Overview

overview

10

Static

static

10

465325a3eb...b2.exe

windows7-x64

10

465325a3eb...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2023, 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    465325a3ebd9890234c2829cbb4cf3ca29f7591eb64b5bb21a1e4834410bd0b2.exe

  • Size

    175KB

  • MD5

    2d5cceb9fc4dc32afd509390d93842ec

  • SHA1

    c622d7bbd6ca971d1ab1fc1ae1e89314cc19b7db

  • SHA256

    465325a3ebd9890234c2829cbb4cf3ca29f7591eb64b5bb21a1e4834410bd0b2

  • SHA512

    bf851cdff5fad758542a46cf61d1315cc53178db44588b435b0208d2b5a01851abb3a6b0b309bafb82d04e9b234334df6fa95da0df1c209618d2a4ad1fddd360

  • SSDEEP

    3072:yxqZWFFa7E6T825De559yhGfxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOuw+cO:gqZcMUyh

Score
10/10
redlinenadodiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

nado

C2

176.113.115.145:4125

Attributes
  • auth_value

    a648e365d8e0df895a84152ad68ffc56

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\465325a3ebd9890234c2829cbb4cf3ca29f7591eb64b5bb21a1e4834410bd0b2.exe
    "C:\Users\Admin\AppData\Local\Temp\465325a3ebd9890234c2829cbb4cf3ca29f7591eb64b5bb21a1e4834410bd0b2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4736-133-0x0000000000090000-0x00000000000C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4736-134-0x0000000004FC0000-0x00000000055D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4736-135-0x0000000004B30000-0x0000000004C3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4736-136-0x0000000004A60000-0x0000000004A72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4736-137-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4736-138-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4736-139-0x0000000004E00000-0x0000000004E92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4736-140-0x0000000005B90000-0x0000000006134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4736-141-0x0000000004EA0000-0x0000000004F06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4736-142-0x0000000006310000-0x00000000064D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4736-143-0x0000000006A10000-0x0000000006F3C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4736-144-0x0000000004D50000-0x0000000004D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4736-145-0x00000000064E0000-0x0000000006556000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4736-146-0x0000000006280000-0x00000000062D0000-memory.dmp

    Filesize

    320KB

    Download