Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2023, 23:39

General

  • Target

    l8412641.exe

  • Size

    145KB

  • MD5

    6d029ca6ce5f44e188b0f6d0f5f98bb6

  • SHA1

    bdb651303a34389914c2756fbaa220eff01c7ebb

  • SHA256

    a504755e40c94c02829bc90ebd97cf20afb802f223a88fcea9b32bddee5d7c76

  • SHA512

    1e22e2c25056d76a1c47a6ea2e7a16448d01dcc0312362b73b3f09e16ddd9608ee1369302e7251049d81c8ae8cf1ec5b29f432c22c7d09c2ddc4a86a610ffc8e

  • SSDEEP

    3072:AV+m5cVQmRSxAX9GYM1vYWr9h/Z28e8hq:Aj4Zyz9h/M

Malware Config

Extracted

Family

redline

Botnet

dogma

C2

185.161.248.75:4132

Attributes
  • auth_value

    d6c5d36e9aa03c956dc76aa0fcbe3639

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l8412641.exe
    "C:\Users\Admin\AppData\Local\Temp\l8412641.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2004-54-0x00000000010C0000-0x00000000010EA000-memory.dmp

    Filesize

    168KB

  • memory/2004-55-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

    Filesize

    256KB