Overview

overview

10

Static

static

1

002776c37d...a2.exe

windows7-x64

10

002776c37d...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2023, 23:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    002776c37d85fcca57dfea495f529bceb725f280e2fefdaad8cf98601f9ab8a2.exe

  • Size

    1.3MB

  • MD5

    62cab663d218c152d00ef98f1b4a4cf7

  • SHA1

    435a083ebfed6445e8ee1d487fad1a1ffdd3c9a1

  • SHA256

    002776c37d85fcca57dfea495f529bceb725f280e2fefdaad8cf98601f9ab8a2

  • SHA512

    963f73b7bdca3ac9edad11554e19a0bd89eefcea9ebc6c794506c2efa7443dc07249279639bd979cabdc5d06ac58fbd204e33095d2c16c87a2c1d78e0114f88f

  • SSDEEP

    24576:4yvwJJmioZPBAU7mUyv9pDk6Bz3TpSy3oc0aMm7shAXzeHMrbV761:/wJ4MWmUyFpDkez3Tp935Mm7s+jeHMHp

Score
10/10
redlinerouchevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rouch

C2

193.56.146.11:4162

Attributes
  • auth_value

    1b1735bcfc122c708eae27ca352568de

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\002776c37d85fcca57dfea495f529bceb725f280e2fefdaad8cf98601f9ab8a2.exe
    "C:\Users\Admin\AppData\Local\Temp\002776c37d85fcca57dfea495f529bceb725f280e2fefdaad8cf98601f9ab8a2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBk1509sJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBk1509sJ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptEC5145xi.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptEC5145xi.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptHy8694oO.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptHy8694oO.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptQP8092Yh.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptQP8092Yh.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptdj6654mk.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptdj6654mk.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:3676
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBb76xg18.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBb76xg18.exe
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Executes dropped EXE
                • Windows security modification
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1060
              • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuWy67ym81.exe
                C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuWy67ym81.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1568

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    210.81.184.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.81.184.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.104.205.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.104.205.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.238.32.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.238.32.23.in-addr.arpa
    IN PTR
    Response
    97.238.32.23.in-addr.arpa
    IN PTR
    a23-32-238-97deploystaticakamaitechnologiescom
  • flag-us
    DNS
    64.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.13.109.52.in-addr.arpa
    IN PTR
    Response
  • 193.56.146.11:4162
    cuWy67ym81.exe
    260 B
     5
  • 40.79.141.153:443
    322 B
     7
  • 193.56.146.11:4162
    cuWy67ym81.exe
    260 B
     5
  • 193.56.146.11:4162
    cuWy67ym81.exe
    260 B
     5
  • 173.223.113.164:443
    322 B
     7
  • 193.56.146.11:4162
    cuWy67ym81.exe
    260 B
     5
  • 193.56.146.11:4162
    cuWy67ym81.exe
    260 B
     5
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    210.81.184.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    210.81.184.52.in-addr.arpa

  • 8.8.8.8:53
    58.104.205.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    58.104.205.20.in-addr.arpa

  • 8.8.8.8:53
    97.238.32.23.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    97.238.32.23.in-addr.arpa

  • 8.8.8.8:53
    64.13.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    64.13.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBk1509sJ.exe
    Filesize

    1.2MB

    MD5

    d012a754a22114dabcc026d1454e4a57

    SHA1

    f5f944b9a67846f8693d809b2283761f96582ceb

    SHA256

    15687588a64caddf2e8b8a2c6848a029cd3af94a162734383532d83df58b5b59

    SHA512

    c631361eef9226c60385e4e6255ab0fb502af98f5baf1c80c6e8a3b51a17372d648a52fed67d63b33eba455381e695bf808750713d95fa19b91959803ec32a21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBk1509sJ.exe
    Filesize

    1.2MB

    MD5

    d012a754a22114dabcc026d1454e4a57

    SHA1

    f5f944b9a67846f8693d809b2283761f96582ceb

    SHA256

    15687588a64caddf2e8b8a2c6848a029cd3af94a162734383532d83df58b5b59

    SHA512

    c631361eef9226c60385e4e6255ab0fb502af98f5baf1c80c6e8a3b51a17372d648a52fed67d63b33eba455381e695bf808750713d95fa19b91959803ec32a21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptEC5145xi.exe
    Filesize

