Analysis

  • max time kernel
    132s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2023 18:57

General

  • Target
    9e9f78c11d98add9862c8931b4dccd231d983e2500c6c4730a8f66406ad4700a.exe
  • Size
    675KB
  • MD5
    0b010d126dd498b74a84fd12a78a5d9f
  • SHA1
    d8c3f2111812f908a186e0b96049bcf482446625
  • SHA256
    9e9f78c11d98add9862c8931b4dccd231d983e2500c6c4730a8f66406ad4700a
  • SHA512
    4b089805bf0c11d1b711d6f088f251eb86d71b62611437e75c06e74eb9caa4fe6906f6f0a7f20e25f64d87a078fbb5691d083630fdb82ad3251ac46a4850deba
  • SSDEEP
    12288:SX+oASeSGEICzkHKYz4WeImE8C2Gu+6WG:qsCKn1zu+

Malware Config

Extracted

  • Family
    redline
  • Botnet
    Adan Tylor
  • C2
    91.211.251.112:3214

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e9f78c11d98add9862c8931b4dccd231d983e2500c6c4730a8f66406ad4700a.exe
    "C:\Users\Admin\AppData\Local\Temp\9e9f78c11d98add9862c8931b4dccd231d983e2500c6c4730a8f66406ad4700a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      PID:2204
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3508


    Downloads

    • memory/2204-134-0x0000000000000000-mapping.dmp
    • memory/3508-135-0x0000000000000000-mapping.dmp
    • memory/3508-137-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
    • memory/3508-138-0x00000000052F0000-0x0000000005366000-memory.dmp (472KB)
    • memory/3508-139-0x0000000005370000-0x000000000538E000-memory.dmp (120KB)
    • memory/3508-140-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
    • memory/3508-141-0x00000000059B0000-0x0000000005FC8000-memory.dmp (6.1MB)
    • memory/3508-142-0x0000000005440000-0x0000000005452000-memory.dmp (72KB)
    • memory/3508-143-0x00000000054A0000-0x00000000054DC000-memory.dmp (240KB)
    • memory/3508-144-0x0000000005740000-0x000000000584A000-memory.dmp (1.0MB)
    • memory/3736-136-0x0000000000AB0000-0x0000000000AB6000-memory.dmp (24KB)