Overview

overview

10

Static

static

3

fe8656855a...48.exe

windows7-x64

10

fe8656855a...48.exe

windows10-2004-x64

10

Resubmissions

04/06/2023, 19:25

230604-x49nkadd62 10

04/06/2023, 19:16

230604-xyxf2sdh9v 10

Analysis

  • max time kernel
    61s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2023, 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe8656855a1318e7c373c588021ac41e01a8c25d0eb14d11ee5166f858f11448.exe

  • Size

    580KB

  • MD5

    7de7eb8be918cb898e6b38ac6d04898f

  • SHA1

    f6a281dbfac83073dcd679ee0ade72dd9ee357dc

  • SHA256

    fe8656855a1318e7c373c588021ac41e01a8c25d0eb14d11ee5166f858f11448

  • SHA512

    e3d25d05da377c48845f3104171199e1699b2915f049e43fbe14f3a008dc7da1de5e714cc0990d3933e67381d2616d85fb380722945422c1a949ac5daa9fa1f3

  • SSDEEP

    12288:mMrIy9056mGJk1tZhg+1Smzw2snTfLMSP7d8bOZ4x8SKR:qytmGJulxSR2sTfpP7eCOxhS

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe8656855a1318e7c373c588021ac41e01a8c25d0eb14d11ee5166f858f11448.exe
    "C:\Users\Admin\AppData\Local\Temp\fe8656855a1318e7c373c588021ac41e01a8c25d0eb14d11ee5166f858f11448.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4219910.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4219910.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1376
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
    Filesize

    377KB

    MD5

    67bdffbf66b3ee53184ff981f62708fe

    SHA1

    b31e9eceae8df9fc96fe58f2945a2a286f84a9d8

    SHA256

    9ad37a7a920312ff585602fe7a7beed82c10494eaf860c17cd79864c5e666f52

    SHA512

    08624f91ccb95cbe8e4ffa7a601619b3a5461d3b7d96a55fe4439ff4306a17eabd1ec4292c566c51e8cbc366ca36129a3d51405f4a3a0e33d08dc9db933d2839

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
    Filesize

    377KB

    MD5

    67bdffbf66b3ee53184ff981f62708fe

    SHA1

    b31e9eceae8df9fc96fe58f2945a2a286f84a9d8

    SHA256

    9ad37a7a920312ff585602fe7a7beed82c10494eaf860c17cd79864c5e666f52

    SHA512

    08624f91ccb95cbe8e4ffa7a601619b3a5461d3b7d96a55fe4439ff4306a17eabd1ec4292c566c51e8cbc366ca36129a3d51405f4a3a0e33d08dc9db933d2839

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
    Filesize

    206KB

    MD5

    d3979512f8870fbd68b5ccf36e9d3fae

    SHA1

    74c518b1de6a7a0b0a9abdfe37bdb2f645e4de0e

    SHA256

    8c70e69e6c586b4f65b91b213bec67541027bd0a92cd5e03b30cad00d17c9c88

    SHA512

    e9ad27b3bcb4a0ea1ef6202135c620883844028da2f2e8cdd17f4553afc8179d7339d925bbb060c3ba781690c59202b5f793d02957a2741d323f91248ff76074

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
    Filesize

    206KB

    MD5

    d3979512f8870fbd68b5ccf36e9d3fae

    SHA1

    74c518b1de6a7a0b0a9abdfe37bdb2f645e4de0e

    SHA256

    8c70e69e6c586b4f65b91b213bec67541027bd0a92cd5e03b30cad00d17c9c88

    SHA512

    e9ad27b3bcb4a0ea1ef6202135c620883844028da2f2e8cdd17f4553afc8179d7339d925bbb060c3ba781690c59202b5f793d02957a2741d323f91248ff76074

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4219910.exe
    Filesize

    11KB

    MD5

    97927ec7f8672fe4432697491ee9e4fd

    SHA1

    1f6f22d89f72f4ac176c84b9862fd3df63de73a1

    SHA256

    5950d4dc717d1fa5272fb7cd49857f12fd02c7cd8e61e1d7b7f0f6bcccfe39ee

    SHA512

    c75d7400af11f014496ff6cc66d29de4d77ff2af29578b37b8a7aef65838fbb6577bd3ba1b972fa04680f34c6567c75733b42ff80a95db288203643bcd505222

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4219910.exe
    Filesize

    11KB

    MD5

    97927ec7f8672fe4432697491ee9e4fd

    SHA1

    1f6f22d89f72f4ac176c84b9862fd3df63de73a1

    SHA256

    5950d4dc717d1fa5272fb7cd49857f12fd02c7cd8e61e1d7b7f0f6bcccfe39ee

    SHA512

    c75d7400af11f014496ff6cc66d29de4d77ff2af29578b37b8a7aef65838fbb6577bd3ba1b972fa04680f34c6567c75733b42ff80a95db288203643bcd505222

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
    Filesize

    172KB

    MD5

    4443d4427937246e6a448db55fd0a4bc

    SHA1

    c2ad372047ec4a90e69931835f1f8da5bcb1556d

    SHA256

    d61fa7c85e06c4976b315052c131ed00b7913dd8cc9c516e9c2ba9e1a3146fcc

    SHA512

    e4e21232ce49d8f6552ff35f37de4c39c628908ddd19188a60dfadcbf8581495aed234b366c6f3be71e9e97c7a603e8259305f3ee4ee5be800e6b213a3b17dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
    Filesize

