Overview

overview

10

Static

static

1

Bonk_Deskt...cr.exe

windows7-x64

10

Bonk_Deskt...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19/03/2023, 07:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Bonk_Desktop-2.5.1-win64.scr.exe

  • Size

    1.6MB

  • MD5

    d611f6db4e89addeec8353aa6bf1ba73

  • SHA1

    56ada47afb2425c56f0cb406f52bcefcfe99cc6a

  • SHA256

    cdc7fec4fe988cddbe0c2cc63610d2503c0205ff47ae7cad7f08ae36c3d84498

  • SHA512

    d22eb5dbe843f6d61d8e40218862c86418f6f1f9350f085169c358b18372f420807536b2d35dd14e969648fe540bfcbd6920b1df0a2f45a9770febbfd4fadf68

  • SSDEEP

    12288:ms5WXho3nTu7FOeBKpHmM7ShW0sJLAltXy6GkJROHRnz+y+W:55XeoHmNhW002tlG7D

Score
10/10
redline11.03.bonkinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

11.03.BONK

C2

94.130.181.125:37659

Attributes
  • auth_value

    0bba02a10b2737292331dae660c844c0

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bonk_Desktop-2.5.1-win64.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Bonk_Desktop-2.5.1-win64.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 120
      2⤵
      • Program crash
      PID:1224

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1204-54-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1204-58-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1204-56-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/1204-59-0x0000000000200000-0x0000000000206000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1204-60-0x0000000004A20000-0x0000000004A60000-memory.dmp

          Filesize

          256KB

          Download