Overview

overview

10

Static

static

3

08259899.exe

windows7-x64

10

08259899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08259899.exe

  • Size

    585KB

  • MD5

    48fd57fde93bc3ea676506d9bc86ec90

  • SHA1

    9768e0856cf7ce7b08609292dac2bc9546f70803

  • SHA256

    e3420fc8be6b383d3c81fc05dea3d7243d88f8c58d946e120fc49115412017a2

  • SHA512

    c65362f0cfbb7fcfd1ad6ded1bcd81ed215b6f9f785b5d90c40e6ef103f1063c2c944d413ca22361924e1b635eac95449123ea8e36f16ce0ae468c7602953ac3

  • SSDEEP

    12288:lMrMy900rOFPjYRfLUWvxD/5D6pwIMbByl8V3oVpsFLJZy:xyhgYNLlF5D6poByNVpo7y

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08259899.exe
    "C:\Users\Admin\AppData\Local\Temp\08259899.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3612
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3392

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
    Filesize

    377KB

    MD5

    46afa44e4e1ec95815aaa6d25a5ff3cd

    SHA1

    ad7a1a73faa677adc1c5ddfab32fe6af070bd977

    SHA256

    f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

    SHA512

    5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
    Filesize

    377KB

    MD5

    46afa44e4e1ec95815aaa6d25a5ff3cd

    SHA1

    ad7a1a73faa677adc1c5ddfab32fe6af070bd977

    SHA256

    f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

    SHA512

    5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
    Filesize

    206KB

    MD5

    d0077dcfc462dd25521cff19de64ea59

    SHA1

    1781bf807c41aa3b3caf493e0503afd215f497de

    SHA256

    852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

    SHA512

    381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
    Filesize

    206KB

    MD5

    d0077dcfc462dd25521cff19de64ea59

    SHA1

    1781bf807c41aa3b3caf493e0503afd215f497de

    SHA256

    852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

    SHA512

    381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
    Filesize

    13KB

    MD5

    c8ffef0f74daf1371e0c34cda29dabb9

    SHA1

    cbe06286918051ae45e5e11120b2cf49e00f7d86

    SHA256

    b2d3f56be024f288423be750240b42312c6c97c5973caf58906f8196790f0d14

    SHA512

    de01e3adf8255da86180aceeddec10690ce8f1c40bdc65d81023934bb73a8656ce9c65fd43fcae344ac01cad9ca55765dde5e636eeb95ee39d3e802851e10d66

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
    Filesize

    13KB

    MD5

    c8ffef0f74daf1371e0c34cda29dabb9

    SHA1

    cbe06286918051ae45e5e11120b2cf49e00f7d86

    SHA256

    b2d3f56be024f288423be750240b42312c6c97c5973caf58906f8196790f0d14

    SHA512

    de01e3adf8255da86180aceeddec10690ce8f1c40bdc65d81023934bb73a8656ce9c65fd43fcae344ac01cad9ca55765dde5e636eeb95ee39d3e802851e10d66

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
    Filesize

    172KB

    MD5

    7eb9e2e5f30e56c6929360ba44ea1085

    SHA1

    b53421e7a9ec49ebacd48bc51c59904cb2452d47

    SHA256

    8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

    SHA512

    e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
    Filesize

    172KB

    MD5

    7eb9e2e5f30e56c6929360ba44ea1085

    SHA1

    b53421e7a9ec49ebacd48bc51c59904cb2452d47

    SHA256

    8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

    SHA512

    e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

    Download Submit

  • memory/3392-160-0x000000000AD60000-0x000000000B378000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3392-165-0x000000000AB60000-0x000000000ABD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3392-172-0x000000000C8B0000-0x000000000CDDC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3392-161-0x000000000A8B0000-0x000000000A9BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3392-162-0x000000000A7F0000-0x000000000A802000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3392-163-0x000000000A850000-0x000000000A88C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3392-164-0x00000000053B0000-0x00000000053C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3392-159-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3392-166-0x000000000AC80000-0x000000000AD12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3392-167-0x000000000B930000-0x000000000BED4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3392-168-0x000000000B480000-0x000000000B4E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3392-169-0x000000000B880000-0x000000000B8D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3392-170-0x00000000053B0000-0x00000000053C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3392-171-0x000000000C1B0000-0x000000000C372000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3612-154-0x0000000000C30000-0x0000000000C3A000-memory.dmp

    Filesize

    40KB

    Download