Overview

overview

10

Static

static

3

1668096fbf...95.exe

windows10-2004-x64

10

2159151861...2d.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

2a0ae333a9...1a.exe

windows7-x64

3

2a0ae333a9...1a.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

77ba6e9303...c2.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

79eaddd1dc...70.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e3cf610e6...f0.exe

windows7-x64

10

9e3cf610e6...f0.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

aee53fccee...da.exe

windows10-2004-x64

10

af9c5ff480...30.exe

windows7-x64

3

af9c5ff480...30.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

dda511575f...2f.exe

windows10-2004-x64

10

ff541e0752...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe

  • Size

    479KB

  • MD5

    75455a1d7efce484f8b3d7814af0e5ff

  • SHA1

    d0fd6f9781558482370265a22b8378c569c5ce97

  • SHA256

    ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb

  • SHA512

    d2e7b2008cbdfde8f15eaf6f4fe6767f1b1325079b2ab3ca9e0c4344e4a4bdc94d1f6d34f02a5311dec3472654ed541ad35c3cc32faa4d5c0eea0472e14a8e6d

  • SSDEEP

    12288:8Mr8y90kFoPbEy+EEG8HUF8OANI9lhCsnr:oyv6Pw7g80OqhNr

Score
10/10
redlinedivaninfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes
  • auth_value

    b414986bebd7f5a3ec9aee0341b8e769

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe
    "C:\Users\Admin\AppData\Local\Temp\ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
        3⤵
        • Executes dropped EXE
        PID:2588
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
    1⤵
      PID:4104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
      Filesize

      307KB

      MD5

      178900fadde843a93e4ff30c5e82076f

      SHA1

      846b7fd87a8e9807d348ba472ffd1532686760e1

      SHA256

      9f09125a1d6ca941189332f36d6bfe71d1aba536faab6319c1f65613cb7b8ee4

      SHA512

      71bf9707928ccc338f459ea58da8fabde1e27aa5701b7c134b750f0bbe88f1f8167ac0e22e363a0e031c32c7382f08a8fa401ab54a36ffb5a5fb41455a08e36a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
      Filesize

      168KB

      MD5

      920f957df0f2679f7f336c895da5216a

      SHA1

      cbeb9e0a0289c894879b7b793137a53c3021b51b

      SHA256

      5e2d69dde65bb6080ad286f01ec4d748d5cba5177ef987a5582cfe58fcdda601

      SHA512

      be560d4b2b178dc18c26c4bbe652acbd2c24dd386b8eb1b395a410b538f3e3e098bb03d832ffdb5e578916d09135fac918ebb772cbf41089a2999fe0d5d3dde6

      Download Submit

    • memory/2588-14-0x0000000073BEE000-0x0000000073BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2588-15-0x0000000000940000-0x000000000096E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2588-16-0x00000000013D0000-0x00000000013D6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2588-17-0x000000000AC50000-0x000000000B268000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2588-18-0x000000000A7B0000-0x000000000A8BA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2588-19-0x000000000A6E0000-0x000000000A6F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2588-20-0x000000000A740000-0x000000000A77C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2588-21-0x0000000073BE0000-0x0000000074390000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2588-22-0x0000000004C90000-0x0000000004CDC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2588-23-0x0000000073BEE000-0x0000000073BEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2588-24-0x0000000073BE0000-0x0000000074390000-memory.dmp

      Filesize

      7.7MB

      Download