    1.0MB

    MD5

    474f424f4aadf8e4d697b57e00a55709

    SHA1

    ccccd9a03e149610f8a24ab358ef675120909d1a

    SHA256

    fea441550b126056661a0d297fb09bf7e17655f91edf0e5663048a76163c6331

    SHA512

    e7b11038c6e3d36571f636e6351fd2b8a9b973fc68d22861350b04f57c8a581ff1d2be1adca4f1f3a8462158c3858b7bd37c793e0cbe04391af8f592c25f3878

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptEC5145xi.exe
    Filesize

    1.0MB

    MD5

    474f424f4aadf8e4d697b57e00a55709

    SHA1

    ccccd9a03e149610f8a24ab358ef675120909d1a

    SHA256

    fea441550b126056661a0d297fb09bf7e17655f91edf0e5663048a76163c6331

    SHA512

    e7b11038c6e3d36571f636e6351fd2b8a9b973fc68d22861350b04f57c8a581ff1d2be1adca4f1f3a8462158c3858b7bd37c793e0cbe04391af8f592c25f3878

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptHy8694oO.exe
    Filesize

    935KB

    MD5

    3e41d36efb2e9c26dc9f35bd057b8ea7

    SHA1

    471f1c72bb88aecfc4ca661e35e3ba6ea4fe0418

    SHA256

    1c5a6c6683d2d3b995f5d5ff6e22aa18c38d4d2552a19f27ca5b5b7dd88e88d4

    SHA512

    9343d101c37045d507aed058d2b9e14930ddcf42dc664e1ff95d8ab7999c02a0998de3e462f3b776130863cd3d2dfab989fe77cdc01aecc17e05aefac5df070f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptHy8694oO.exe
    Filesize

    935KB

    MD5

    3e41d36efb2e9c26dc9f35bd057b8ea7

    SHA1

    471f1c72bb88aecfc4ca661e35e3ba6ea4fe0418

    SHA256

    1c5a6c6683d2d3b995f5d5ff6e22aa18c38d4d2552a19f27ca5b5b7dd88e88d4

    SHA512

    9343d101c37045d507aed058d2b9e14930ddcf42dc664e1ff95d8ab7999c02a0998de3e462f3b776130863cd3d2dfab989fe77cdc01aecc17e05aefac5df070f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptQP8092Yh.exe
    Filesize

    666KB

    MD5

    28b4c5e70eee3019e5482fe12310d8ad

    SHA1

    2461e053ba54c6ae186ef2ffd79599d0a7338cb8

    SHA256

    7d1c2617f9cb41cf0e30d7251496f3d0eae53d596a6b385eeaf9545234963d22

    SHA512

    7b70c540fcdbe6cd83474b0ef4f8b3ceccc0e9357f7a3b7bb374311d3f1fab82744eb0fa30246f123b8eaeeb9fb91dcd380c2c661c1b24654d3684e04b6fc1bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptQP8092Yh.exe
    Filesize

    666KB

    MD5

    28b4c5e70eee3019e5482fe12310d8ad

    SHA1

    2461e053ba54c6ae186ef2ffd79599d0a7338cb8

    SHA256

    7d1c2617f9cb41cf0e30d7251496f3d0eae53d596a6b385eeaf9545234963d22

    SHA512

    7b70c540fcdbe6cd83474b0ef4f8b3ceccc0e9357f7a3b7bb374311d3f1fab82744eb0fa30246f123b8eaeeb9fb91dcd380c2c661c1b24654d3684e04b6fc1bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptdj6654mk.exe
    Filesize

    391KB

    MD5

    1e0f8ecb339f0e9fecdc45c885507a67

    SHA1

    0e12114090dadb4244084eedd2cea5f79eb95a9a

    SHA256

    db886d48ee3cb46a07c55908bcf01af03d3f3e4baff9ecef1bd12848064aaab2

    SHA512

    673cd445c86696d8031f150c9b23bd036553a40583b6a7767109bc17fd02bd29e8ce08c67b008531b64b8c578e719910bf8b45ecd51e4257e267e95f3751f102

