Overview

overview

10

Static

static

1

nitrogen.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2023, 14:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    nitrogen.exe

  • Size

    564KB

  • MD5

    25af44a770129f892ae848f39b1382b4

  • SHA1

    ab3a11cbaa8b9ee9072b3d7ca406ed1a76032fd9

  • SHA256

    da02ca08066fcaba7be915dd04fb03a3f1ef494fcb9931ee93db500e00280872

  • SHA512

    a968770e878b9c68c82768bd1a71bb003770bfa88704f37a5272b3592d08479384dc84714535fa3445373c0c0abb2143d86c6f559d1ce8f352b25b2470927bb9

  • SSDEEP

    12288:MOHlJFblyvSOgVA4TQS03ULaHNqrxlKIQNoZZJ6Ku5gMKmRxgDMkr:LHFlyavVA4TkEaHNYK3u6vFLgb

Score
10/10
redlineinfostealer

Malware Config

Extracted

Family

redline

C2

193.203.202.185:20856

Attributes
  • auth_value

    662246af7f290874d3816d23ebbc55c1

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nitrogen.exe
    "C:\Users\Admin\AppData\Local\Temp\nitrogen.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2180
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2184

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2108-25-0x00000000021F0000-0x0000000002250000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2108-10-0x00000000006C0000-0x00000000006C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-3-0x0000000002430000-0x0000000002431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-5-0x00000000023F0000-0x00000000023F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-2-0x0000000002420000-0x0000000002421000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-6-0x0000000002450000-0x0000000002451000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-8-0x0000000003330000-0x0000000003331000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-7-0x0000000002470000-0x0000000002471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-9-0x0000000003320000-0x0000000003323000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2108-14-0x0000000003340000-0x0000000003341000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-13-0x0000000003350000-0x0000000003351000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-11-0x00000000006D0000-0x00000000006D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-12-0x0000000003360000-0x0000000003361000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-24-0x0000000000400000-0x0000000000553000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2108-15-0x0000000003370000-0x0000000003371000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-16-0x0000000003380000-0x0000000003381000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-19-0x00000000000A0000-0x00000000001A0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2108-1-0x00000000021F0000-0x0000000002250000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2108-0-0x0000000000400000-0x0000000000553000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2180-34-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2180-26-0x00000000745F0000-0x0000000074DA0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2180-27-0x0000000004FD0000-0x00000000055E8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2180-28-0x0000000004A60000-0x0000000004A72000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2180-29-0x0000000004B90000-0x0000000004C9A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2180-18-0x0000000000570000-0x0000000000590000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2180-31-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2180-32-0x0000000004B00000-0x0000000004B4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2180-33-0x00000000745F0000-0x0000000074DA0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2180-30-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2184-35-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-36-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-37-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-42-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-41-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-43-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-44-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-45-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-47-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2184-46-0x000001A4916E0000-0x000001A4916E1000-memory.dmp

            Filesize

            4KB

            Download