Overview

overview

10

Static

static

3

07118299.exe

windows7-x64

10

07118299.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2023, 11:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07118299.exe

  • Size

    585KB

  • MD5

    bb4539edbb8fa9c890cc49978383414d

  • SHA1

    61a759e91f6cdeacffbb1cab32e692b7075efaa8

  • SHA256

    3c785e270042f3778b2321d0be981e2252fbe5dc55109b38b66a6e5c1418e204

  • SHA512

    8e54826a8fccdb64714bff359ae9223dadb00cfb5de15456e6a15c66d1a16faa9dee836101527ca8fe7f5e1e714c77e776bcb377466951207ca51ba546745fa5

  • SSDEEP

    12288:TMrqy90Z037vhyfXuO8v59X22y+MXZejR1EQP/eq64aNZa:lyYy6uD/ZMp2EeeDVa

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07118299.exe
    "C:\Users\Admin\AppData\Local\Temp\07118299.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1668
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:928

Network

    No results found
  • 83.97.73.126:19048
    l4429849.exe
    152 B
     3
  • 83.97.73.126:19048
    l4429849.exe
    9.5kB
     9.6kB
     31
    39
  • 83.97.73.126:19048
    l4429849.exe
    9.4kB
     8.3kB
     28
    34
  • 83.97.73.126:19048
    l4429849.exe
    152 B
     3
  • 83.97.73.126:19048
    l4429849.exe
    9.4kB
     8.3kB
     28
    36
  • 83.97.73.126:19048
    l4429849.exe
    9.4kB
     8.3kB
     28
    36
  • 83.97.73.126:19048
    l4429849.exe
    9.4kB
     8.4kB
     28
    37
  • 83.97.73.126:19048
    l4429849.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
    Filesize

    13KB

    MD5

    2729520af0a8af272be9fa9a08374fed

    SHA1

    287f245bc42c5672947f9be216934c3193ff20fd

    SHA256

    5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

    SHA512

    eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
    Filesize

    13KB

    MD5

    2729520af0a8af272be9fa9a08374fed

    SHA1

    287f245bc42c5672947f9be216934c3193ff20fd

    SHA256

    5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

    SHA512

    eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
    Filesize

    377KB

    MD5

    04c913636eef8e009b67a6471aceb1cc

    SHA1

    50c666e0fc32181e3673352451e67167aa15632a

    SHA256

    bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

    SHA512

    3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    Filesize

    206KB

    MD5

    141cac089e26c4f0c69e0d7e512f7be1

    SHA1

    5509723287d89cfbbdd084d6480f8f7c962f2e47

    SHA256

    45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

    SHA512

    35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
    Filesize

    13KB

    MD5

    2729520af0a8af272be9fa9a08374fed

    SHA1

    287f245bc42c5672947f9be216934c3193ff20fd

    SHA256

    5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

    SHA512

    eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
    Filesize

    172KB

    MD5

    9ee6e7a9103170f2f829a497879dec4d

    SHA1

    1013f962d3071a62ef343cb8d93888264d528d64

    SHA256

    77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

    SHA512

    60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

    Download Submit

  • memory/928-89-0x00000000001A0000-0x00000000001D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/928-90-0x0000000000530000-0x0000000000536000-memory.dmp

    Filesize

    24KB

    Download

  • memory/928-91-0x00000000008C0000-0x0000000000900000-memory.dmp

    Filesize

    256KB

    Download

  • memory/928-92-0x00000000008C0000-0x0000000000900000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1668-82-0x0000000000120000-0x000000000012A000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.