Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/05/2023, 01:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    318KB

  • MD5

    34c735aac13c12757a8e954f87f6852c

  • SHA1

    5d0c1b22263578abf5a9cf9f2b8327dd91dc3935

  • SHA256

    82b28da9dd8874b827052827a6a1214ec59689001373a71c9f7dfb8b3f56c3df

  • SHA512

    a20437e1f984ca5f1087c8f8e88fc53484b93910847f2c2c691421fd5fd3857832e44f5d204f43f228ce83585033dd9eac48948d9f4c574c06cdbebf112d6571

  • SSDEEP

    6144:ZPKnmlp1JPMWi7Q0VMxWwkTUI1LfXk0mTv:ZjlpHMWKQ0VgWwkTFXkd

Score
10/10
redlineinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:764

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/764-134-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/764-139-0x0000000007D00000-0x0000000008318000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/764-140-0x00000000076E0000-0x00000000076F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/764-141-0x0000000007810000-0x000000000791A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/764-142-0x0000000007A90000-0x0000000007AA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/764-143-0x0000000007740000-0x000000000777C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/764-144-0x0000000007AA0000-0x0000000007B06000-memory.dmp

          Filesize

          408KB

          Download

        • memory/764-145-0x0000000008BD0000-0x0000000009174000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/764-146-0x00000000086C0000-0x0000000008752000-memory.dmp

          Filesize

          584KB

          Download

        • memory/764-147-0x0000000008760000-0x00000000087D6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/764-148-0x00000000089B0000-0x0000000008B72000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/764-149-0x00000000096B0000-0x0000000009BDC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/764-150-0x00000000088A0000-0x00000000088BE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/764-151-0x00000000088D0000-0x0000000008920000-memory.dmp

          Filesize

          320KB

          Download