Overview

overview

10

Static

static

3

ff942a6a39...ab.exe

windows7-x64

10

ff942a6a39...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2023, 20:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff942a6a39302124e8822579f265702cc50606edf0f09459e6265e38ef2e9cab.exe

  • Size

    893KB

  • MD5

    8ea65de7db607d2bf1e2a76dcf654a81

  • SHA1

    1a050bdaade0496202324a541f481c10e865f7b2

  • SHA256

    ff942a6a39302124e8822579f265702cc50606edf0f09459e6265e38ef2e9cab

  • SHA512

    9b21e56aca0985a5a0d12fbf3e317bf22f43a31082f2f7e4eb8efe291fb21db45efb370ee62f2b26f5d00b070b1d53c2817b2dc2fb8eeaabe14f6ba5589e6359

  • SSDEEP

    24576:oyThxqXKYJmHveucaQtGfmvjuOumcw+j6Hdo:vdWbPtI5/mcS

Score
10/10
redlinedarkevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes
  • auth_value

    ae85b01f66afe8770afeed560513fc2d

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 10 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff942a6a39302124e8822579f265702cc50606edf0f09459e6265e38ef2e9cab.exe
    "C:\Users\Admin\AppData\Local\Temp\ff942a6a39302124e8822579f265702cc50606edf0f09459e6265e38ef2e9cab.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1252
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1140

Network

    No results found
  • 185.161.248.73:4164
    lr877551.exe
    152 B
     3
  • 185.161.248.73:4164
    lr877551.exe
    152 B
     3
  • 185.161.248.73:4164
    lr877551.exe
    152 B
     3
  • 185.161.248.73:4164
    lr877551.exe
    152 B
     3
  • 185.161.248.73:4164
    lr877551.exe
    104 B
     2
No results found

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
    Filesize

    169KB

    MD5

    adbd502c3603507672924e7e96ce71d2

    SHA1

    ac7c20b1ecc7044a87dde1e863e8078134fc2ed2

    SHA256

    d7047bb7c62753eac8bfe64d60504a7f1ba1eb2be976bab164aacd90d104a748

    SHA512

    9666798f006f3059372bbd1a337f91680f03d7fd4eab62218b0df83ba55cf6f4e891cdb373b3fd07867e1302fe959c1bba816d809dfbdc91d41d26a2d5c21497

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
    Filesize

    169KB

    MD5

    adbd502c3603507672924e7e96ce71d2

    SHA1

    ac7c20b1ecc7044a87dde1e863e8078134fc2ed2

    SHA256

    d7047bb7c62753eac8bfe64d60504a7f1ba1eb2be976bab164aacd90d104a748

    SHA512

    9666798f006f3059372bbd1a337f91680f03d7fd4eab62218b0df83ba55cf6f4e891cdb373b3fd07867e1302fe959c1bba816d809dfbdc91d41d26a2d5c21497

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
    Filesize

    739KB

    MD5

    f821bb32cff0e3ee727ae92cf87fe8bf

    SHA1

    4204f5a1407a56418ca86b9fa8acaabbfa725867

    SHA256

    ab7a80b4a386400e1c6f8f043df3c9c426ee86e975955c6e01715b3742d89de2

    SHA512

    c4e5d2d908ca51affffc22fac96bb950ec930af4b73dca8af8f02aff9157122d34c2a715a7942b679db3a8910f62110fe282833217e8a9c33ca031c288febad6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
    Filesize

    739KB

    MD5

    f821bb32cff0e3ee727ae92cf87fe8bf

    SHA1

    4204f5a1407a56418ca86b9fa8acaabbfa725867

    SHA256

    ab7a80b4a386400e1c6f8f043df3c9c426ee86e975955c6e01715b3742d89de2

    SHA512

    c4e5d2d908ca51affffc22fac96bb950ec930af4b73dca8af8f02aff9157122d34c2a715a7942b679db3a8910f62110fe282833217e8a9c33ca031c288febad6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
    Filesize

    301KB

    MD5

    89ca6f133007c7eed7596bd79c27f428

    SHA1

    aa6d8d9190752496908753696646bd40961516cc

    SHA256

    c1bccfe02be880e9710b249dae8049d487a08f63de357c337973701aba6bc0ab

    SHA512

    15220ca927aa318a146c2350d76c6a9d0a19f6d4468e19821346a0992c882fb7a3bfa9c784220b31b09e34f8a90b8960cc91102c32b50577e4bf0934f0a5e37b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
    Filesize

    301KB

    MD5

    89ca6f133007c7eed7596bd79c27f428

    SHA1

    aa6d8d9190752496908753696646bd40961516cc

    SHA256

    c1bccfe02be880e9710b249dae8049d487a08f63de357c337973701aba6bc0ab

    SHA512

    15220ca927aa318a146c2350d76c6a9d0a19f6d4468e19821346a0992c882fb7a3bfa9c784220b31b09e34f8a90b8960cc91102c32b50577e4bf0934f0a5e37b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • C:\Windows\Temp\1.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Windows\Temp\1.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
    Filesize

