Overview

overview

10

Static

static

3

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    518KB

  • MD5

    c15c91c578b84e19b66599a4eaa29636

  • SHA1

    2baf692d598ade6f2348fa5a875857abb70e4ca9

  • SHA256

    dee9ad32eab4891fb956f119086543a5220518547f24794812f42e012b0cc1d4

  • SHA512

    2268017aa29e327707f3471957296056c496c7ba835c6ddca7f4bed59b1882d93bbaab46c9f4ae1c5ab120f9ceda8a4a096566ad37b23103829676c8cf3b7d77

  • SSDEEP

    12288:pbA9s8w7P9Ca47E6uUlVGd7KaL7mTIFc/K9lTdovsC:KsDb4nKwaXmMy/K/Th

Score
10/10
redlinelogsdiller cloud (tg: @logsdillabot)infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.96:28380

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Modifies system certificate store
      PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tmp3662.tmp
    Filesize

    2KB

    MD5

    1420d30f964eac2c85b2ccfe968eebce

    SHA1

    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

    SHA256

    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

    SHA512

    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

    Download Submit
  • memory/1520-1-0x0000000000260000-0x00000000002E6000-memory.dmp
    Filesize

    536KB

    Download
  • memory/3408-24-0x00000000061A0000-0x0000000006216000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3408-25-0x0000000006930000-0x000000000694E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3408-5-0x0000000005540000-0x00000000055D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3408-6-0x0000000005790000-0x00000000057A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3408-7-0x00000000055E0000-0x00000000055EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3408-3-0x0000000074C10000-0x00000000753C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3408-0-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/3408-4-0x0000000005AF0000-0x0000000006094000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3408-28-0x0000000006F70000-0x0000000007588000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3408-29-0x0000000006AC0000-0x0000000006BCA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3408-30-0x0000000006A00000-0x0000000006A12000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3408-31-0x0000000006A60000-0x0000000006A9C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3408-32-0x0000000006BD0000-0x0000000006C1C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3408-33-0x0000000074C10000-0x00000000753C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3408-34-0x0000000005790000-0x00000000057A0000-memory.dmp
    Filesize

    64KB

    Download