Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    177s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-05-2023 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18b857297048eb4a71df683ea14505d28411288eb144999f4b930e687ffb1af1.exe

  • Size

    327KB

  • MD5

    ddc408a9c438919410396dedf661cb81

  • SHA1

    db03c2c85632ddef24496fc75851ce1bfa2bbdff

  • SHA256

    18b857297048eb4a71df683ea14505d28411288eb144999f4b930e687ffb1af1

  • SHA512

    c8675259c707ba13ac5082a05e7f5e5457446be6b89dcb7cf51c6045f4ea3f87edbb1236227b3f9c523c1cbc9309fb0e0a5eaa413757ba5251227cc27eda101a

  • SSDEEP

    6144:iV9SHeF4RbXigPTwH0iE4drB8p3LNLOIjvPBmZ5Gj8:ivieF4RbSjH0i3dr2p3LNLOI7PMh

Score
10/10
redlineinfostealerspyware

Malware Config

Extracted

Family

redline

C2

135.181.10.136:4328

Attributes
  • auth_value

    a909e2aaecf96137978fea4f86400b9b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18b857297048eb4a71df683ea14505d28411288eb144999f4b930e687ffb1af1.exe
    "C:\Users\Admin\AppData\Local\Temp\18b857297048eb4a71df683ea14505d28411288eb144999f4b930e687ffb1af1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4264-117-0x0000000000500000-0x000000000052A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4264-125-0x0000000008E30000-0x0000000009436000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4264-126-0x0000000008950000-0x0000000008A5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4264-127-0x0000000008880000-0x0000000008892000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4264-128-0x0000000008A60000-0x0000000008A9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4264-129-0x00000000088A0000-0x00000000088EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4264-130-0x0000000008910000-0x0000000008920000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4264-135-0x0000000008C30000-0x0000000008CC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4264-136-0x0000000009940000-0x0000000009E3E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4264-137-0x0000000008CD0000-0x0000000008D36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4264-860-0x000000000A010000-0x000000000A1D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4264-861-0x000000000A710000-0x000000000AC3C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4264-862-0x0000000008910000-0x0000000008920000-memory.dmp

    Filesize

    64KB

    Download