Overview

overview

10

Static

static

3

0f6ce02639...df.exe

windows10-2004-x64

10

17dbf09aca...d0.exe

windows7-x64

3

17dbf09aca...d0.exe

windows10-2004-x64

10

1b624e343d...55.exe

windows10-2004-x64

10

2faa75c50b...6d.exe

windows7-x64

3

2faa75c50b...6d.exe

windows10-2004-x64

10

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

576cad65a8...60.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

6eeb3d69d9...69.exe

windows7-x64

3

6eeb3d69d9...69.exe

windows10-2004-x64

10

77b8709187...06.exe

windows7-x64

3

77b8709187...06.exe

windows10-2004-x64

10

7f4e227924...bb.exe

windows7-x64

3

7f4e227924...bb.exe

windows10-2004-x64

10

8a870280a0...35.exe

windows7-x64

3

8a870280a0...35.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b21367ffaa...ef.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

be5114d10d...f3.exe

windows10-2004-x64

10

d191282ff4...7a.exe

windows10-2004-x64

10

de9167b772...91.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f85eca1ce9...65.exe

windows7-x64

3

f85eca1ce9...65.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0.exe

  • Size

    332KB

  • MD5

    d67ab3cb264ae5190625cb455a83d79f

  • SHA1

    234b6c25d1d8768e4b3753c93b4cf54bb5ccd7d1

  • SHA256

    17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0

  • SHA512

    9c75563fa91765b4aec47385a9f7bc17b5d779285ec9b9c7c39fed5e0335a4baffa2133e444b47d9535c449d09506c9ca0ecf4e9de62a10c977691815b338099

  • SSDEEP

    6144:C3TwjHHEJ9B4S9re5BAYhePRmygho+ASr/FvRbsW0fRaSZ+0Xp:CDrJ9B4S9rPiygO+ASBRZk1s0Xp

Score
10/10
redline5637482599discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

5637482599

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0.exe
    "C:\Users\Admin\AppData\Local\Temp\17dbf09aca5536c41f48cdee19e90cc995aeb0b0973ec6bca572f03b1ead46d0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1168-10-0x0000000005F40000-0x0000000005F7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1168-17-0x0000000006F50000-0x0000000006F6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1168-8-0x0000000005B60000-0x0000000005C6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1168-2-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1168-4-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1168-5-0x0000000005480000-0x00000000054E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1168-6-0x0000000005FA0000-0x00000000065B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1168-18-0x0000000007C00000-0x0000000007C50000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1168-20-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1168-9-0x0000000074DA0000-0x0000000075550000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1168-7-0x0000000005A30000-0x0000000005A42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1168-11-0x00000000069C0000-0x0000000006A0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1168-12-0x0000000006CE0000-0x0000000006EA2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1168-13-0x00000000073E0000-0x000000000790C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1168-14-0x0000000006EB0000-0x0000000006F42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1168-15-0x0000000007EC0000-0x0000000008464000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1168-16-0x0000000007040000-0x00000000070B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4008-1-0x0000000001090000-0x0000000001091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4008-0-0x0000000001090000-0x0000000001091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4008-3-0x0000000001090000-0x0000000001091000-memory.dmp

    Filesize

    4KB

    Download