Overview

overview

10

Static

static

3

40c85ae969...5f.exe

windows7-x64

10

40c85ae969...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40c85ae969ffabd2e61ab26027dc515f.exe

  • Size

    735KB

  • MD5

    40c85ae969ffabd2e61ab26027dc515f

  • SHA1

    3dd377da7e0c8fd0a6c728173e69467e68649359

  • SHA256

    cf9562f1f4b3a189173560854e6ef7a748b1bbcb6bb8f0b0f0947462ebadaacd

  • SHA512

    d9f4a686499b1db2834e9fe9ac4315c3fbd1fd8b5b1118bb957494e143fb24f5f12b00c1851869ab3fbbf33c80b9be20577b935c6f1a5e2ab72aa0edf38483a3

  • SSDEEP

    12288:BMruy90L0z0JfmC16lIhvTab/sdAvveStsVrA6k6WNDdBzL0rrHeSOno:TyYT1lWbqTEsVrA6kXND/zwrHuo

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40c85ae969ffabd2e61ab26027dc515f.exe
    "C:\Users\Admin\AppData\Local\Temp\40c85ae969ffabd2e61ab26027dc515f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7791561.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7791561.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0267532.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0267532.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4350347.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4350347.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:624
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2796735.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2796735.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3679653.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3679653.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:224
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 140
              6⤵
              • Program crash
              PID:4524
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2028676.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2028676.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1196 -ip 1196
    1⤵
      PID:4856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7791561.exe
      Filesize

      529KB

      MD5

      0aa43b296321d5ac9d54035e87cbd1a3

      SHA1

      7ce5dd3288c6778e69f278b921a29f494172fc58

      SHA256

      267d1156f873c7f1655e9131a343a4c12fcbd180555ac2e7b9ae90e580fed46f

      SHA512

      57b3f70a4fcc36d19eceeaac0d3a191478e9cfe9f332988dfacff0c326de4e80ae78ee139a8711bc9f56d45ddaf13cbe551b20d956f363e53c7f60f6abbba811

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7791561.exe
      Filesize

      529KB

      MD5

      0aa43b296321d5ac9d54035e87cbd1a3

      SHA1

      7ce5dd3288c6778e69f278b921a29f494172fc58

      SHA256

      267d1156f873c7f1655e9131a343a4c12fcbd180555ac2e7b9ae90e580fed46f

      SHA512

      57b3f70a4fcc36d19eceeaac0d3a191478e9cfe9f332988dfacff0c326de4e80ae78ee139a8711bc9f56d45ddaf13cbe551b20d956f363e53c7f60f6abbba811

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0267532.exe
      Filesize

      357KB

      MD5

      4d4aa68124d3a9647c454e8c5b62b5fc

      SHA1

      f7054f91781af93de34f1198eadf0377ab4335f7

      SHA256

      0677790cc34e1a713000964ee2a12b60b5f34888225a4ccd81c7261894461ade

      SHA512

      a3a5db8f9f21ee705b88d0f70602b8c5899c972a9d3ae3acb00bbbd384b03cca2f428799e345381a2fefc299995403ef466c9703604891803c967a00fbcdb018

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0267532.exe
      Filesize

      357KB

      MD5

      4d4aa68124d3a9647c454e8c5b62b5fc

      SHA1

      f7054f91781af93de34f1198eadf0377ab4335f7

      SHA256

      0677790cc34e1a713000964ee2a12b60b5f34888225a4ccd81c7261894461ade

      SHA512

      a3a5db8f9f21ee705b88d0f70602b8c5899c972a9d3ae3acb00bbbd384b03cca2f428799e345381a2fefc299995403ef466c9703604891803c967a00fbcdb018

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2028676.exe
      Filesize

      172KB

      MD5

      3621043f69278dfc6740a9a00086aea3

      SHA1

      599f1c7de87ea556d097546a22ac9c6ad3bf0a40

      SHA256

      4c19b912ad4c06df15972b43379c77c0b7dc21cd987a5ed2cb24a65dbcd032db

      SHA512

      83d1d5027665909759ea2f006cb0f0dea58ea2491db88191a0000f3f9a4289449716450edd3156357aa008a4639915ad438f09d9289cdeb2010f302907eec900

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2028676.exe
      Filesize

      172KB

      MD5

      3621043f69278dfc6740a9a00086aea3

      SHA1

      599f1c7de87ea556d097546a22ac9c6ad3bf0a40

      SHA256

      4c19b912ad4c06df15972b43379c77c0b7dc21cd987a5ed2cb24a65dbcd032db

      SHA512

      83d1d5027665909759ea2f006cb0f0dea58ea2491db88191a0000f3f9a4289449716450edd3156357aa008a4639915ad438f09d9289cdeb2010f302907eec900

