Overview

overview

10

Static

static

1

72f39adecf...31.exe

windows7-x64

3

72f39adecf...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-04-2023 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72f39adecf2367944add8e33bbfc5c31.exe

  • Size

    235KB

  • MD5

    72f39adecf2367944add8e33bbfc5c31

  • SHA1

    a01e04bb87924d6d1b31ac1e6190937ce542b17b

  • SHA256

    9f7b850b2f255a609532c8bac161f2c11dca15133312cb2a3f7a989eca325969

  • SHA512

    b66b8cac51a8a8de0496d8ae011a0e91ce42cf3fade307c1b7a374fb44e0c1e1ba21959610cd0b3f3eae18c7cfa298c19c242a6bfa7fcb09a0a9d72c9ac3a2fb

  • SSDEEP

    6144:+LLrksSYjJanJGtgNiUfUgxZ2K/cSK1IOq:+nBR0nAGNio2sch14

Score
10/10
redline1379752987infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1379752987

C2

167.235.158.92:39675

Attributes
  • auth_value

    94039ae8b5b0b9ec5346501cc0139461

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Blocklisted process makes network request 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72f39adecf2367944add8e33bbfc5c31.exe
    "C:\Users\Admin\AppData\Local\Temp\72f39adecf2367944add8e33bbfc5c31.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
        3⤵
          PID:3944
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3068

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pawex22i.rz5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2128-137-0x00000000056B0000-0x00000000056BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2128-168-0x0000000005990000-0x00000000059A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2128-136-0x0000000005990000-0x00000000059A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2128-134-0x0000000005CD0000-0x0000000006274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2128-133-0x0000000000C70000-0x0000000000CAC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2128-135-0x0000000005720000-0x00000000057B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3068-172-0x0000000006B30000-0x0000000006CF2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3068-171-0x00000000067E0000-0x0000000006830000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3068-173-0x000000000AF10000-0x000000000B43C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3068-170-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3068-160-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3068-165-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3068-164-0x0000000005510000-0x000000000554C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3068-163-0x00000000054B0000-0x00000000054C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3068-162-0x0000000005770000-0x000000000587A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3068-161-0x0000000005C80000-0x0000000006298000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3160-140-0x0000000005C00000-0x0000000005C22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3160-159-0x0000000007730000-0x000000000774A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3160-158-0x0000000007D90000-0x000000000840A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3160-157-0x0000000007690000-0x0000000007706000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3160-156-0x0000000002C20000-0x0000000002C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-155-0x00000000074D0000-0x0000000007514000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3160-154-0x0000000006350000-0x000000000636E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3160-153-0x0000000002C20000-0x0000000002C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-152-0x0000000002C20000-0x0000000002C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3160-147-0x0000000005D80000-0x0000000005DE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3160-146-0x0000000005CA0000-0x0000000005D06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3160-139-0x00000000055D0000-0x0000000005BF8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3160-138-0x0000000002A50000-0x0000000002A86000-memory.dmp

      Filesize

      216KB

      Download