Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    187s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/07/2023, 03:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    y2304387.exe

  • Size

    402KB

  • MD5

    f44f6a62eb3dc2e91d9b84dd2ee414e8

  • SHA1

    37ecc776dfa73fd79d7ca23c4b9a76a79afa5886

  • SHA256

    910cf85ab1ead9267c7d45a7e1ef1d2ff282ac429e426a9654d585fc5ffacfbe

  • SHA512

    0282420ef84484b1715a2a81330e0f75cb996ef89db384e27fdfd64c055b1a834192b46423fe28b4939cc077d6ce82c8f1ce19a18e376c02cb96ac59cc395f19

  • SSDEEP

    6144:Kny+bnr+5p0yN90QEZ30q+MET3AkTFGwjeprT4PDH9HdTbetaR7VrXq+xVfOLP:9Mr5y9070qbETnoaepH8H9HV617

Score
10/10
redlinefuroddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes
  • auth_value

    d2386245fe11799b28b4521492a5879d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\y2304387.exe
    "C:\Users\Admin\AppData\Local\Temp\y2304387.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5177269.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5177269.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6914964.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6914964.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3212

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
          Filesize

          226B

          MD5

          957779c42144282d8cd83192b8fbc7cf

          SHA1

          de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

          SHA256

          0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

          SHA512

          f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5177269.exe
          Filesize

          185KB

          MD5

          2290f56f8dd64187e33c3be402e430e0

          SHA1

          6fd61710d5fb8a281761de9ba78e062d899b49fa

          SHA256

          f5d0994af44b1d75ed6d0d652528a691a9a95d28c949e1ef64686ad25b8601a6

          SHA512

          31288524f6d82568d3a003a1a8d732474035645dbd40551a41c4dfc8c1396e38a51943945cc1ccc6a1ab9c7ca62fd7d3d2732ffae04eaac222bc1c99e14a1282

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5177269.exe
          Filesize

          185KB

          MD5

          2290f56f8dd64187e33c3be402e430e0

          SHA1

          6fd61710d5fb8a281761de9ba78e062d899b49fa

          SHA256

          f5d0994af44b1d75ed6d0d652528a691a9a95d28c949e1ef64686ad25b8601a6

          SHA512

          31288524f6d82568d3a003a1a8d732474035645dbd40551a41c4dfc8c1396e38a51943945cc1ccc6a1ab9c7ca62fd7d3d2732ffae04eaac222bc1c99e14a1282

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6914964.exe
          Filesize

          1.3MB

          MD5

          610a13dbc8136e246df029939fac0577

          SHA1

          d8faa8cdaa48aa9e86f73b7aa734371b14533344

          SHA256

          2ad9871429f41f0c4d514c392db875ba187799b2537b1cecfd50e5f8c3e378e2

          SHA512

          6db43a3295c60dd0f3218db0ecb9aec4f0825df4232f1539948a7405ea19c84e2c981f85b305ede0b6df7964fa3a39068937940061f79fdafb63b60997d5952a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l6914964.exe
          Filesize

          1.3MB

          MD5

          610a13dbc8136e246df029939fac0577

          SHA1

          d8faa8cdaa48aa9e86f73b7aa734371b14533344

          SHA256

          2ad9871429f41f0c4d514c392db875ba187799b2537b1cecfd50e5f8c3e378e2

          SHA512

          6db43a3295c60dd0f3218db0ecb9aec4f0825df4232f1539948a7405ea19c84e2c981f85b305ede0b6df7964fa3a39068937940061f79fdafb63b60997d5952a

          Download Submit

        • memory/3212-147-0x000000000A6B0000-0x000000000A6C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3212-154-0x000000000B4D0000-0x000000000B520000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3212-143-0x0000000002540000-0x0000000002546000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3212-144-0x0000000009F70000-0x000000000A576000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/3212-145-0x000000000A580000-0x000000000A68A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3212-157-0x000000000B830000-0x000000000BD5C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3212-146-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3212-148-0x000000000A6D0000-0x000000000A70E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/3212-149-0x000000000A780000-0x000000000A7CB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3212-150-0x000000000A8C0000-0x000000000A936000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3212-151-0x000000000A940000-0x000000000A9D2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3212-152-0x000000000A9E0000-0x000000000AA46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3212-153-0x000000000AF20000-0x000000000B41E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/3212-138-0x00000000001D0000-0x0000000000200000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3212-155-0x000000000B650000-0x000000000B812000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3212-156-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-129-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB

          Download