Overview

overview

10

Static

static

1

bd225935b6...40.exe

windows7-x64

10

bd225935b6...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 17:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bd225935b6b2ea18b54d886175ff37be05a0bea5dc242ee7b535fbc0b6117140.exe

  • Size

    1.5MB

  • MD5

    c2a12d49dfe6eee829e756f23da12892

  • SHA1

    9aaabbad78b1b78d4be89e54b6aa54e64530f962

  • SHA256

    bd225935b6b2ea18b54d886175ff37be05a0bea5dc242ee7b535fbc0b6117140

  • SHA512

    cc724df549003bfe96831da5d08a4e94fcc9cf50421851215b60d0f343be06adf17e8a982ded2853175d4c1eb9ac0fa876379bcb8935680809ebf61c321e0193

  • SSDEEP

    49152:0YHmYObiYdcFMSz3gbXyiz3htazmq7H1P:0kOoMSz3gbXyiz3htwV

Score
10/10
redlineinfostealerspyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd225935b6b2ea18b54d886175ff37be05a0bea5dc242ee7b535fbc0b6117140.exe
    "C:\Users\Admin\AppData\Local\Temp\bd225935b6b2ea18b54d886175ff37be05a0bea5dc242ee7b535fbc0b6117140.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:860

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/860-14-0x0000000008750000-0x0000000008D68000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/860-15-0x00000000051D0000-0x00000000051E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/860-2-0x00000000005F0000-0x000000000064A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/860-24-0x00000000099D0000-0x00000000099EE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/860-8-0x0000000074C90000-0x0000000075440000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/860-9-0x0000000007B80000-0x0000000008124000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/860-10-0x00000000075D0000-0x0000000007662000-memory.dmp

          Filesize

          584KB

          Download

        • memory/860-11-0x0000000074C90000-0x0000000075440000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/860-12-0x0000000007780000-0x0000000007790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/860-13-0x0000000007790000-0x000000000779A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/860-23-0x0000000009EE0000-0x000000000A40C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/860-16-0x0000000007940000-0x0000000007A4A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/860-22-0x00000000097E0000-0x00000000099A2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/860-17-0x0000000007780000-0x0000000007790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/860-18-0x0000000008130000-0x000000000816C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/860-19-0x00000000078E0000-0x000000000792C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/860-20-0x0000000000F30000-0x0000000000F96000-memory.dmp

          Filesize

          408KB

          Download

        • memory/860-21-0x0000000009590000-0x0000000009606000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1456-0-0x0000000000330000-0x000000000050A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1456-1-0x0000000000330000-0x000000000050A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1456-7-0x0000000000330000-0x000000000050A000-memory.dmp

          Filesize

          1.9MB

          Download