Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    07978cb9567193f8fbf259763e411533

  • SHA1

    2a5b283f94790aa0c9c4b3cac10ff658715d10f9

  • SHA256

    9cc458ba7d97a5db07e7a42561b0d55e4adfce7e41a4a477b06e3b0fd5e871bf

  • SHA512

    47b955fda524d689ded15ef0744f3dbd1f96082c3dd6330649d135c5b402cf87d5db320353c971e27d87fde10866c929773dd5cf8903cc973e8422daf5eec280

  • SSDEEP

    24576:BJxY5KgFimILMhkVSjFgHdg2HO6a9DhvhWWs4Sf:BdgFimILMhAQF8g8O6a3vKf

Score
10/10
redlinesmokiez285infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

smokiez285

C2

194.169.175.232:45451

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 392
      2⤵
      • Program crash
      PID:1952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4280 -ip 4280
    1⤵
      PID:3420

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3416-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3416-1-0x0000000075140000-0x00000000758F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3416-2-0x0000000007E60000-0x0000000008404000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3416-3-0x0000000007950000-0x00000000079E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3416-4-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3416-5-0x0000000007A50000-0x0000000007A5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3416-6-0x0000000008A30000-0x0000000009048000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3416-7-0x0000000008410000-0x000000000851A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3416-8-0x0000000007C20000-0x0000000007C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3416-9-0x0000000007CB0000-0x0000000007CEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3416-10-0x0000000007C50000-0x0000000007C9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3416-11-0x0000000008590000-0x00000000085F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3416-12-0x0000000075140000-0x00000000758F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3416-13-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3416-14-0x0000000006590000-0x00000000065E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3416-15-0x000000000C730000-0x000000000C8F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3416-16-0x000000000CE30000-0x000000000D35C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3416-18-0x0000000075140000-0x00000000758F0000-memory.dmp

      Filesize

      7.7MB

      Download