Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09-05-2024 11:56

General

  • Target

    7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe

  • Size

    968KB

  • MD5

    001fd77dc866551558dbdabe0918c8fe

  • SHA1

    ee2bc863795256c1573dce130ff05d9e0aa4778b

  • SHA256

    7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495

  • SHA512

    459497de8b051b9086e7d3a57fa06a50903666e61fb2a9815c80692b525821c4bcb75a44eea540aad9cb6214bf646d5a533496353373de616cd8656dc6cb7da6

  • SSDEEP

    12288:d4r/VjTk4fZ0JeFGdfIBmq4KRl8EtDYzbYzTL2dpuwiuZndFmhqVJxMI:o/lTk4fZ0JpdfIBm8IgTLBwUu7MI

Malware Config

Extracted

Family

redline

Botnet

6077866846

C2

https://pastebin.com/raw/KE5Mft0T

(The extracted C2 value is a pastebin raw-paste URL rather than a host:port; this is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to.)

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe
    "C:\Users\Admin\AppData\Local\Temp\7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:4492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3332
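
The process tree above is the classic hollowing shape: an executable running from %TEMP% starts the .NET registration tool RegAsm.exe with no arguments at all (the command line is just the quoted image path), and the parent is flagged for SetThreadContext and WriteProcessMemory, i.e. it writes code into the child and redirects its thread. A bare RegAsm.exe launch does nothing useful on its own, which makes it a cheap thing to alert on. The following Python is an added detection sketch, not code from the sandbox report or from the RedLine sample; the event records are constructed to mirror the tree above (PIDs 2308, 4492, 3332) using Sysmon Event ID 1 field names, plus one benign RegAsm launch so the rule has something to pass. The set of host binaries and the user-writable path markers are assumptions chosen for illustration.

```python
"""Flag bare launches of .NET registration tools from user-writable parents.

Added example, not part of the sandbox report. Field names follow Sysmon
Event ID 1 (ProcessCreate); the event values below are constructed, not
real logs.
"""
from __future__ import annotations

import ntpath

# .NET Framework utilities that are used as hosts for injected code
# (MITRE T1218.009 Regsvcs/Regasm, T1218.004 InstallUtil). Assumed list.
DOTNET_HOST_BINARIES = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# Path fragments marking a parent image that runs from user-writable storage.
# Assumed list; extend for your environment.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

SAMPLE_NAME = "7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE_NAME)
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events modelled on the report's process tree, plus a benign
# RegAsm run (a developer registering an assembly) that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 2308, "Image": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}"',
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4492, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentProcessId": 2308, "ParentImage": SAMPLE_PATH},
    {"ProcessId": 3332, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentProcessId": 2308, "ParentImage": SAMPLE_PATH},
    {"ProcessId": 5120, "Image": REGASM,
     "CommandLine": f'"{REGASM}" /codebase C:\\build\\MyComponent.dll',
     "ParentProcessId": 900,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]


def split_command_line(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (program, arguments).

    Handles the quoted form the report shows ("C:\\...\\RegAsm.exe") and an
    unquoted program token; this is not a full CommandLineToArgvW emulation.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline.strip('"'), ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    prog, _, rest = cmdline.partition(" ")
    return prog, rest.strip()


def from_user_writable_path(image: str) -> bool:
    """True if the image path contains one of the user-writable markers."""
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def classify(event: dict) -> str | None:
    """Return 'high', 'medium' or None for one ProcessCreate event."""
    name = ntpath.basename(event["Image"]).lower()
    if name not in DOTNET_HOST_BINARIES:
        return None
    _, args = split_command_line(event["CommandLine"])
    if args:
        # RegAsm given an assembly to register is normal build/install activity.
        return None
    # A bare launch of a registration tool only makes sense as a host for
    # injected code; a parent running from %TEMP% or similar raises severity.
    if from_user_writable_path(event["ParentImage"]):
        return "high"
    return "medium"


def flag_hollowing_candidates(events: list[dict]) -> list[dict]:
    """Return one finding per event that matches the bare-host pattern."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append({"pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
                             "image": ev["Image"], "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in flag_hollowing_candidates(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the two RegAsm children of PID 2308 are reported as high-severity candidates and the developer's `/codebase` run is ignored. In a real deployment the command-line check is the load-bearing part: legitimate RegAsm invocations always carry an assembly path, so the empty-argument condition alone cuts the noise sharply, and the parent-path condition is what promotes a hit to high severity.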


Downloads

  • memory/3332-0-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize
    136KB

  • memory/3332-1-0x000000007486E000-0x000000007486F000-memory.dmp
    Filesize
    4KB

  • memory/3332-2-0x0000000005320000-0x0000000005386000-memory.dmp
    Filesize
    408KB

  • memory/3332-3-0x0000000005E80000-0x0000000006498000-memory.dmp
    Filesize
    6.1MB

  • memory/3332-5-0x0000000005A00000-0x0000000005B0A000-memory.dmp
    Filesize
    1.0MB

  • memory/3332-4-0x00000000058D0000-0x00000000058E2000-memory.dmp
    Filesize
    72KB

  • memory/3332-6-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize
    7.7MB

  • memory/3332-7-0x000000007486E000-0x000000007486F000-memory.dmp
    Filesize
    4KB

  • memory/3332-8-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize
    7.7MB