Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2022 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    724KB

  • MD5

    06469b7e7904c634cdab3d3fe18a9ad3

  • SHA1

    bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7

  • SHA256

    fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734

  • SHA512

    3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e

  • SSDEEP

    12288:qQBRuwkLNx0mf0ZjwQsn7uFURmtEif3w74COR0oq7yGOVVuyUq0SWo0MLoimPMFP:qQBRtkLNx0I0Z9EivwECORR8Bo0MLQEp

Score
10/10
redlinelogsdiller cloud (tg: @logsdillabot)infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.89.201.21:7161

Attributes
  • auth_value

    3a050df92d0cf082b2cdaf87863616be

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1748
      • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
        "C:\Users\Admin\AppData\Local\Temp\setu2p.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
            PID:1040

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e61d902729e889069cf5ea6dbe231b9c

      SHA1

      f8f0f164839f1ca2c20094dbe328e5906b038860

      SHA256

      db74a0f0550c7524435c7d8d9df4ba4fccfc9e2456dc82fb6a28117173f834d6

      SHA512

      73489ee2d3e5a534a7685458679cf622b8c6d6a30c194ef37d774f113fa1c190b2a4b9d7559b7acf81fb57b24d1c2a279a17c39e9a0c0cd7da44efc7efdf74f0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      894a366bcce56733eeba3f3272036955

      SHA1

      db00b73a802de37bb6d9c9e785ffc73af7841391

      SHA256

      300a0ec0e4fe450a39e4cd376626bf3fa0cccd67302da59abb317bb5fdea4177

      SHA512

      fb0c6dc2bcd90d760586065f6291eb47fd4ed7740ceb6e326ac070fa6a062e4e40978d002938e5b988cd0ab7aef00f08aef5349b78c99c790da6f58ee77518cd

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      f8ef649f23d91afae4297c2f64b6932e

      SHA1

      0dc4c00ec55c796e298aabb42218f32aa6be1074

      SHA256

      9b63cad6afb61ced5c9b9b25cd296443c4017b528b05d9c961b98bf65e323ae8

      SHA512

      9e5a409a1bd0adcfab15f8da9b451f93813bc0d57b6404ec5542226471bbc26a2143dc299fa6800b34ab05372625d9d07aec033b8a0d1c2a853d7b84181aa0dc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      95230f05deb43f0adc402b128e331a9f

      SHA1

      2f732066b25f6c38b6d34d8cd5230cb0105aac9b

      SHA256

      feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb

      SHA512

      9fb99707ecb76268c6319b6f791fbb98b03e6fb86e26187c484df9c4cb2a255a7688aa5878b27c8c7ac2f31ddb44c36db2093002e0f01532862fb6753ebf662f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P8NYOF0B.txt
      Filesize

      608B

      MD5

      287d2aca4bbad71da084abdfe857d9dc

      SHA1

      1ba1eea8438dfe1afec664354e9a194ec72496a8

      SHA256

      4b479cd7f56e04263f66dcf7b7bb81b679150cc99c6530f7adc6cc1d63d648a3

      SHA512

      787d5287fafb5556ddd16c8ee6c30c750e1a4f9a29f5814e8ac814e89436814aadb5d7540548310ce010b6f4b71bd6b92f5061acd22d6c4cd3a0f9940c8b2f20

      Download Submit
    • \Users\Admin\AppData\Local\Temp\setu2p.exe
      Filesize

      344KB

      MD5

      95230f05deb43f0adc402b128e331a9f

      SHA1

      2f732066b25f6c38b6d34d8cd5230cb0105aac9b

      SHA256

      feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb

      SHA512

      9fb99707ecb76268c6319b6f791fbb98b03e6fb86e26187c484df9c4cb2a255a7688aa5878b27c8c7ac2f31ddb44c36db2093002e0f01532862fb6753ebf662f

      Download Submit
    • memory/768-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1040-75-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-78-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-70-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-72-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-74-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-69-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-77-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-88-0x000007FEFB801000-0x000007FEFB803000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1040-79-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-80-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-81-0x0000000140003E0C-mapping.dmp
      Download
    • memory/1040-83-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1040-84-0x0000000140000000-0x0000000140022000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1116-63-0x0000000000140000-0x00000000001F8000-memory.dmp
      Filesize

      736KB

      Download
    • memory/1472-54-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1472-64-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1472-62-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1472-65-0x0000000074D61000-0x0000000074D63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1472-61-0x000000000042218E-mapping.dmp
      Download
    • memory/1472-56-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download