Overview

overview

10

Static

static

1

hotel-requ...df.scr

windows7-x64

7

hotel-requ...df.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    452s
  • max time network
    475s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2023 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hotel-requirements.pdf/hotel-requirements.pdf.scr

  • Size

    564.4MB

  • MD5

    7faa29f9a965143cf67f27c1455111c1

  • SHA1

    f5c34c4399c2fca31c6ac05e14a566374c6732a9

  • SHA256

    a06612c8c0ff60c840da39e7d8571e949716bdec4c4a6582fdaae25216907fbe

  • SHA512

    2caffe5412262a291fa76a5887ccff316b3983a675a16d97c4dcde087ae3d3ccdb9685f66dbc999d1ade1888d6df45d015e1dd9bc0d396a2abf8761949bf3dd6

  • SSDEEP

    786432:MA5OgdnGFPsX2YiMiqN7z5EYUj4Vtpe9oA4Jxo88nvcVkf/2npG4U:M4d2oiU7z5EZMre9GJxo8q0Vkf8a

Score
10/10
redlinemastifinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

Mastif

C2

78.47.242.225:15635

Attributes
  • auth_value

    32b21fb55370c8e21f0f75577471534e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hotel-requirements.pdf\hotel-requirements.pdf.scr
    "C:\Users\Admin\AppData\Local\Temp\hotel-requirements.pdf\hotel-requirements.pdf.scr" /S
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
      "C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
          4⤵
            PID:4952
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4184

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
      Filesize

      74.3MB

      MD5

      4ca5ed9d8c94d36e9291d79f98194dc2

      SHA1

      de70cc4d3bcc448c092c5bd99ee661373f76383d

      SHA256

      5877e8427328cf96115d79d42767fa65c4b54212a0ade9becb8effbc8d3b7074

      SHA512

      d8552f61a3de0170ca5002b02b64dd6a9ab613c8e49b292f310596e52042534fc6b6cb03a71cd63fb9ff8234dd4ff46313b59f29db26e3043af078e6674caded

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
      Filesize

      74.3MB

      MD5

      4ca5ed9d8c94d36e9291d79f98194dc2

      SHA1

      de70cc4d3bcc448c092c5bd99ee661373f76383d

      SHA256

      5877e8427328cf96115d79d42767fa65c4b54212a0ade9becb8effbc8d3b7074

      SHA512

      d8552f61a3de0170ca5002b02b64dd6a9ab613c8e49b292f310596e52042534fc6b6cb03a71cd63fb9ff8234dd4ff46313b59f29db26e3043af078e6674caded

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2csicxd0.c1s.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/1100-162-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-171-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-184-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-175-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-163-0x0000000007A20000-0x000000000809A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1100-144-0x00000000050B0000-0x00000000056D8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1100-145-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-164-0x00000000073A0000-0x00000000073BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1100-147-0x0000000005020000-0x0000000005042000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1100-166-0x00000000080D0000-0x00000000080F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1100-149-0x00000000058C0000-0x0000000005926000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1100-168-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-159-0x0000000006010000-0x000000000602E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1100-160-0x0000000006560000-0x00000000065A4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1100-161-0x0000000007320000-0x0000000007396000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1100-167-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-143-0x0000000004A40000-0x0000000004A76000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1100-146-0x0000000004A30000-0x0000000004A40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1100-148-0x0000000005850000-0x00000000058B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4184-172-0x0000000017F20000-0x0000000017F32000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4184-173-0x0000000018050000-0x000000001815A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4184-180-0x000000001AB80000-0x000000001B0AC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4184-169-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/4184-170-0x0000000018480000-0x0000000018A98000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4184-179-0x0000000019B70000-0x0000000019D32000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4184-177-0x0000000019200000-0x0000000019250000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4184-176-0x0000000018F40000-0x0000000018F5E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4184-174-0x0000000017F80000-0x0000000017FBC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4292-142-0x000000000A2A0000-0x000000000A2AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4292-138-0x0000000000DE0000-0x0000000005826000-memory.dmp
      Filesize

      74.3MB

      Download
    • memory/4292-140-0x000000000A1D0000-0x000000000A262000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4292-165-0x000000000A180000-0x000000000A190000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4292-139-0x000000000A880000-0x000000000AE24000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4292-141-0x000000000A180000-0x000000000A190000-memory.dmp
      Filesize

      64KB

      Download