Overview

overview

10

Static

static

3

66561bb149...in.exe

windows7-x64

10

66561bb149...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66561bb14913a1cd899dc375baedc0c1.bin.exe

  • Size

    514KB

  • MD5

    66561bb14913a1cd899dc375baedc0c1

  • SHA1

    281c6863850a9153481aff043ea8be11ac50a451

  • SHA256

    4c6b2a92796f1b86ef518b1af829c22c319471f2bc4b119f6b6ead9607d6e7dc

  • SHA512

    6e7066bc6c04f6f4729f4ad728a905c9d8287ce692669a0b3764a5e297d1006b63d3af725a854a9880d275c2a1e6d5b8a72f71268d3597c384948d93425807f7

  • SSDEEP

    12288:i0Nutyq5ViplmKWKpzfrxTL+R/lqW5OMy:n0ribTWKpzfrZS2W5

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

167.235.64.195:31839

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66561bb14913a1cd899dc375baedc0c1.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\66561bb14913a1cd899dc375baedc0c1.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\66561bb14913a1cd899dc375baedc0c1.bin.exe
      C:\Users\Admin\AppData\Local\Temp\66561bb14913a1cd899dc375baedc0c1.bin.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1236-12-0x00000000051A0000-0x00000000051DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1236-11-0x0000000005140000-0x0000000005152000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1236-7-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1236-9-0x0000000006000000-0x0000000006618000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1236-17-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1236-15-0x0000000006A30000-0x0000000006A80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1236-6-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1236-8-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1236-14-0x0000000005A60000-0x0000000005AC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1236-13-0x00000000051F0000-0x000000000523C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1236-10-0x00000000052B0000-0x00000000053BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4484-5-0x0000000005570000-0x000000000557A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4484-0-0x0000000000A40000-0x0000000000AC6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/4484-19-0x00000000056C0000-0x00000000056D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4484-2-0x0000000005990000-0x0000000005F34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4484-1-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-4-0x00000000056C0000-0x00000000056D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4484-18-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-3-0x00000000054C0000-0x0000000005552000-memory.dmp

    Filesize

    584KB

    Download