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptdj6654mk.exe
    Filesize

    391KB

    MD5

    1e0f8ecb339f0e9fecdc45c885507a67

    SHA1

    0e12114090dadb4244084eedd2cea5f79eb95a9a

    SHA256

    db886d48ee3cb46a07c55908bcf01af03d3f3e4baff9ecef1bd12848064aaab2

    SHA512

    673cd445c86696d8031f150c9b23bd036553a40583b6a7767109bc17fd02bd29e8ce08c67b008531b64b8c578e719910bf8b45ecd51e4257e267e95f3751f102

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBb76xg18.exe
    Filesize

    11KB

    MD5

    d4d85643b7fac92d62acadf7b6f62310

    SHA1

    49f17fec10ce02b6f26635e1366661e5d92cdf4e

    SHA256

    bb9ded5e3e79f1ba1c44e9f7f2a802a0fbad93c867b83aaae439578efd65ece1

    SHA512

    364b640f8221fde7ab0865053406d468893b017f3ca5af54d2d9b08c4fecae5f9d1c53a9117baa392b02079727a30b3c251c41026d970198a918dc3c45c98f4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBb76xg18.exe
    Filesize

    11KB

    MD5

    d4d85643b7fac92d62acadf7b6f62310

    SHA1

    49f17fec10ce02b6f26635e1366661e5d92cdf4e

    SHA256

    bb9ded5e3e79f1ba1c44e9f7f2a802a0fbad93c867b83aaae439578efd65ece1

    SHA512

    364b640f8221fde7ab0865053406d468893b017f3ca5af54d2d9b08c4fecae5f9d1c53a9117baa392b02079727a30b3c251c41026d970198a918dc3c45c98f4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beBb76xg18.exe
    Filesize

    11KB

    MD5

    d4d85643b7fac92d62acadf7b6f62310

    SHA1

    49f17fec10ce02b6f26635e1366661e5d92cdf4e

    SHA256

    bb9ded5e3e79f1ba1c44e9f7f2a802a0fbad93c867b83aaae439578efd65ece1

    SHA512

    364b640f8221fde7ab0865053406d468893b017f3ca5af54d2d9b08c4fecae5f9d1c53a9117baa392b02079727a30b3c251c41026d970198a918dc3c45c98f4f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuWy67ym81.exe
    Filesize

    304KB

    MD5

    9c3e7c5879f2758bb2add2fbf488ed16

    SHA1

    c5a2662767f97a4860f33a9fe6cace435a3c1b02

    SHA256

    7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

    SHA512

    0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuWy67ym81.exe
    Filesize

    304KB

    MD5

    9c3e7c5879f2758bb2add2fbf488ed16

    SHA1

    c5a2662767f97a4860f33a9fe6cace435a3c1b02

    SHA256

    7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

    SHA512

    0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuWy67ym81.exe
    Filesize

    304KB

    MD5

    9c3e7c5879f2758bb2add2fbf488ed16

    SHA1

    c5a2662767f97a4860f33a9fe6cace435a3c1b02

    SHA256

    7ec2ec7a2ee43e8dc5523be5af507bcf31f19dfed1faa303314729d2fe456acf

    SHA512

    0808e8e4d00ffe2201f792095081c7fc1678ef3d75d8ae1e6d18363d1693a4bf3c1458252209a6ebd13255d8eb43c9eed45d8029a409ed511fbe3020e8b7ae8a

    Download Submit

  • memory/1060-175-0x0000000000230000-0x000000000023A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1568-181-0x00000000006E0000-0x000000000072B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1568-182-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-183-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-184-0x0000000004D40000-0x00000000052E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1568-185-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-186-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-188-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-190-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-194-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-196-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-192-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-200-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-204-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-202-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-206-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-198-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-210-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-208-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-216-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-214-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-212-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-218-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-220-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-222-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-226-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-230-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-228-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-224-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-234-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-232-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-239-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-237-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-241-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-236-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-243-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-245-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-249-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-247-0x00000000026F0000-0x000000000272E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1568-1092-0x00000000052F0000-0x0000000005908000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1568-1093-0x0000000005910000-0x0000000005A1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1568-1094-0x0000000004C80000-0x0000000004C92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1568-1095-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1568-1096-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-1098-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-1099-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-1100-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1568-1101-0x0000000004D30000-0x0000000004D40000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.