Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2023, 07:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    878KB

  • MD5

    f221c06953a4fa1b25d42e34c34d383e

  • SHA1

    2830b735d7b26bce4a2e169b28d7b674a08e6e45

  • SHA256

    5166ac823f2d02351bdc7ee1787d3ba6bb6c15a79f27f3e7e7bd93e8f41410f8

  • SHA512

    00c65c5ca34c8afe83367019696c2fddfebeb596837d97ae428b66a49172ceb889c7b1cca5a95ddfa8b619abb27bcb475cc62b032dc7db17ed2abb89ea15f2c7

  • SSDEEP

    12288:v2iNWQJsgW2DuJ/lwmz4aidxGcX6J+1mW8e6XR78jmepZ12os43xmI8HSQ+3VH32:v1GgWuuJ/Gmz4air8Y0e6NdKZEb

Score
10/10
redline491discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

491

C2

49.12.247.184:18430

Attributes
  • auth_value

    e4a04ba28aeade46783239bdcf8e881f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
          Filesize

          1KB

          MD5

          84e77a587d94307c0ac1357eb4d3d46f

          SHA1

          83cc900f9401f43d181207d64c5adba7a85edc1e

          SHA256

          e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

          SHA512

          aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

          Download Submit

        • memory/2264-133-0x00000000053B0000-0x0000000005954000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2264-134-0x0000000004EA0000-0x0000000004F32000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2264-135-0x0000000004F40000-0x0000000004FDC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2264-136-0x0000000004E80000-0x0000000004E8A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2264-132-0x00000000003E0000-0x00000000004C2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/4252-140-0x00000000059D0000-0x0000000005FE8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4252-138-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4252-141-0x0000000005510000-0x000000000561A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4252-142-0x0000000005440000-0x0000000005452000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4252-143-0x0000000005620000-0x000000000565C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4252-144-0x0000000005880000-0x00000000058E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4252-145-0x0000000006480000-0x00000000064F6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4252-146-0x0000000006500000-0x0000000006550000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4252-147-0x0000000006D20000-0x0000000006EE2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4252-148-0x0000000007420000-0x000000000794C000-memory.dmp

          Filesize

          5.2MB

          Download