Overview

overview

10

Static

static

3

123.exe

windows7-x64

10

123.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2023, 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123.exe

  • Size

    704.3MB

  • MD5

    8584416cd8d5c7095bd38831d775ae4b

  • SHA1

    6bfa29983d6d5f345156a435ac52df25d2335b5c

  • SHA256

    f5854b5b708d95d228d7c67643b4693d633f03515a5bcbcb69c995aac3bbe224

  • SHA512

    4c4f04a5423b39d2d53aa6e6c513e45d71e73d7fee2d7ac388a02e198e1259e581d8177882dee26cc884b95e8eaa81776724470200772c4fd4d16d1fc3058fe8

  • SSDEEP

    98304:mdDHuBJUPXfOZtVyqMLyut+vVxKaDOpZlehjfOeEhiG:+DHuBqvfQtAqMNyxpOIh4hiG

Score
10/10
redline@gramms_cc 14/06infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

@gramms_CC 14/06

C2

5.42.64.70:45663

Attributes
  • auth_value

    7415b604399dcb01a5a0788cf91d64ff

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\foe"
      2⤵
        PID:404
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\123.exe" "C:\Users\Admin\AppData\Local\Temp\foe\foe.exe"
        2⤵
          PID:752
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 25 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\foe\foe.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 25 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\foe\foe.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:1084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1152-140-0x0000000004BA0000-0x0000000004BDC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1152-146-0x0000000005CA0000-0x0000000005D16000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1152-136-0x00000000051C0000-0x00000000057D8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1152-137-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1152-138-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1152-139-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1152-134-0x0000000000410000-0x0000000000436000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1152-144-0x00000000060D0000-0x0000000006674000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1152-150-0x0000000005FC0000-0x0000000006010000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1152-145-0x0000000005C00000-0x0000000005C92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1152-143-0x0000000005020000-0x0000000005086000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1152-147-0x0000000006680000-0x0000000006842000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1152-148-0x0000000006D80000-0x00000000072AC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1152-149-0x0000000005E50000-0x0000000005E6E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5072-133-0x0000000000760000-0x0000000000BB2000-memory.dmp

        Filesize

        4.3MB

        Download