Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2022, 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.4MB

  • MD5

    155ff01ee14dcaed6b0c933480a94326

  • SHA1

    8e703da3aeeb9194c3bc428a4ff41af246b10df3

  • SHA256

    bc0537a76eb2d88ea3d7a16560ec75d1c15d6a5408106d2e0e739db99477004d

  • SHA512

    ca0e4e9cf4a985f651cfbfad2fcaca8d94d4cdcbfc259996b15041981111b8ea5c6a2eaec5430f51f5b214361fc776ff15bb89c5f9d655de3e6508eba6cd6c2b

  • SSDEEP

    49152:cYiUzPiU7RRWgtvGg5QMiWCYbVmJ4Z6zfCpj8SLF4:di0PieWgtvrfxFZ6DdB

Score
10/10
redline1310infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1310

C2

79.137.192.57:48771

Attributes
  • auth_value

    feb5f5c29913f32658637e553762a40e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5076-138-0x0000000000410000-0x0000000000438000-memory.dmp

    Filesize

    160KB

    Download

  • memory/5076-137-0x0000000000412000-0x0000000000433000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5076-141-0x0000000005820000-0x0000000005E38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5076-142-0x00000000071B0000-0x00000000072BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5076-143-0x00000000057F0000-0x0000000005802000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5076-144-0x0000000005080000-0x00000000050BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5076-145-0x0000000007870000-0x0000000007E14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5076-146-0x00000000072C0000-0x0000000007352000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5076-147-0x0000000007360000-0x00000000073C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5076-148-0x00000000075A0000-0x0000000007762000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5076-149-0x0000000008350000-0x000000000887C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5076-150-0x00000000077F0000-0x0000000007866000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5076-151-0x0000000007770000-0x00000000077C0000-memory.dmp

    Filesize

    320KB

    Download