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4350347.exe
      Filesize

      202KB

      MD5

      e08030610cac7c6de11fc6d465afe459

      SHA1

      230a2268a0d06bf3cd5965862412bd18306c73ff

      SHA256

      d90d1a95e5223540b7725a3502f8a60dc552835747eb3c62f41f04c2b95fd389

      SHA512

      47f3e929566eb2bcee2bc9ca32a9d6b1816980aee7c8f930abb9753421385fec90fb1ff11308d409bda9ffc6522be81d1552fd3e7dbb432345156a45f610da08

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4350347.exe
      Filesize

      202KB

      MD5

      e08030610cac7c6de11fc6d465afe459

      SHA1

      230a2268a0d06bf3cd5965862412bd18306c73ff

      SHA256

      d90d1a95e5223540b7725a3502f8a60dc552835747eb3c62f41f04c2b95fd389

      SHA512

      47f3e929566eb2bcee2bc9ca32a9d6b1816980aee7c8f930abb9753421385fec90fb1ff11308d409bda9ffc6522be81d1552fd3e7dbb432345156a45f610da08

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2796735.exe
      Filesize

      13KB

      MD5

      04736de3e0b2048541fc58dc720c993a

      SHA1

      01216f8c0543dc13702d04e165de40fbabdb31a5

      SHA256

      f0b342e69e2b6605e47ebab9c9ac42b7e23ce96117cbcaf57e2baeb48d055cb5

      SHA512

      8d27bac7a6469847c564717929326e3d6221839d0f6ce51d891fedd62c2a19056a501bbd6fe581dfd83cd462841bf202af17e665612a6f340c118c47da3624a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2796735.exe
      Filesize

      13KB

      MD5

      04736de3e0b2048541fc58dc720c993a

      SHA1

      01216f8c0543dc13702d04e165de40fbabdb31a5

      SHA256

      f0b342e69e2b6605e47ebab9c9ac42b7e23ce96117cbcaf57e2baeb48d055cb5

      SHA512

      8d27bac7a6469847c564717929326e3d6221839d0f6ce51d891fedd62c2a19056a501bbd6fe581dfd83cd462841bf202af17e665612a6f340c118c47da3624a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3679653.exe
      Filesize

      117KB

      MD5

      832115726935f018cbe0e0a93e81e2e3

      SHA1

      4a9aae0b5c0d69bc57d4857c6ecdbde6566f5804

      SHA256

      b672a08fb72f8947b209b9c85b9c21e530c04fb0b7d9d252282fb7ce4ed8bc89

      SHA512

      a8088789c80ebe9cc83ebd1a076192842a95c8314f11286f26de43bdb6dc78005fa79ff09e57c4fced275bbbabe738569c86af5987f2c0305288b9acb28bf2f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3679653.exe
      Filesize

      117KB

      MD5

      832115726935f018cbe0e0a93e81e2e3

      SHA1

      4a9aae0b5c0d69bc57d4857c6ecdbde6566f5804

      SHA256

      b672a08fb72f8947b209b9c85b9c21e530c04fb0b7d9d252282fb7ce4ed8bc89

      SHA512

      a8088789c80ebe9cc83ebd1a076192842a95c8314f11286f26de43bdb6dc78005fa79ff09e57c4fced275bbbabe738569c86af5987f2c0305288b9acb28bf2f9

      Download Submit
    • memory/224-167-0x0000000000160000-0x000000000016A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2092-161-0x0000000000790000-0x000000000079A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3620-175-0x0000000000AF0000-0x0000000000B20000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3620-176-0x0000000005BC0000-0x00000000061D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3620-177-0x00000000056B0000-0x00000000057BA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3620-178-0x00000000055A0000-0x00000000055B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3620-179-0x0000000005600000-0x000000000563C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3620-180-0x0000000005390000-0x00000000053A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3620-182-0x0000000005390000-0x00000000053A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3620-183-0x00000000062E0000-0x0000000006356000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3620-184-0x0000000006400000-0x0000000006492000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3620-185-0x0000000006B80000-0x0000000007124000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3620-186-0x0000000006360000-0x00000000063C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3620-187-0x0000000007130000-0x00000000072F2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3620-188-0x0000000008D50000-0x000000000927C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3620-189-0x0000000006A00000-0x0000000006A50000-memory.dmp
      Filesize

      320KB

      Download