Overview

overview

10

Static

static

3

v5084366.exe

windows7-x64

10

v5084366.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2023 02:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    v5084366.exe

  • Size

    749KB

  • MD5

    d13cdcc7a3e4b53c6353806332e2a38c

  • SHA1

    3c077fca0e2c0164d0b3e64bf736ff657617eb64

  • SHA256

    4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71

  • SHA512

    5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70

  • SSDEEP

    12288:RMrMy90V4IbzNlS1XPir2vE3tknE7xwgT/L8hjAog2vr+YAbYb:5yg4IvvStqavOknsq6j8yogYr/AM

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\v5084366.exe
    "C:\Users\Admin\AppData\Local\Temp\v5084366.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
    Filesize

    305KB

    MD5

    a266b9b8ecb3ee0394b4287b24b42259

    SHA1

    32bacbfd2e17f7b514c3dc8791c0deed296d438f

    SHA256

    fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

    SHA512

    bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
    Filesize

    305KB

    MD5

    a266b9b8ecb3ee0394b4287b24b42259

    SHA1

    32bacbfd2e17f7b514c3dc8791c0deed296d438f

    SHA256

    fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

    SHA512

    bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
    Filesize

    185KB

    MD5

    7d2a4f1c088908e87dd8d7935cc6f094

    SHA1

    9cc267650862a01dfad47c00511e5e14e44e088f

    SHA256

    377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

    SHA512

    a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
    Filesize

    185KB

    MD5

    7d2a4f1c088908e87dd8d7935cc6f094

    SHA1

    9cc267650862a01dfad47c00511e5e14e44e088f

    SHA256

    377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

    SHA512

    a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
    Filesize

    145KB

    MD5

    c57b1dcdc09d6f2024fc7f879cada615

    SHA1

    9ca7169888f1284c856dbaa756c2e03baa9d7295

    SHA256

    ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

    SHA512

    2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
    Filesize

    145KB

    MD5

    c57b1dcdc09d6f2024fc7f879cada615

    SHA1

    9ca7169888f1284c856dbaa756c2e03baa9d7295

    SHA256

    ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

    SHA512

    2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
    Filesize

    305KB

    MD5

    a266b9b8ecb3ee0394b4287b24b42259

    SHA1

    32bacbfd2e17f7b514c3dc8791c0deed296d438f

    SHA256

    fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

    SHA512

    bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\v3439787.exe
    Filesize

    305KB

    MD5

    a266b9b8ecb3ee0394b4287b24b42259

    SHA1

    32bacbfd2e17f7b514c3dc8791c0deed296d438f

    SHA256

    fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

    SHA512

    bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
    Filesize

    185KB

    MD5

    7d2a4f1c088908e87dd8d7935cc6f094

    SHA1

    9cc267650862a01dfad47c00511e5e14e44e088f

    SHA256

    377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

    SHA512

    a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\a3426371.exe
    Filesize

    185KB

    MD5

    7d2a4f1c088908e87dd8d7935cc6f094

    SHA1

    9cc267650862a01dfad47c00511e5e14e44e088f

    SHA256

    377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

    SHA512

    a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
    Filesize

    145KB

    MD5

    c57b1dcdc09d6f2024fc7f879cada615

    SHA1

    9ca7169888f1284c856dbaa756c2e03baa9d7295

    SHA256

    ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

    SHA512

    2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\b7297900.exe
    Filesize

    145KB

    MD5

    c57b1dcdc09d6f2024fc7f879cada615

    SHA1

    9ca7169888f1284c856dbaa756c2e03baa9d7295

    SHA256

    ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

    SHA512

    2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

    Download Submit
  • memory/316-112-0x0000000000A00000-0x0000000000A2A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/316-113-0x0000000000A90000-0x0000000000AD0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/316-114-0x0000000000A90000-0x0000000000AD0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1508-85-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-99-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-87-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-89-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-91-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-93-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-95-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-97-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-101-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-83-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-105-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-103-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-81-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-79-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-78-0x0000000002150000-0x0000000002166000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1508-77-0x0000000004A50000-0x0000000004A90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1508-76-0x0000000004A50000-0x0000000004A90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1508-75-0x0000000002150000-0x000000000216C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1508-74-0x0000000000A50000-0x0000000000A6E000-memory.dmp
    Filesize

    120KB

    Download