Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2023 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    724KB

  • MD5

    0aa866014807c995498bc2bcbfd3c088

  • SHA1

    92f0336d4de6e186c65ec4dff95b3f84aa776b0f

  • SHA256

    440fcaf7f11dcb34e2ee9140c5ad940a85a23dd53fb7cada3fd8669ce08ed2d3

  • SHA512

    f675b647a85415077921e43cec5c00dcd543bfda4b57cb39c478780633c5e7929fab6a93689fa38280bac01482210029e85f00d99537893824ec29ec72bd2d4c

  • SSDEEP

    12288:vMrBy90OTj2smCQqomkEs3ZMu0H3eeJ7t5OYhDODWUPn2y:WyPffVQqZNs3ZMVPKZXv2y

Score
10/10
redlinedunmdiscoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes
  • auth_value

    352959e3707029296ec94306d74e2334

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gEq90dd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gEq90dd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gop91Bd.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gop91Bd.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\acI32oi.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\acI32oi.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gEq90dd.exe
    Filesize

    620KB

    MD5

    1c6eeebbb7095e5343bbf243545bf317

    SHA1

    28be9388013c5049e0de2c4c2a416391450ca186

    SHA256

    5e0693840ae31eb67425da4d396afdcaeb7b1244327fe70b9e75593ab734eeeb

    SHA512

    980861befbd36f3d5aac24e00a29b9e855b29596c37a3ca90d9f4b9cb96e7f32fac02ca134771bbfb4ef6168a193db83941688da6d64d89b1ec7deaadd74f69d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gEq90dd.exe
    Filesize

    620KB

    MD5

    1c6eeebbb7095e5343bbf243545bf317

    SHA1

    28be9388013c5049e0de2c4c2a416391450ca186

    SHA256

    5e0693840ae31eb67425da4d396afdcaeb7b1244327fe70b9e75593ab734eeeb

    SHA512

    980861befbd36f3d5aac24e00a29b9e855b29596c37a3ca90d9f4b9cb96e7f32fac02ca134771bbfb4ef6168a193db83941688da6d64d89b1ec7deaadd74f69d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gop91Bd.exe
    Filesize

    286KB

    MD5

    de6cf3719213c0cb44e477d0bfac3c36

    SHA1

    60e760e7e1e616a1066d5f2b62e9d8e1630ecc6c

    SHA256

    beaed10894a137fdeb016beed485fc7df6198185d506fd65b557faabd4f48c0d

    SHA512

    4f9cf7258076e3f28cf0f3d842afd74bc07cf38dc5914751c388e64458c61f967b02f88ce2f40be14aa45e9c63fb5562d7dda878bba6c2435f6eadef74cade5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gop91Bd.exe
    Filesize

    286KB

    MD5

    de6cf3719213c0cb44e477d0bfac3c36

    SHA1

    60e760e7e1e616a1066d5f2b62e9d8e1630ecc6c

    SHA256

    beaed10894a137fdeb016beed485fc7df6198185d506fd65b557faabd4f48c0d

    SHA512

    4f9cf7258076e3f28cf0f3d842afd74bc07cf38dc5914751c388e64458c61f967b02f88ce2f40be14aa45e9c63fb5562d7dda878bba6c2435f6eadef74cade5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\acI32oi.exe
    Filesize

    175KB

    MD5

    69f79e05d0c83aee310d9adfe5aa7f2b

    SHA1

    485c490180380051a14316564fbda07723be11b1

    SHA256

    c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

    SHA512

    f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\acI32oi.exe
    Filesize

    175KB

    MD5

    69f79e05d0c83aee310d9adfe5aa7f2b

    SHA1

    485c490180380051a14316564fbda07723be11b1

    SHA256

    c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

    SHA512

    f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

    Download Submit

  • memory/1356-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1464-142-0x0000000005460000-0x0000000005A78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1464-146-0x0000000002580000-0x00000000025E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1464-141-0x0000000000540000-0x0000000000572000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1464-152-0x0000000006090000-0x00000000060E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1464-143-0x0000000004FE0000-0x00000000050EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1464-144-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1464-145-0x0000000004F80000-0x0000000004FBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1464-138-0x0000000000000000-mapping.dmp

    Download

  • memory/1464-147-0x0000000005E60000-0x0000000005EF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1464-148-0x00000000064B0000-0x0000000006A54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1464-149-0x0000000006260000-0x0000000006422000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1464-150-0x0000000006F90000-0x00000000074BC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1464-151-0x0000000006110000-0x0000000006186000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1696-132-0x0000000000000000-mapping.dmp

    Download