Overview

overview

10

Static

static

1

51cf01a1b3...ff.exe

windows7-x64

10

51cf01a1b3...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2023 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51cf01a1b30d1835442e273ad768b7ff.exe

  • Size

    700KB

  • MD5

    51cf01a1b30d1835442e273ad768b7ff

  • SHA1

    24b6271e5a77d6ea10b7d98598ecf61b69408638

  • SHA256

    e7ab05b31c06d3b408344aca29a87032eea3b77e7734e4b8c30e593dbef095cb

  • SHA512

    6c201e09d64f5eb54bc143cad3fd0c5af210adb27cad042ddf581dcd9a20ec0095db706ddcff00ce5d5de0612a11eebe9292101c137216c127106bfd8cbc97a8

  • SSDEEP

    12288:+Mrny90T5X+h+NhIQSXu9DukcAoMiKwwpT7ZXv1SJjCAERzU:Ry5+4QSXkoMdww1jKj8RzU

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51cf01a1b30d1835442e273ad768b7ff.exe
    "C:\Users\Admin\AppData\Local\Temp\51cf01a1b30d1835442e273ad768b7ff.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1456

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
    Filesize

    175KB

    MD5

    0d5e4c45ee0d8f38b9bef529923c62d8

    SHA1

    ae52fb0a557f6b2a0bcebca35712ed7e8f88cd38

    SHA256

    4d728d888d172a52f4525249287178b1754affe474f607f019b4957186ca6b8a

    SHA512

    4be62a90eedd0cd3dbb8ad29446909f2af188310059fe5191e0c48e3eedaec21e8b0ab0d2827ab37cc1df200f7607d566c1f02693acc3070fa6f6a3ec2388d2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
    Filesize

    175KB

    MD5

    0d5e4c45ee0d8f38b9bef529923c62d8

    SHA1

    ae52fb0a557f6b2a0bcebca35712ed7e8f88cd38

    SHA256

    4d728d888d172a52f4525249287178b1754affe474f607f019b4957186ca6b8a

    SHA512

    4be62a90eedd0cd3dbb8ad29446909f2af188310059fe5191e0c48e3eedaec21e8b0ab0d2827ab37cc1df200f7607d566c1f02693acc3070fa6f6a3ec2388d2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
    Filesize

    558KB

    MD5

    5db3924e6aac342a5d6bde6527871e86

    SHA1

    0fdac73db5532b40212c1a37718ed8f3de031128

    SHA256

    03b83f84e5077b76bc6d71b7056df8ebd14e3cc16bbd8bfac29dd1db46a7b7e8

    SHA512

    8e6a3a294539f7299e5dae37359919c60e07b9ea34a1fcc235dbee3d1a67b78e5e499c9e75536bb3f1b04aba4f8223cf41fec681786cb633e3e0b57ff6536e6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
    Filesize

    558KB

    MD5

    5db3924e6aac342a5d6bde6527871e86

    SHA1

    0fdac73db5532b40212c1a37718ed8f3de031128

    SHA256

    03b83f84e5077b76bc6d71b7056df8ebd14e3cc16bbd8bfac29dd1db46a7b7e8

    SHA512

    8e6a3a294539f7299e5dae37359919c60e07b9ea34a1fcc235dbee3d1a67b78e5e499c9e75536bb3f1b04aba4f8223cf41fec681786cb633e3e0b57ff6536e6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
    Filesize

    175KB

    MD5

    0d5e4c45ee0d8f38b9bef529923c62d8

    SHA1

    ae52fb0a557f6b2a0bcebca35712ed7e8f88cd38

    SHA256

    4d728d888d172a52f4525249287178b1754affe474f607f019b4957186ca6b8a

    SHA512

    4be62a90eedd0cd3dbb8ad29446909f2af188310059fe5191e0c48e3eedaec21e8b0ab0d2827ab37cc1df200f7607d566c1f02693acc3070fa6f6a3ec2388d2e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\si880483.exe
    Filesize

