Overview

overview

10

Static

static

3

08431499.exe

windows7-x64

10

08431499.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2023, 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08431499.exe

  • Size

    778KB

  • MD5

    9c79d66839648790644b9fd1120aa08d

  • SHA1

    0ff6a6076233097a4ce2a9c49f39d11f540becc1

  • SHA256

    a12dd546e54d84d55eddaa14e045718f345bec3edf54cc55a78ae9fe26d26cb8

  • SHA512

    01fb349021b6a0a1da3c200e00f7ad64ef4989ff3638cfca5f70c0073519d718a8461096aa87a8fc2a62db90c3f7e6c48bd3fb2f868b073f779f6d012a58e8f7

  • SSDEEP

    12288:/Mrey90e7fJgds3Cf4Q/Xwhr/uZFY3k9RAbP+C+R3llDXAuAxRFk:Fy7TJrSAQvy/ubYwRs+hpllsuh

Score
10/10
redlinedusadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.126:19046

Attributes
  • auth_value

    ee896466545fedf9de5406175fb82de5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08431499.exe
    "C:\Users\Admin\AppData\Local\Temp\08431499.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1560467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1560467.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5618804.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5618804.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3868894.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3868894.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3576
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6816319.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6816319.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2496

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1560467.exe
    Filesize

    448KB

    MD5

    6f1bb9f510619c425208b5fcacb0ef0d

    SHA1

    d675666c38fe0bee5c8ec5eabf498b8f8448bc2a

    SHA256

    0e200cf4ea5b9f44fd5569f3a01e90d8c207c07d7d036be2f51b955da59f1154

    SHA512

    cfc17ce728250896fe85deec2deb8fac0ccd8958ae90999e012a3c13db97737e3577d3b986fc5a0a67c59ece7dd5558bda5fd976496a7d90cb7128101e5db964

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1560467.exe
    Filesize

    448KB

    MD5

    6f1bb9f510619c425208b5fcacb0ef0d

    SHA1

    d675666c38fe0bee5c8ec5eabf498b8f8448bc2a

    SHA256

    0e200cf4ea5b9f44fd5569f3a01e90d8c207c07d7d036be2f51b955da59f1154

    SHA512

    cfc17ce728250896fe85deec2deb8fac0ccd8958ae90999e012a3c13db97737e3577d3b986fc5a0a67c59ece7dd5558bda5fd976496a7d90cb7128101e5db964

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5618804.exe
    Filesize

    276KB

    MD5

    84100923a4b8916a09a2319a85684ac2

    SHA1

    b8626f7932b042ca1263ea4a6396b6736f73c194

    SHA256

    4adcaa271f1776938ba253b31ef7a3839c27a091aa2fac55af94f019e490d26e

    SHA512

    c8bb0c9337ee8c82f2ea7874b5a2ccafac9eb69ee92f7ec4a169fa110eb41cbffc74f5123df6b4900c542e7186772157e5cf87c2eb0d34f36b17d8fa27fb1a3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5618804.exe
    Filesize

    276KB

    MD5

    84100923a4b8916a09a2319a85684ac2

    SHA1

    b8626f7932b042ca1263ea4a6396b6736f73c194

    SHA256

    4adcaa271f1776938ba253b31ef7a3839c27a091aa2fac55af94f019e490d26e

    SHA512

    c8bb0c9337ee8c82f2ea7874b5a2ccafac9eb69ee92f7ec4a169fa110eb41cbffc74f5123df6b4900c542e7186772157e5cf87c2eb0d34f36b17d8fa27fb1a3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3868894.exe
    Filesize

    147KB

    MD5

    23b4a4efcb740903967f4d9b45626097

    SHA1

    40cafa7a13f0b50332671f26f9bc98c6a4640680

    SHA256

    b06728a4b8123c6664447c056b4cadb3e938312e2c88e56d1a1e207972d52d37

    SHA512

    f99db74d23d47cbc3ee7123812cb52a5bef86091b90fd4d96ad5089ea8c0770568b38c23e2e9767ad04348e141d7587ab2767285f6f3feb89783fa159c6a8d8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3868894.exe
    Filesize

    147KB

    MD5

    23b4a4efcb740903967f4d9b45626097

    SHA1

    40cafa7a13f0b50332671f26f9bc98c6a4640680

    SHA256

    b06728a4b8123c6664447c056b4cadb3e938312e2c88e56d1a1e207972d52d37

    SHA512

    f99db74d23d47cbc3ee7123812cb52a5bef86091b90fd4d96ad5089ea8c0770568b38c23e2e9767ad04348e141d7587ab2767285f6f3feb89783fa159c6a8d8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6816319.exe
    Filesize

    168KB

    MD5

    50a86a280202839aadf80508cef194c3

    SHA1

    5cfc0ce02d7c3cb1834fc2442579ff05b26f75f4

    SHA256

    bc0ad2cdb7de69c2caf63611eb24569b7c026f432d4db0c73e428af9f869b7bf

    SHA512

    0b9927cdf4fc1cd08d19dc75d1fc72dc954a8dfe28a0ade9fcdfdd9245b8251a022c71fd46bce5e66acb3be8c71c9788b7ceedf67220643c69ffee09ba6cc95e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6816319.exe
    Filesize

    168KB

    MD5

    50a86a280202839aadf80508cef194c3

    SHA1

    5cfc0ce02d7c3cb1834fc2442579ff05b26f75f4

    SHA256

    bc0ad2cdb7de69c2caf63611eb24569b7c026f432d4db0c73e428af9f869b7bf

    SHA512

    0b9927cdf4fc1cd08d19dc75d1fc72dc954a8dfe28a0ade9fcdfdd9245b8251a022c71fd46bce5e66acb3be8c71c9788b7ceedf67220643c69ffee09ba6cc95e

    Download Submit

  • memory/2496-163-0x000000000A8F0000-0x000000000AF08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2496-169-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2496-176-0x000000000C170000-0x000000000C69C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2496-164-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2496-165-0x000000000A310000-0x000000000A322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2496-166-0x000000000A370000-0x000000000A3AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2496-167-0x0000000004E40000-0x0000000004E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2496-162-0x0000000000460000-0x000000000048E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2496-170-0x0000000000B40000-0x0000000000BB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2496-171-0x000000000A6F0000-0x000000000A782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2496-172-0x000000000B4C0000-0x000000000BA64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2496-173-0x0000000002570000-0x00000000025D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2496-174-0x0000000004EA0000-0x0000000004EF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2496-175-0x000000000BA70000-0x000000000BC32000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3576-154-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

    Download