Overview

overview

10

Static

static

1

931550f644...29.exe

windows7-x64

10

931550f644...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    931550f6442765e288034980250788695e5e57bc2ec44b1a09fd6115fb5a1e29.exe

  • Size

    380KB

  • MD5

    6ac746b33d45f3a5389023fa3aa38a40

  • SHA1

    ed149f7728ffb1cfaa6b9884522647dad1dd261b

  • SHA256

    931550f6442765e288034980250788695e5e57bc2ec44b1a09fd6115fb5a1e29

  • SHA512

    dff49074f5b26182060eaecf257189a2c4cfca37295f4150fde8a3465ebcb58283cb1f768a0f6793668deaa1e9bd66bfeaf9a926ae85771f10739fbe850d0093

  • SSDEEP

    6144:qRnxyU+DIM5nSAy6YbWYYo4zsxDOdu6Q0KgT8S/ANN4T:qRnxt+Ddt49tvOrlT2N

Score
10/10
redline@chicagodiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@chicago

C2

185.11.61.125:22344

Attributes
  • auth_value

    21f863e0cbd09d0681058e068d0d1d7f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\931550f6442765e288034980250788695e5e57bc2ec44b1a09fd6115fb5a1e29.exe
    "C:\Users\Admin\AppData\Local\Temp\931550f6442765e288034980250788695e5e57bc2ec44b1a09fd6115fb5a1e29.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1224
      2⤵
      • Program crash
      PID:3420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1512 -ip 1512
    1⤵
      PID:1612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1512-134-0x00000000048C0000-0x0000000004922000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1512-135-0x0000000007550000-0x0000000007AF4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1512-136-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-137-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-139-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-141-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-143-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-145-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-148-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-147-0x0000000007540000-0x0000000007550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1512-150-0x0000000007540000-0x0000000007550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1512-152-0x0000000007540000-0x0000000007550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1512-151-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-154-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-156-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-158-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-160-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-162-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-164-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-166-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-168-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-170-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-172-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-174-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-176-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-178-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-180-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-182-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-184-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-186-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-188-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-190-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-192-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-194-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-196-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-198-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-200-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-202-0x0000000004FD0000-0x0000000005022000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1512-929-0x0000000007B00000-0x0000000008118000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1512-930-0x00000000073D0000-0x00000000073E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1512-931-0x00000000073F0000-0x00000000074FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1512-932-0x0000000007540000-0x0000000007550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1512-933-0x0000000007500000-0x000000000753C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1512-934-0x00000000083F0000-0x0000000008456000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1512-935-0x0000000008BC0000-0x0000000008C52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1512-936-0x0000000008C70000-0x0000000008CE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1512-937-0x0000000008D50000-0x0000000008F12000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1512-938-0x0000000008F30000-0x000000000945C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1512-939-0x0000000009570000-0x000000000958E000-memory.dmp

      Filesize

      120KB

      Download