Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08/05/2024, 00:19 UTC

General

  • Target

    83d9f77c09f624b493653c9f77230a052d1d729212c2ee73a630d9d59cb96ac4.exe

  • Size

    315KB

  • MD5

    f74808a0cb7b3ce6a8ff12875f93d5dc

  • SHA1

    8c4104605e2c55218b0422b6589ea825cebe4b62

  • SHA256

    83d9f77c09f624b493653c9f77230a052d1d729212c2ee73a630d9d59cb96ac4

  • SHA512

    6f06898ad7fb1a1e3d779e0831683707e3dc3bc2e2622681758f72540f3568a0271eee641d2d9f9b1b2d9fffe459bda36b24359d775c45075e5d91054f2a8dc3

  • SSDEEP

    6144:C89pI60nbM8uPZy3+8KID/MuO/S8JvFbxGQnM6XwQTCyvl2XaXHS:t9+60nbnuEMzLJvFbk6gQ2c2X0HS

Malware Config

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83d9f77c09f624b493653c9f77230a052d1d729212c2ee73a630d9d59cb96ac4.exe (PID 3164)
    "C:\Users\Admin\AppData\Local\Temp\83d9f77c09f624b493653c9f77230a052d1d729212c2ee73a630d9d59cb96ac4.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2004, child of 3164)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4108, child of 3164)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Network

  • DNS pastebin.com (RegAsm.exe, remote address 8.8.8.8:53)
    Request: pastebin.com IN A
    Response: pastebin.com IN A 104.20.3.235; pastebin.com IN A 172.67.19.24; pastebin.com IN A 104.20.4.235
  • DNS aifiller.sbs (RegAsm.exe, remote address 8.8.8.8:53)
    Request: aifiller.sbs IN A
    Response: aifiller.sbs IN A 116.203.6.63
  • DNS 8.8.8.8.in-addr.arpa (RegAsm.exe, remote address 8.8.8.8:53)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 63.6.203.116.in-addr.arpa (RegAsm.exe, remote address 8.8.8.8:53)
    Request: 63.6.203.116.in-addr.arpa IN PTR
    Response: 63.6.203.116.in-addr.arpa IN PTR static.63.6.203.116.clients.your-server.de
  • DNS 43.229.111.52.in-addr.arpa (RegAsm.exe, remote address 8.8.8.8:53)
    Request: 43.229.111.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 235.3.20.104.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 235.3.20.104.in-addr.arpa IN PTR
    Response: (none)
  • DNS nexusrules.officeapps.live.com (remote address 8.8.8.8:53)
    Request: nexusrules.officeapps.live.com IN A
    Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net; prod.nexusrules.live.com.akadns.net IN A 52.111.229.43
  • DNS self.events.data.microsoft.com (remote address 8.8.8.8:53)
    Request: self.events.data.microsoft.com IN A
    Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net; self-events-data.trafficmanager.net IN CNAME onedscolprdcus03.centralus.cloudapp.azure.com; onedscolprdcus03.centralus.cloudapp.azure.com IN A 13.89.178.27
  • 104.20.3.235:443 (pastebin.com, tls, RegAsm.exe): 805 B, 6.0kB, 8, 8
  • 116.203.6.63:443 (aifiller.sbs, https, RegAsm.exe): 2.0MB, 38.5kB, 1493, 735
  • 8.8.8.8:53 (pastebin.com, dns, RegAsm.exe): 325 B, 555 B, 5, 5
    DNS Request: pastebin.com
    DNS Response: 104.20.3.235, 172.67.19.24, 104.20.4.235
    DNS Request: aifiller.sbs
    DNS Response: 116.203.6.63
    DNS Request: 8.8.8.8.in-addr.arpa
    DNS Request: 63.6.203.116.in-addr.arpa
    DNS Request: 43.229.111.52.in-addr.arpa
  • 8.8.8.8:53 (235.3.20.104.in-addr.arpa, dns): 223 B, 471 B, 3, 3
    DNS Request: 235.3.20.104.in-addr.arpa
    DNS Request: nexusrules.officeapps.live.com
    DNS Response: 52.111.229.43
    DNS Request: self.events.data.microsoft.com
    DNS Response: 13.89.178.27

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3164-0-0x0000000002980000-0x0000000002981000-memory.dmp (Filesize 4KB)
  • memory/4108-1-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
  • memory/4108-2-0x0000000074DBE000-0x0000000074DBF000-memory.dmp (Filesize 4KB)
  • memory/4108-3-0x0000000004F00000-0x0000000004F66000-memory.dmp (Filesize 408KB)
  • memory/4108-4-0x0000000005A30000-0x0000000006048000-memory.dmp (Filesize 6.1MB)
  • memory/4108-5-0x0000000005480000-0x0000000005492000-memory.dmp (Filesize 72KB)
  • memory/4108-6-0x00000000055B0000-0x00000000056BA000-memory.dmp (Filesize 1.0MB)
  • memory/4108-7-0x0000000074DB0000-0x0000000075561000-memory.dmp (Filesize 7.7MB)
  • memory/4108-8-0x0000000006290000-0x00000000062CC000-memory.dmp (Filesize 240KB)
  • memory/4108-9-0x00000000062D0000-0x000000000631C000-memory.dmp (Filesize 304KB)
  • memory/4108-10-0x00000000065F0000-0x00000000067B2000-memory.dmp (Filesize 1.8MB)
  • memory/4108-11-0x0000000006CF0000-0x000000000721C000-memory.dmp (Filesize 5.2MB)
  • memory/4108-12-0x00000000067C0000-0x0000000006852000-memory.dmp (Filesize 584KB)
  • memory/4108-13-0x00000000077D0000-0x0000000007D76000-memory.dmp (Filesize 5.6MB)
  • memory/4108-14-0x00000000068E0000-0x0000000006956000-memory.dmp (Filesize 472KB)
  • memory/4108-15-0x00000000068B0000-0x00000000068CE000-memory.dmp (Filesize 120KB)
  • memory/4108-16-0x0000000006C90000-0x0000000006CE0000-memory.dmp (Filesize 320KB)
  • memory/4108-18-0x0000000074DB0000-0x0000000075561000-memory.dmp (Filesize 7.7MB)
