Overview

overview

10

Static

static

1

install.exe

windows7-x64

10

install.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2023 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    install.exe

  • Size

    455.6MB

  • MD5

    e978d748e3b129089e278595339c9107

  • SHA1

    efebeb35cc9dba6eea6b375315db46d3c9729755

  • SHA256

    914a521462d40365f01e6adbeca888ce6e8da477c69f9711d567408493ecf0e6

  • SHA512

    d069c77dd867efe232ae6933a610dfcb98066918786d25835c708b8afb8eefae600d1c67448e1497182476b8efb79a4503d1baecb6936b9e404b03d143f86b7f

  • SSDEEP

    24576:60EmWf5YB0BsfB5Mjr3Cn5YZk4qMWPmpFld4SKvpHNw:6ifYjr3o5YZyPil5KvpHa

Score
10/10
redline11discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

11

C2

179.43.180.18:22733

Attributes
  • auth_value

    ea25d6e2e1b88bada14c3c0e27499d81

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\install.exe
      "{path}"
      2⤵
        PID:392
      • C:\Users\Admin\AppData\Local\Temp\install.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3592

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\install.exe.log
      Filesize

      1KB

      MD5

      e7473990edf901c1e1bef76f6095f55b

      SHA1

      f03b370492bbcc5280982886f9688eb8da762c8f

      SHA256

      5fea4747d97c0dbc097902818ae754eaca7214913a52d3bb1372a6274ce0292a

      SHA512

      ab93f14371dfae858bbad7d98c95055186f60b30937057f71b3d1ad17ab08b5ab7820a33bc5b3e74c485ec38e6b7a1772077add591d313175c10b4ff94bcb689

      Download Submit
    • memory/392-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2012-132-0x0000000000080000-0x00000000001B0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2012-133-0x0000000004B10000-0x0000000004BAC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2012-134-0x0000000005270000-0x0000000005814000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2012-135-0x0000000004CC0000-0x0000000004D52000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2012-136-0x0000000004C40000-0x0000000004C4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2012-137-0x0000000004EA0000-0x0000000004EF6000-memory.dmp
      Filesize

      344KB

      Download
    • memory/3592-140-0x0000000000400000-0x0000000000432000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3592-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3592-142-0x0000000005560000-0x0000000005B78000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3592-143-0x00000000050E0000-0x00000000051EA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3592-144-0x0000000005010000-0x0000000005022000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3592-145-0x00000000050A0000-0x00000000050DC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3592-146-0x0000000005380000-0x00000000053E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3592-147-0x00000000061E0000-0x00000000063A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3592-148-0x0000000006F20000-0x000000000744C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3592-149-0x0000000006BB0000-0x0000000006C26000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3592-150-0x0000000006C30000-0x0000000006C80000-memory.dmp
      Filesize

      320KB

      Download