Overview

overview

10

Static

static

modest-menu.exe

windows7-x64

1

modest-menu.exe

windows10-2004-x64

10

Resubmissions

06-12-2022 02:26

221206-cw2b1agh66 10

05-12-2022 20:01

221205-yrjr2sed5t 1

Analysis

  • max time kernel
    151s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    modest-menu.exe

  • Size

    3.8MB

  • MD5

    5ff3e364b2c911a3a504db8ca8b357af

  • SHA1

    634576bc4beb40802faabc2832bf8966746d33e5

  • SHA256

    086cf9d70f774248002dd699663b21ffbff861b44068a1b468ae721b2813cf7a

  • SHA512

    9b6d4a06468818c707164c3e5389410e83cf10baaa1a4d8c5ea573681c241b565eef4ddca96066b0cb5a1277ce6ce7eab3416470dd7055d803f8cbe93af43b72

  • SSDEEP

    98304:73OMOXyx9YfGxGb1sPW7UHkvLw5mQTzd7W+HtdIOoQ7pCl:73OMay4fYasPfuL8ttdDoMpO

Score
10/10
redline@dxrkl0rdinfostealer

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

C2

193.106.191.160:8673

Attributes
  • auth_value

    9c8dd7353be7ed4b6832da21d8d0d902

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
    "C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
      2⤵
        PID:1952
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
        2⤵
          PID:4384
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
          2⤵
            PID:3424
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3064 -s 240
            2⤵
            • Program crash
            PID:4548
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 408 -p 3064 -ip 3064
          1⤵
            PID:2672

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3064-132-0x00007FF722DB0000-0x00007FF723415000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/3064-135-0x00007FF722DB0000-0x00007FF723415000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/3064-138-0x00007FF722DB0000-0x00007FF723415000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/4384-137-0x000000000042219E-mapping.dmp
            Download
          • memory/4384-136-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4384-139-0x00000000058E0000-0x0000000005EF8000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/4384-140-0x0000000005450000-0x000000000555A000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4384-141-0x0000000005380000-0x0000000005392000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4384-142-0x00000000053E0000-0x000000000541C000-memory.dmp
            Filesize

            240KB

            Download