf55ae38d63623201d831

      SHA512

      d7aa02e12541693abce188a34076fb415ec362fecae72b57702be69651645e75cdd5d59d255317c868ccd3f0b8dd387a19493bebefcb6bdb43be50ef5bf35f5b

      Download Submit

    • memory/576-62-0x0000000000170000-0x00000000001CC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/832-61-0x000000000042218A-mapping.dmp

      Download

    • memory/832-65-0x0000000075911000-0x0000000075913000-memory.dmp

      Filesize

      8KB

      Download

    • memory/832-64-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/832-63-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/832-56-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/832-54-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/904-75-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-78-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-79-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-80-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-81-0x0000000140003E0C-mapping.dmp

      Download

    • memory/904-83-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-84-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-77-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-74-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-72-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-88-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

      Filesize

      8KB

      Download

    • memory/904-70-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/904-69-0x0000000140000000-0x0000000140022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1276-67-0x0000000000000000-mapping.dmp

      Download