Overview

overview

10

Static

static

1

a568121c4b...5f.exe

windows7-x64

1

a568121c4b...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-04-2023 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a568121c4b1c4b36b77ef499167b265f.exe

  • Size

    1.4MB

  • MD5

    a568121c4b1c4b36b77ef499167b265f

  • SHA1

    92af7c91cedcdcd39b3ae2c8a2430b4789f3a90e

  • SHA256

    a44ee9b6798df416a1186c178f7aa03c29bc912792cfab520f35486be3afd6bc

  • SHA512

    dc73d4437a34f05178c3b28f80247d6d77e5171c60b554b626c09fb2c49b0e379f7f60b2d057e13027836d4cc605344f89988881737a5f39949205809f896bef

  • SSDEEP

    24576:4tj4/Bk1qWa5ypygsQks5KkemsHikXWvSOcOxVjKX4oSpckFmgiddd+ADb:4tj4/BAqWVtnks5KkemINXWvSlOxQX4G

Score
10/10
redlinem2infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

m2

C2

80.85.157.78:38561

Attributes
  • auth_value

    6e2d096364fb8cafaa57bb78f353a4da

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a568121c4b1c4b36b77ef499167b265f.exe
    "C:\Users\Admin\AppData\Local\Temp\a568121c4b1c4b36b77ef499167b265f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      2⤵
        PID:1500
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2376

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/632-134-0x000000000BCC0000-0x000000000BE46000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2376-135-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2376-137-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2376-138-0x000000000B7C0000-0x000000000BDD8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2376-139-0x000000000D150000-0x000000000D25A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2376-140-0x000000000D040000-0x000000000D052000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2376-141-0x000000000D060000-0x000000000D09C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2376-142-0x00000000057C0000-0x00000000057D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2376-143-0x000000000D420000-0x000000000D496000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2376-144-0x000000000D540000-0x000000000D5D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2376-145-0x000000000DB90000-0x000000000E134000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2376-146-0x000000000D5E0000-0x000000000D646000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2376-147-0x000000000D820000-0x000000000D9E2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2376-148-0x000000000E670000-0x000000000EB9C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2376-149-0x000000000D710000-0x000000000D760000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2376-150-0x00000000057C0000-0x00000000057D0000-memory.dmp
      Filesize

      64KB

      Download