Overview

overview

10

Static

static

3

05b48b2909...29.exe

windows10-2004-x64

10

18c3050e5a...e4.exe

windows10-2004-x64

10

2577bd2a22...1d.exe

windows10-2004-x64

10

28839ba22b...c4.exe

windows10-2004-x64

10

4efca8805f...a2.exe

windows10-2004-x64

10

6603f1832a...ef.exe

windows10-2004-x64

10

6ba0db3b66...b3.exe

windows10-2004-x64

10

74fe770b34...18.exe

windows10-2004-x64

10

b6b53c7022...c9.exe

windows10-2004-x64

10

eedc883713...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991.exe

  • Size

    857KB

  • MD5

    327d4c708883a33864d87e20fe338e4e

  • SHA1

    113fd0267f24bbce914cc6c40946666f949e71e2

  • SHA256

    eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991

  • SHA512

    0eaf67c2f43322a3078c09930b4824bd57d6550cb37f5685e328a110a0c858e20ca8a099c6edd92ceae3ec1028077439c341cb8a8ba5c8774152a47479ecac51

  • SSDEEP

    24576:Gyes+XVnvEZEwluVaizN/nbr+pr72IbKJZz:VesgvEZcVa+hnbKp3KJZ

Score
10/10
redlinekirainfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991.exe
    "C:\Users\Admin\AppData\Local\Temp\eedc883713775fd0c74224f0bedec2b1e88a105737c823318fc8ba819901d991.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9805759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9805759.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0710540.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0710540.exe
        3⤵
        • Executes dropped EXE
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9805759.exe
    Filesize

    756KB

    MD5

    f98eed837070cc219dc5331bc36d117a

    SHA1

    d0c93b7ecbf2934c8df9bba0058f8d94c9d1c7da

    SHA256

    760eb9b5afc8a931af44278e674c54b0b357c2151d73bed1d1238f9a38f0cf46

    SHA512

    03845798a6e608e493e0de08585eae5d80873838d147c63a862160808dc7beaa64a44660261b3b916d1a56a1329437b2e88bbbdd274698614317ada11a00b377

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0710540.exe
    Filesize

    692KB

    MD5

    7e4aad172821286679bf9378f5cce6f3

    SHA1

    bd2f9f11dc1648fbe063e7814357258fdaee0314

    SHA256

    a659fd0bb5bd226b5c89e39ab71496d7d883ddea60dce663af8e2c22f396e784

    SHA512

    7eb7adaa6a85c325145020c243401a179f1ee16c23a9a4e98b8dda84070203382dc3f404fa73233fe4040eab8a87df01bacfe26ed82a5ea8e41267706ca84869

    Download Submit

  • memory/5112-15-0x0000000000440000-0x0000000000470000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5112-18-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5112-19-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5112-20-0x0000000004BA0000-0x0000000004BA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/5112-21-0x0000000004C50000-0x0000000005268000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5112-22-0x0000000005270000-0x000000000537A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5112-23-0x0000000004C20000-0x0000000004C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5112-24-0x0000000005380000-0x00000000053BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5112-25-0x0000000005420000-0x000000000546C000-memory.dmp

    Filesize

    304KB

    Download