Analysis

  • max time kernel
    130s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:27

General

  • Target

    eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110.exe

  • Size

    333KB

  • MD5

    3c77db8ee7d08d76b14c5fc09137df15

  • SHA1

    cc7f65cf6094c1cef4533d73b969a3c0a719d5ff

  • SHA256

    eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110

  • SHA512

    6c9d537c77b713356587a42fc487979058cd63b6d428802565aa9ac6f83beccd5fb23ed96ed32f09e07573c05e3018b1d96515f0762a9c5c0fe8b8ba44a3f288

  • SSDEEP

    6144:e1RwZfFQDOioMvzATd5W0jbSXRYygh2qjjjjjjjJ42J2VfdweP4ql732W1sV+0Xp:e/zDOioMvzA+iygAqjjjjjjjJafKxI3W

Malware Config

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110.exe
    "C:\Users\Admin\AppData\Local\Temp\eadc8b7eba6e15614161bb91b8de6cff4d56f767901f6aceb9baed7b0fe0b110.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3328-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/3328-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/3328-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/4332-2-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4332-4-0x000000007486E000-0x000000007486F000-memory.dmp

    Filesize

    4KB

  • memory/4332-5-0x00000000050E0000-0x0000000005146000-memory.dmp

    Filesize

    408KB

  • memory/4332-6-0x0000000005BF0000-0x0000000006208000-memory.dmp

    Filesize

    6.1MB

  • memory/4332-7-0x0000000005640000-0x0000000005652000-memory.dmp

    Filesize

    72KB

  • memory/4332-8-0x0000000005770000-0x000000000587A000-memory.dmp

    Filesize

    1.0MB

  • memory/4332-9-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize

    7.7MB

  • memory/4332-10-0x000000007486E000-0x000000007486F000-memory.dmp

    Filesize

    4KB

  • memory/4332-11-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize

    7.7MB