Overview

overview

10

Static

static

3

dd58888fdf...80.exe

windows7-x64

10

dd58888fdf...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2023, 21:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dd58888fdff857aaada05a63639dd62eb18db59ff49d719b9d08c92399224480.exe

  • Size

    451KB

  • MD5

    55bc839b3cfeccbef02b0895d33bfda1

  • SHA1

    2aaed760d01c2574c4ffc6e6aa26048669a23211

  • SHA256

    dd58888fdff857aaada05a63639dd62eb18db59ff49d719b9d08c92399224480

  • SHA512

    dddc3954b64c30f3508725b7a86fb22d221a5c9d1587d6c7b22d88f1fd2a8fce8ed79b9418da7d2941b210bf211182e9e9b1c062c566537522ee6a7ff52b63a8

  • SSDEEP

    6144:qiZtz1epr90wnWQgI7qEP4smV+/Eb1yHEwH/fwEBF2YEZrxp6ZTNSNBZN:VZtBO+lI7q5V2EAHLcrxU1A

Score
10/10
redline@cham1ngdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@cham1ng

C2

45.15.156.167:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd58888fdff857aaada05a63639dd62eb18db59ff49d719b9d08c92399224480.exe
    "C:\Users\Admin\AppData\Local\Temp\dd58888fdff857aaada05a63639dd62eb18db59ff49d719b9d08c92399224480.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2520

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab431A.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar432D.tmp
          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          Download Submit

        • memory/2520-0-0x0000000000340000-0x0000000000392000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2520-4-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2520-5-0x0000000004F10000-0x0000000004F50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2520-40-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2520-41-0x0000000004F10000-0x0000000004F50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2520-43-0x00000000740E0000-0x00000000747CE000-memory.dmp

          Filesize

          6.9MB

          Download