Overview

overview

10

Static

static

3

0237b61e61...e4.exe

windows7-x64

3

0237b61e61...e4.exe

windows10-2004-x64

10

0cbf9c5b59...f9.exe

windows10-2004-x64

10

0edb945c8d...dd.exe

windows10-2004-x64

10

13ca0bbb32...3f.exe

windows10-2004-x64

10

1465a638f9...f2.exe

windows10-2004-x64

10

1b0729839d...dd.exe

windows10-2004-x64

10

27bf431b08...9f.exe

windows10-2004-x64

10

34b8fdeeaf...27.exe

windows10-2004-x64

10

488c7cb3b3...18.exe

windows10-2004-x64

10

4bc64c0375...75.exe

windows10-2004-x64

10

4f85c3e4ec...fe.exe

windows10-2004-x64

10

55b18033bb...53.exe

windows7-x64

3

55b18033bb...53.exe

windows10-2004-x64

10

60e7e1ac00...07.exe

windows10-2004-x64

10

979a97cb16...99.exe

windows10-2004-x64

10

b3eb736a5d...9f.exe

windows10-2004-x64

10

d57352b171...d0.exe

windows10-2004-x64

10

d62f03a558...b6.exe

windows10-2004-x64

10

e72a6e51db...6d.exe

windows10-2004-x64

10

f5c9c18cca...6b.exe

windows10-2004-x64

10

fdb9b25099...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d.exe

  • Size

    853KB

  • MD5

    03c70427b7f46efb268904efce07e208

  • SHA1

    6201e0eb7f063348a80543fce2e4f92f064624b6

  • SHA256

    e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d

  • SHA512

    28112660c5df88ef4affbf1cf27105f54bb25f532d6d820d9ff8d72bf02a29dc2b3b3fe211c7383db7cb49ec6caec7d238ceac70cce8f29bd650aaa9958f78d4

  • SSDEEP

    24576:gydW77VD+If1MjC21MKDHlSX6YdG16mys76:ndY7N+7RKeH0XXA6mn7

Score
10/10
redlinekirainfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d.exe
    "C:\Users\Admin\AppData\Local\Temp\e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1528662.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1528662.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7382281.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7382281.exe
        3⤵
        • Executes dropped EXE
        PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1528662.exe
    Filesize

    752KB

    MD5

    825d5e2098da7edd0c17fac952d6d721

    SHA1

    d44c1a96f5ffb32a8bb7ea72208a79cd4095b1fd

    SHA256

    49c98de2deb82f2134ed6b01213a6c063719e1e263c4468b8ba55342c4864a2b

    SHA512

    0d32ad9e6105e7885dc52d6ef434ca2536af2ca3f89841eb72e905b47bf345a9f9e6a92d4844b6f0911ca2a4612b1ebf4d33b2ad05d5e891d0ed471644c2dd3d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7382281.exe
    Filesize

    692KB

    MD5

    1c4dcd796dc1a5ad10db4a05a2178325

    SHA1

    f0d182ea2e5842e33a6e1075b002d3b426baeb7f

    SHA256

    3fbe14a076fd872f94dec8ce14edc7f6b05442b16a31da805585a36cc5b55090

    SHA512

    84fabc37a9787bb89add60da24fa769d2144247ae09dce1647514145b8eed551db541ec6fdfe84f29662970cbb4981539e6c03241b449464928831a2859bdcac

    Download Submit
  • memory/1676-18-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1676-14-0x0000000000440000-0x0000000000470000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1676-19-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1676-20-0x0000000002560000-0x0000000002566000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1676-21-0x0000000004C50000-0x0000000005268000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1676-23-0x0000000004B20000-0x0000000004B32000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1676-24-0x0000000005380000-0x00000000053BC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1676-22-0x0000000005270000-0x000000000537A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1676-25-0x0000000005420000-0x000000000546C000-memory.dmp
    Filesize

    304KB

    Download