Overview

overview

10

Static

static

Impulse.exe

windows7-x64

10

Impulse.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2023 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Impulse.exe

  • Size

    243KB

  • MD5

    3ec84ba5702734f2437bc253031d956f

  • SHA1

    3e8d961af62a30750c4aa7e60ed1b1a75201ab82

  • SHA256

    1e2085bb3e6b9e2daf2b4e72a376aa135e8b56c565ce9f5d62cb0744f4b1870f

  • SHA512

    227e5e70bb7954c1654b550c8ec79bccc39cc6d2faccc730e28a23a35e7719d8b2a2a5187697b445355d803d5866c01add9657f62d7b1b670119c19e3d7390e0

  • SSDEEP

    6144:pPg0X7R2qaFlWfBo+lguIHqyYkn9jCcaREeF0Kjprewfg:p7R2Z/kBo9qyb9jCcaRE+fg

Score
10/10
redline6impulsdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

6impuls

C2

167.235.233.35:16621

Attributes
  • auth_value

    339578445a7d0df5895e9a1a8d4f16cb

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Impulse.exe
    "C:\Users\Admin\AppData\Local\Temp\Impulse.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\Impulse.exe
      "C:\Users\Admin\AppData\Local\Temp\Impulse.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2512-138-0x00000000052C0000-0x00000000053CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2512-140-0x0000000005490000-0x00000000054F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2512-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2512-135-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2512-136-0x00000000057D0000-0x0000000005DE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2512-137-0x0000000002CB0000-0x0000000002CC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2512-146-0x0000000008010000-0x000000000853C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2512-139-0x0000000002D10000-0x0000000002D4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2512-145-0x0000000007910000-0x0000000007AD2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2512-141-0x0000000006090000-0x0000000006122000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2512-142-0x0000000006130000-0x0000000006180000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2512-143-0x0000000006280000-0x00000000062F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2512-144-0x0000000006070000-0x000000000608E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3044-132-0x0000000000CB0000-0x0000000000CF4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3044-133-0x0000000005B80000-0x0000000006124000-memory.dmp

    Filesize

    5.6MB

    Download