Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2023, 07:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    878KB

  • MD5

    f221c06953a4fa1b25d42e34c34d383e

  • SHA1

    2830b735d7b26bce4a2e169b28d7b674a08e6e45

  • SHA256

    5166ac823f2d02351bdc7ee1787d3ba6bb6c15a79f27f3e7e7bd93e8f41410f8

  • SHA512

    00c65c5ca34c8afe83367019696c2fddfebeb596837d97ae428b66a49172ceb889c7b1cca5a95ddfa8b619abb27bcb475cc62b032dc7db17ed2abb89ea15f2c7

  • SSDEEP

    12288:v2iNWQJsgW2DuJ/lwmz4aidxGcX6J+1mW8e6XR78jmepZ12os43xmI8HSQ+3VH32:v1GgWuuJ/Gmz4air8Y0e6NdKZEb

Score
10/10
redline491discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

491

C2

49.12.247.184:18430

Attributes
  • auth_value

    e4a04ba28aeade46783239bdcf8e881f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/876-65-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-59-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-60-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-62-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-64-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-68-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/876-70-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1544-55-0x0000000076201000-0x0000000076203000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1544-56-0x0000000000530000-0x000000000053E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1544-57-0x0000000004CB0000-0x0000000004D22000-memory.dmp

          Filesize

          456KB

          Download

        • memory/1544-58-0x0000000004240000-0x0000000004272000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1544-54-0x00000000002D0000-0x00000000003B2000-memory.dmp

          Filesize

          904KB

          Download