    175KB

    MD5

    0d5e4c45ee0d8f38b9bef529923c62d8

    SHA1

    ae52fb0a557f6b2a0bcebca35712ed7e8f88cd38

    SHA256

    4d728d888d172a52f4525249287178b1754affe474f607f019b4957186ca6b8a

    SHA512

    4be62a90eedd0cd3dbb8ad29446909f2af188310059fe5191e0c48e3eedaec21e8b0ab0d2827ab37cc1df200f7607d566c1f02693acc3070fa6f6a3ec2388d2e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
    Filesize

    558KB

    MD5

    5db3924e6aac342a5d6bde6527871e86

    SHA1

    0fdac73db5532b40212c1a37718ed8f3de031128

    SHA256

    03b83f84e5077b76bc6d71b7056df8ebd14e3cc16bbd8bfac29dd1db46a7b7e8

    SHA512

    8e6a3a294539f7299e5dae37359919c60e07b9ea34a1fcc235dbee3d1a67b78e5e499c9e75536bb3f1b04aba4f8223cf41fec681786cb633e3e0b57ff6536e6e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\un730014.exe
    Filesize

    558KB

    MD5

    5db3924e6aac342a5d6bde6527871e86

    SHA1

    0fdac73db5532b40212c1a37718ed8f3de031128

    SHA256

    03b83f84e5077b76bc6d71b7056df8ebd14e3cc16bbd8bfac29dd1db46a7b7e8

    SHA512

    8e6a3a294539f7299e5dae37359919c60e07b9ea34a1fcc235dbee3d1a67b78e5e499c9e75536bb3f1b04aba4f8223cf41fec681786cb633e3e0b57ff6536e6e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6077.exe
    Filesize

    307KB

    MD5

    9a91cd22e62655b9a228ec17edf0a1da

    SHA1

    1d2188fd90c061bb7edc6694d0724a155f424a26

    SHA256

    b3fa333f4c69d12726d4192910261e4e5fa175a21e0c4f6eb8863eed1e7ae04f

    SHA512

    fa35876587944d6d67f8928f2800c9b8db92e073993a027a1d27daeaab6b2e0515aa266108be2f4cdb45c5b4f33338c004bb6570eebf1def1a19e3422a06bdc2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7597.exe
    Filesize

    365KB

    MD5

    7078a79ec92c748cd458ae8386abf0a7

    SHA1

    89b086f9b3bc2b1fa4b5cb75013acb3d89febac1

    SHA256

    19ef0da4f14858991e181bd446609a197423ff7bc70e8a9ae99d683f6197843d

    SHA512

    1b8154020389fceb5a42e90253fd6975eed4e0581a7bcf1b8cd571efb22fa7cb854790bb07957705920f49bb1ecf42cdada5c250f0ab2ed831f9477c84c464c0

    Download Submit

  • memory/1248-86-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-112-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1248-94-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-100-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-98-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-104-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-102-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-108-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-106-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-110-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-111-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1248-96-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-90-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-92-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-88-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-83-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-84-0x0000000000E40000-0x0000000000E52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1248-82-0x0000000000E40000-0x0000000000E58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1248-81-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1248-80-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1248-78-0x00000000003E0000-0x00000000003FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1248-79-0x0000000000270000-0x000000000029D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1456-1046-0x0000000000250000-0x0000000000282000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1456-1047-0x00000000006B0000-0x00000000006F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-134-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-155-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-135-0x0000000000390000-0x00000000003DB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1872-138-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-137-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-139-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-141-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-143-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-145-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-147-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-149-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-151-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-153-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-132-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-157-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-159-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-161-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-1034-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-1036-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-1037-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-1038-0x0000000004D00000-0x0000000004D40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1872-130-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-128-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-126-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-125-0x0000000004D40000-0x0000000004D7F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1872-124-0x0000000004D40000-0x0000000004D84000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1872-123-0x0000000004CA0000-0x0000000004CE6000-memory.dmp

    Filesize

    280KB

    Download