Overview

overview

10

Static

static

3

a13a1f2fe5...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2023 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a13a1f2fe5ee62cfd08004277f557664.exe

  • Size

    611KB

  • MD5

    a13a1f2fe5ee62cfd08004277f557664

  • SHA1

    af8581903c06152c9650deba3abe92260fa891e2

  • SHA256

    8982eecbc6365b0320c57d0d186f0b0569a6cb619da669f5a87ad3ad7b09e698

  • SHA512

    acf62fed3e86b850152349a6cae3b0d68d493f6ad09e5594f1528c15e93392635caad1d237ba1ab4fc4a539340d21e16d49102489bc58c05e9a5b9d123e94357

  • SSDEEP

    12288:yivy90H6buQKNrjeqrvbg7tvXyfl7W1FgQNPuZtPF:yky5buQcmuWvXgW16ePu/d

Score
10/10
redlineinfostealerpersistencespyware

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a13a1f2fe5ee62cfd08004277f557664.exe
    "C:\Users\Admin\AppData\Local\Temp\a13a1f2fe5ee62cfd08004277f557664.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lessoutsourcing.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lessoutsourcing.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lessoutsourcing.exe
    Filesize

    1.3MB

    MD5

    cf8e316f1d6361352ced42c91f9410e1

    SHA1

    c34b228f33d4e9a37a6cc37fc0163cd2908b0131

    SHA256

    4f443b5e9f2635471f6f1af9b2941f8c811802c619547800b14c5eb90e6c2751

    SHA512

    540478e0782ec35beb61a2f3753223e177d4dde1355fb618ffc332c5940f1247a792e370bf4ca0bf26d10ea97694ade98ec55177db65d357e96ad27da4196f13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lessoutsourcing.exe
    Filesize

    1.3MB

    MD5

    cf8e316f1d6361352ced42c91f9410e1

    SHA1

    c34b228f33d4e9a37a6cc37fc0163cd2908b0131

    SHA256

    4f443b5e9f2635471f6f1af9b2941f8c811802c619547800b14c5eb90e6c2751

    SHA512

    540478e0782ec35beb61a2f3753223e177d4dde1355fb618ffc332c5940f1247a792e370bf4ca0bf26d10ea97694ade98ec55177db65d357e96ad27da4196f13

    Download Submit

  • memory/3788-9-0x0000000006200000-0x000000000624C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3788-6-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3788-7-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3788-8-0x0000000006010000-0x0000000006074000-memory.dmp

    Filesize

    400KB

    Download

  • memory/3788-17-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3788-10-0x0000000006250000-0x000000000629C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3788-11-0x00000000062D0000-0x000000000631C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3788-12-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3788-13-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3788-14-0x0000000006920000-0x0000000006EC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3788-5-0x0000000000290000-0x00000000003D4000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4760-18-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4760-26-0x0000000007D20000-0x0000000007D6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4760-19-0x0000000007A00000-0x0000000007A92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4760-20-0x0000000007C90000-0x0000000007CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4760-21-0x00000000079F0000-0x00000000079FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4760-22-0x0000000008AE0000-0x00000000090F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4760-23-0x0000000007C50000-0x0000000007C62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4760-24-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4760-25-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4760-15-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4760-27-0x0000000008590000-0x00000000085F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4760-28-0x00000000095F0000-0x0000000009666000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4760-29-0x0000000009840000-0x0000000009A02000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4760-30-0x0000000009F40000-0x000000000A46C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4760-31-0x0000000009780000-0x000000000979E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4760-32-0x0000000006760000-0x00000000067B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4760-34-0x0000000075110000-0x00000000758C0000-memory.dmp

    Filesize

    7.7MB

    Download