    169KB

    MD5

    adbd502c3603507672924e7e96ce71d2

    SHA1

    ac7c20b1ecc7044a87dde1e863e8078134fc2ed2

    SHA256

    d7047bb7c62753eac8bfe64d60504a7f1ba1eb2be976bab164aacd90d104a748

    SHA512

    9666798f006f3059372bbd1a337f91680f03d7fd4eab62218b0df83ba55cf6f4e891cdb373b3fd07867e1302fe959c1bba816d809dfbdc91d41d26a2d5c21497

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\lr877551.exe
    Filesize

    169KB

    MD5

    adbd502c3603507672924e7e96ce71d2

    SHA1

    ac7c20b1ecc7044a87dde1e863e8078134fc2ed2

    SHA256

    d7047bb7c62753eac8bfe64d60504a7f1ba1eb2be976bab164aacd90d104a748

    SHA512

    9666798f006f3059372bbd1a337f91680f03d7fd4eab62218b0df83ba55cf6f4e891cdb373b3fd07867e1302fe959c1bba816d809dfbdc91d41d26a2d5c21497

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
    Filesize

    739KB

    MD5

    f821bb32cff0e3ee727ae92cf87fe8bf

    SHA1

    4204f5a1407a56418ca86b9fa8acaabbfa725867

    SHA256

    ab7a80b4a386400e1c6f8f043df3c9c426ee86e975955c6e01715b3742d89de2

    SHA512

    c4e5d2d908ca51affffc22fac96bb950ec930af4b73dca8af8f02aff9157122d34c2a715a7942b679db3a8910f62110fe282833217e8a9c33ca031c288febad6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\st983673.exe
    Filesize

    739KB

    MD5

    f821bb32cff0e3ee727ae92cf87fe8bf

    SHA1

    4204f5a1407a56418ca86b9fa8acaabbfa725867

    SHA256

    ab7a80b4a386400e1c6f8f043df3c9c426ee86e975955c6e01715b3742d89de2

    SHA512

    c4e5d2d908ca51affffc22fac96bb950ec930af4b73dca8af8f02aff9157122d34c2a715a7942b679db3a8910f62110fe282833217e8a9c33ca031c288febad6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
    Filesize

    301KB

    MD5

    89ca6f133007c7eed7596bd79c27f428

    SHA1

    aa6d8d9190752496908753696646bd40961516cc

    SHA256

    c1bccfe02be880e9710b249dae8049d487a08f63de357c337973701aba6bc0ab

    SHA512

    15220ca927aa318a146c2350d76c6a9d0a19f6d4468e19821346a0992c882fb7a3bfa9c784220b31b09e34f8a90b8960cc91102c32b50577e4bf0934f0a5e37b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\81214228.exe
    Filesize

    301KB

    MD5

    89ca6f133007c7eed7596bd79c27f428

    SHA1

    aa6d8d9190752496908753696646bd40961516cc

    SHA256

    c1bccfe02be880e9710b249dae8049d487a08f63de357c337973701aba6bc0ab

    SHA512

    15220ca927aa318a146c2350d76c6a9d0a19f6d4468e19821346a0992c882fb7a3bfa9c784220b31b09e34f8a90b8960cc91102c32b50577e4bf0934f0a5e37b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143355.exe
    Filesize

    581KB

    MD5

    21690147cec837d5c27b34e937d22788

    SHA1

    225c15b3f7b744f2ba7fbd34259157011a451e44

    SHA256

    d59cc1d07723d5cbf8e1610f68c1f081bb9c92a2df2e58b6822d015afb90a5c4

    SHA512

    caa2c037500b50b5ab850a80c61f816fcbd9e8814ddbcac69b0c6a81395e927340a090073560011f0ef183a7e478db82922e83208379c90e788e36598630f2c1

    Download Submit

  • \Windows\Temp\1.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/844-88-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-100-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-106-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-110-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-112-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-114-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-116-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-120-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-122-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-124-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-128-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-126-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-132-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-134-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-136-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-138-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-140-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-130-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-118-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-108-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-102-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-92-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-84-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-2205-0x0000000000A60000-0x0000000000A6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/844-2207-0x0000000004940000-0x0000000004980000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-104-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-98-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-96-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-94-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-90-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-86-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-82-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-80-0x0000000004940000-0x0000000004980000-memory.dmp

    Filesize

    256KB

    Download

  • memory/844-79-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-74-0x0000000004860000-0x00000000048B8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/844-75-0x00000000048C0000-0x0000000004916000-memory.dmp

    Filesize

    344KB

    Download

  • memory/844-76-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/844-77-0x00000000048C0000-0x0000000004911000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1140-4385-0x0000000000D10000-0x0000000000D40000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1140-4386-0x0000000000540000-0x0000000000546000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1140-4387-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1140-4388-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1252-2222-0x0000000001030000-0x000000000103A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1260-2407-0x0000000004F30000-0x0000000004F70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1260-2409-0x0000000004F30000-0x0000000004F70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1260-4375-0x00000000010F0000-0x0000000001122000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1260-4376-0x0000000004F30000-0x0000000004F70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1260-2405-0x0000000000360000-0x00000000003BB000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1260-2225-0x0000000002830000-0x0000000002896000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1260-2224-0x0000000002670000-0x00000000026D8000-memory.dmp

    Filesize

    416KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.