    172KB

    MD5

    4443d4427937246e6a448db55fd0a4bc

    SHA1

    c2ad372047ec4a90e69931835f1f8da5bcb1556d

    SHA256

    d61fa7c85e06c4976b315052c131ed00b7913dd8cc9c516e9c2ba9e1a3146fcc

    SHA512

    e4e21232ce49d8f6552ff35f37de4c39c628908ddd19188a60dfadcbf8581495aed234b366c6f3be71e9e97c7a603e8259305f3ee4ee5be800e6b213a3b17dd3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
    Filesize

    377KB

    MD5

    67bdffbf66b3ee53184ff981f62708fe

    SHA1

    b31e9eceae8df9fc96fe58f2945a2a286f84a9d8

    SHA256

    9ad37a7a920312ff585602fe7a7beed82c10494eaf860c17cd79864c5e666f52

    SHA512

    08624f91ccb95cbe8e4ffa7a601619b3a5461d3b7d96a55fe4439ff4306a17eabd1ec4292c566c51e8cbc366ca36129a3d51405f4a3a0e33d08dc9db933d2839

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y0746831.exe
    Filesize

    377KB

    MD5

    67bdffbf66b3ee53184ff981f62708fe

    SHA1

    b31e9eceae8df9fc96fe58f2945a2a286f84a9d8

    SHA256

    9ad37a7a920312ff585602fe7a7beed82c10494eaf860c17cd79864c5e666f52

    SHA512

    08624f91ccb95cbe8e4ffa7a601619b3a5461d3b7d96a55fe4439ff4306a17eabd1ec4292c566c51e8cbc366ca36129a3d51405f4a3a0e33d08dc9db933d2839

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
    Filesize

    206KB

    MD5

    d3979512f8870fbd68b5ccf36e9d3fae

    SHA1

    74c518b1de6a7a0b0a9abdfe37bdb2f645e4de0e

    SHA256

    8c70e69e6c586b4f65b91b213bec67541027bd0a92cd5e03b30cad00d17c9c88

    SHA512

    e9ad27b3bcb4a0ea1ef6202135c620883844028da2f2e8cdd17f4553afc8179d7339d925bbb060c3ba781690c59202b5f793d02957a2741d323f91248ff76074

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y2876121.exe
    Filesize

    206KB

    MD5

    d3979512f8870fbd68b5ccf36e9d3fae

    SHA1

    74c518b1de6a7a0b0a9abdfe37bdb2f645e4de0e

    SHA256

    8c70e69e6c586b4f65b91b213bec67541027bd0a92cd5e03b30cad00d17c9c88

    SHA512

    e9ad27b3bcb4a0ea1ef6202135c620883844028da2f2e8cdd17f4553afc8179d7339d925bbb060c3ba781690c59202b5f793d02957a2741d323f91248ff76074

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\k4219910.exe
    Filesize

    11KB

    MD5

    97927ec7f8672fe4432697491ee9e4fd

    SHA1

    1f6f22d89f72f4ac176c84b9862fd3df63de73a1

    SHA256

    5950d4dc717d1fa5272fb7cd49857f12fd02c7cd8e61e1d7b7f0f6bcccfe39ee

    SHA512

    c75d7400af11f014496ff6cc66d29de4d77ff2af29578b37b8a7aef65838fbb6577bd3ba1b972fa04680f34c6567c75733b42ff80a95db288203643bcd505222

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
    Filesize

    172KB

    MD5

    4443d4427937246e6a448db55fd0a4bc

    SHA1

    c2ad372047ec4a90e69931835f1f8da5bcb1556d

    SHA256

    d61fa7c85e06c4976b315052c131ed00b7913dd8cc9c516e9c2ba9e1a3146fcc

    SHA512

    e4e21232ce49d8f6552ff35f37de4c39c628908ddd19188a60dfadcbf8581495aed234b366c6f3be71e9e97c7a603e8259305f3ee4ee5be800e6b213a3b17dd3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l6811063.exe
    Filesize

    172KB

    MD5

    4443d4427937246e6a448db55fd0a4bc

    SHA1

    c2ad372047ec4a90e69931835f1f8da5bcb1556d

    SHA256

    d61fa7c85e06c4976b315052c131ed00b7913dd8cc9c516e9c2ba9e1a3146fcc

    SHA512

    e4e21232ce49d8f6552ff35f37de4c39c628908ddd19188a60dfadcbf8581495aed234b366c6f3be71e9e97c7a603e8259305f3ee4ee5be800e6b213a3b17dd3

    Download Submit

  • memory/1048-93-0x0000000001C40000-0x0000000001C41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1048-94-0x0000000003850000-0x0000000003860000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1376-89-0x00000000008B0000-0x00000000008E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1376-90-0x0000000000340000-0x0000000000346000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1376-91-0x0000000004C10000-0x0000000004C50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1376-92-0x0000000004C10000-0x0000000004C50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1932-82-0x0000000000170000-0x000000000017A000-memory.dmp

    Filesize

    40KB

    Download