Overview

overview

10

Static

static

10

380cf16c91...88.exe

windows7-x64

10

380cf16c91...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2023 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    380cf16c91062c831de25e05a5a3d288.exe

  • Size

    172KB

  • MD5

    380cf16c91062c831de25e05a5a3d288

  • SHA1

    a852c13a3699458994bbd83471d16d6d5b14e14a

  • SHA256

    d65b2481250404bff74b626a516ea0de91754a0d133edf3d7f337e98caf90521

  • SHA512

    d51f7537d10b86e84a41f4c71bfa8ef069f7309656e766048a39b03c75a60d7fa5ed3a6ecfc5a40923799bf0f8fbbf11cb908e1737cab14439a0571fdfcf586d

  • SSDEEP

    1536:8/tcDOd2V36sv0W7TwiQjrH0V32ai6xWqlB2fxNiLYQ9VbuyqN9fkyt0GkRM8e8u:6yOUrhD3TiG72fxNbqA5kytf8e8hw

Score
10/10
redlinemuhadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

muha

C2

83.97.73.129:19068

Attributes
  • auth_value

    3c237e5fecb41481b7af249e79828a46

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\380cf16c91062c831de25e05a5a3d288.exe
    "C:\Users\Admin\AppData\Local\Temp\380cf16c91062c831de25e05a5a3d288.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4088-133-0x0000000000B80000-0x0000000000BB0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4088-134-0x000000000AFB0000-0x000000000B5C8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4088-135-0x000000000AAF0000-0x000000000ABFA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4088-136-0x000000000AA30000-0x000000000AA42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4088-137-0x0000000005500000-0x0000000005510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4088-138-0x000000000AA90000-0x000000000AACC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4088-139-0x000000000ADA0000-0x000000000AE16000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4088-140-0x000000000AEC0000-0x000000000AF52000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4088-141-0x000000000BB80000-0x000000000C124000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4088-142-0x000000000B740000-0x000000000B7A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4088-143-0x000000000BAB0000-0x000000000BB00000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4088-144-0x000000000C400000-0x000000000C5C2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4088-145-0x000000000CB00000-0x000000000D02C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4088-146-0x0000000005500000-0x0000000005510000-memory.dmp
    Filesize

    64KB

    Download