Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16-02-2023 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc0d5b37125864e9c1567612373b54fc84642c21b1c48eb4d55641b144dbe1af.exe

  • Size

    500KB

  • MD5

    fe38008e6d81346e69bcb54e62b5f8b8

  • SHA1

    ad9bf96ba806c12a347f7805004856550f87de76

  • SHA256

    dc0d5b37125864e9c1567612373b54fc84642c21b1c48eb4d55641b144dbe1af

  • SHA512

    d2dc99fef5b240a8c4d51e9047c6d81d9b09a2691222095bc6616e8faed6562aeffe9fb3f9d4c7e44bc547b1a1c9c8d7c866fb92bac8d4fcb75403bf7b9aaa63

  • SSDEEP

    12288:ZMrcy90yTKfltNecyIObkK5/2LprRWJkXTxGOHxe:ByR+ocRObkaOLlMJkjU60

Score
10/10
redlinefukiadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc0d5b37125864e9c1567612373b54fc84642c21b1c48eb4d55641b144dbe1af.exe
    "C:\Users\Admin\AppData\Local\Temp\dc0d5b37125864e9c1567612373b54fc84642c21b1c48eb4d55641b144dbe1af.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyr33EM.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyr33EM.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
    Filesize

    355KB

    MD5

    54dac0ddc806c65d9541f8be3f206cf1

    SHA1

    6fb38e9b2fd47825f06e86cea71bfbffc55e03fb

    SHA256

    d998ec79c95653cfa381769da112666870fef2856913cde1627bc734d9ed84b7

    SHA512

    36d2131302821da55da300ec4b3140a278b871ba9a2a63152c24b377501231b80b5db389e3b038c6dc341c32fec970dadf54cf2baed88e2a12013aef2b47c3b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
    Filesize

    355KB

    MD5

    54dac0ddc806c65d9541f8be3f206cf1

    SHA1

    6fb38e9b2fd47825f06e86cea71bfbffc55e03fb

    SHA256

    d998ec79c95653cfa381769da112666870fef2856913cde1627bc734d9ed84b7

    SHA512

    36d2131302821da55da300ec4b3140a278b871ba9a2a63152c24b377501231b80b5db389e3b038c6dc341c32fec970dadf54cf2baed88e2a12013aef2b47c3b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyr33EM.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dyr33EM.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
    Filesize

    295KB

    MD5

    304766f61a677814af31d2737d118b6f

    SHA1

    213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4

    SHA256

    07c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac

    SHA512

    08c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
    Filesize

    295KB

    MD5

    304766f61a677814af31d2737d118b6f

    SHA1

    213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4

    SHA256

    07c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac

    SHA512

    08c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\fxe51Xe.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
    Filesize

    355KB

    MD5

    54dac0ddc806c65d9541f8be3f206cf1

    SHA1

    6fb38e9b2fd47825f06e86cea71bfbffc55e03fb

    SHA256

    d998ec79c95653cfa381769da112666870fef2856913cde1627bc734d9ed84b7

    SHA512

    36d2131302821da55da300ec4b3140a278b871ba9a2a63152c24b377501231b80b5db389e3b038c6dc341c32fec970dadf54cf2baed88e2a12013aef2b47c3b6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\nUq79xc59.exe
    Filesize

    355KB

    MD5

    54dac0ddc806c65d9541f8be3f206cf1

    SHA1

    6fb38e9b2fd47825f06e86cea71bfbffc55e03fb

    SHA256

    d998ec79c95653cfa381769da112666870fef2856913cde1627bc734d9ed84b7

    SHA512

    36d2131302821da55da300ec4b3140a278b871ba9a2a63152c24b377501231b80b5db389e3b038c6dc341c32fec970dadf54cf2baed88e2a12013aef2b47c3b6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\dyr33EM.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
    Filesize

    295KB

    MD5

    304766f61a677814af31d2737d118b6f

    SHA1

    213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4

    SHA256

    07c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac

    SHA512

    08c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
    Filesize

    295KB

    MD5

    304766f61a677814af31d2737d118b6f

    SHA1

    213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4

    SHA256

    07c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac

    SHA512

    08c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\eXG87HA.exe
    Filesize

    295KB

    MD5

    304766f61a677814af31d2737d118b6f

    SHA1

    213a7e70d4f7d13e17ddff12152bcfe2c1cc2de4

    SHA256

    07c33396ed7ec1b40808aae921c50c552dc21b08beabbd5541b9fc9f062e08ac

    SHA512

    08c9202e988e4f6518a14f37b19eefc8b5901a2c07472140303c48535b67830e956759db3738b3bf63559220cb1e59f8045a2fad5d84530e9cb2e670740441ea

    Download Submit

  • memory/700-86-0x00000000012F0000-0x0000000001322000-memory.dmp

    Filesize

    200KB

    Download

  • memory/700-81-0x0000000000000000-mapping.dmp

    Download

  • memory/852-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1176-77-0x0000000000400000-0x00000000005C6000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1176-76-0x0000000000250000-0x000000000027D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1176-78-0x000000000070F000-0x000000000072F000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1176-79-0x0000000000400000-0x00000000005C6000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1176-75-0x000000000070F000-0x000000000072F000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1176-74-0x0000000000DD0000-0x0000000000DE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1176-73-0x0000000000960000-0x000000000097A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1176-68-0x0000000000000000-mapping.dmp

    Download

  • memory/1272-65-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1272-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1292-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

    Filesize

    8KB

    Download