Overview

overview

10

Static

static

8

1.rar

windows7-x64

3

1.rar

windows10-2004-x64

3

Ehhbsuuemv.exe

windows7-x64

10

Ehhbsuuemv.exe

windows10-2004-x64

10

GjIEmKW.exe

windows7-x64

10

GjIEmKW.exe

windows10-2004-x64

10

Jtvcsfni.exe

windows7-x64

10

Jtvcsfni.exe

windows10-2004-x64

10

OriginalBuild.exe

windows7-x64

1

OriginalBuild.exe

windows10-2004-x64

8

PUMPED_docc.exe

windows7-x64

10

PUMPED_docc.exe

windows10-2004-x64

10

Servicing-...te.pdf

windows7-x64

1

Servicing-...te.pdf

windows10-2004-x64

1

cgu3.rar

windows7-x64

3

cgu3.rar

windows10-2004-x64

3

debt.rtf.rar

windows7-x64

3

debt.rtf.rar

windows10-2004-x64

3

eeee.dotm

windows7-x64

1

eeee.dotm

windows10-2004-x64

1

egor.dotm

windows7-x64

10

egor.dotm

windows10-2004-x64

10

errr.dotm

windows7-x64

1

errr.dotm

windows10-2004-x64

1

example.dotm

windows7-x64

10

example.dotm

windows10-2004-x64

10

fasfs.dotm

windows7-x64

10

fasfs.dotm

windows10-2004-x64

10

ferrr.dotm

windows7-x64

1

ferrr.dotm

windows10-2004-x64

1

fffffffnew.dotm

windows7-x64

10

fffffffnew.dotm

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2023, 18:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Jtvcsfni.exe

  • Size

    300.9MB

  • MD5

    fa2a122398f04f0a45ed7bed477aa4de

  • SHA1

    dec80165e13f370fc832f6fe752084eb5ba944cb

  • SHA256

    cde19a4b3504ff5f04a4291be87d98594673de5e3ba4d939b18305e7e1fd93a2

  • SHA512

    332c34cde567511fc31422d75a77f183546998762f912844726e0b157d5c5bc29893e20b93e0ab5daa90908e39aab326743606ee090b38d73ba51b9d949e8905

  • SSDEEP

    6291456:TzQXTpP65CUl6Xd+6a3BwpQTOQGZ+TmCI/0haPyrUVb0/29c1e1M51K:Y1jUl6sBwKgZXCI/0haqgVb0/l6

Score
10/10
redline@hukiosideinfostealer

Malware Config

Extracted

Family

redline

Botnet

@hukioside

C2

37.220.87.13:48790

Attributes
  • auth_value

    7bb7435e1cb000627132c502060da133

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe
    "C:\Users\Admin\AppData\Local\Temp\Jtvcsfni.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:1888

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5q15uzz.td3.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/1888-172-0x0000000005220000-0x0000000005230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1888-171-0x0000000005220000-0x0000000005230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1888-170-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1888-169-0x0000000004FA0000-0x00000000050AA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1888-168-0x0000000004E70000-0x0000000004E82000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1888-167-0x0000000005430000-0x0000000005A48000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1888-165-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/3396-140-0x0000000005B10000-0x0000000006138000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3396-139-0x0000000003390000-0x00000000033C6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3396-143-0x0000000005A60000-0x0000000005AC6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3396-149-0x0000000006330000-0x0000000006396000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3396-141-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-154-0x0000000006960000-0x000000000697E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3396-155-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-156-0x0000000007FF0000-0x000000000866A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3396-157-0x0000000006E50000-0x0000000006E6A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3396-142-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-159-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-160-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-161-0x0000000003480000-0x0000000003490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4100-158-0x0000000018480000-0x0000000018490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4100-133-0x0000000000D80000-0x0000000001D80000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/4100-138-0x0000000018480000-0x0000000018490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4100-137-0x0000000018790000-0x00000000187B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4100-136-0x00000000182C0000-0x00000000182CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4100-135-0x0000000018320000-0x00000000183B2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4100-134-0x00000000188D0000-0x0000000018E74000-memory.dmp

            Filesize

            5.6MB

            Download