Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    04/08/2023, 04:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    260e954d4df65c05e5b42a90e776b5657ec8a13ffbf520e79ab0dbaad5a54f8a.exe

  • Size

    2.5MB

  • MD5

    0d9a733c112c47e0293dece98f7dd2d9

  • SHA1

    679a8d9b67f1384aacb26cabb6e07b6da72a30c4

  • SHA256

    260e954d4df65c05e5b42a90e776b5657ec8a13ffbf520e79ab0dbaad5a54f8a

  • SHA512

    2a051ae06a7c1dc3946128ed1f4cacb905a4b661cf03eff2c64372bd1a87d54e7b62c4a33388eafe84e9c92ed9ce1e46c8a600a0d88ff04dcf63eb2129e54121

  • SSDEEP

    12288:e3wupYk4ubGyS9AcJSqrE4fdv4OT4rP453Tu4XfUH2HF9+h54K4HH:egupYkvbGyS90Qv4OPZ9UCFs0

Score
10/10
redline1112224312infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

1112224312

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\260e954d4df65c05e5b42a90e776b5657ec8a13ffbf520e79ab0dbaad5a54f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\260e954d4df65c05e5b42a90e776b5657ec8a13ffbf520e79ab0dbaad5a54f8a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2480-55-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2480-60-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2480-58-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2480-61-0x0000000074870000-0x0000000074F5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2480-62-0x00000000047F0000-0x0000000004830000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2480-63-0x0000000074870000-0x0000000074F5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2528-54-0x00000000009E0000-0x0000000000B88000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2528-56-0x00000000009E0000-0x0000000000B88000-memory.dmp

          Filesize

          1.7MB

          Download