Overview

overview

10

Static

static

3

1668096fbf...95.exe

windows10-2004-x64

10

2159151861...2d.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

2a0ae333a9...1a.exe

windows7-x64

3

2a0ae333a9...1a.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

77ba6e9303...c2.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

79eaddd1dc...70.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e3cf610e6...f0.exe

windows7-x64

10

9e3cf610e6...f0.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

aee53fccee...da.exe

windows10-2004-x64

10

af9c5ff480...30.exe

windows7-x64

3

af9c5ff480...30.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

dda511575f...2f.exe

windows10-2004-x64

10

ff541e0752...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe

  • Size

    479KB

  • MD5

    75455a1d7efce484f8b3d7814af0e5ff

  • SHA1

    d0fd6f9781558482370265a22b8378c569c5ce97

  • SHA256

    ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb

  • SHA512

    d2e7b2008cbdfde8f15eaf6f4fe6767f1b1325079b2ab3ca9e0c4344e4a4bdc94d1f6d34f02a5311dec3472654ed541ad35c3cc32faa4d5c0eea0472e14a8e6d

  • SSDEEP

    12288:8Mr8y90kFoPbEy+EEG8HUF8OANI9lhCsnr:oyv6Pw7g80OqhNr

Score
10/10
redlinedivaninfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes
  • auth_value

    b414986bebd7f5a3ec9aee0341b8e769

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe
    "C:\Users\Admin\AppData\Local\Temp\ff541e0752957750759a393b41c2885b8177a2e7daf8234bf11068c537e215bb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
        3⤵
        • Executes dropped EXE
        PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0490603.exe
    Filesize

    307KB

    MD5

    178900fadde843a93e4ff30c5e82076f

    SHA1

    846b7fd87a8e9807d348ba472ffd1532686760e1

    SHA256

    9f09125a1d6ca941189332f36d6bfe71d1aba536faab6319c1f65613cb7b8ee4

    SHA512

    71bf9707928ccc338f459ea58da8fabde1e27aa5701b7c134b750f0bbe88f1f8167ac0e22e363a0e031c32c7382f08a8fa401ab54a36ffb5a5fb41455a08e36a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4493183.exe
    Filesize

    168KB

    MD5

    920f957df0f2679f7f336c895da5216a

    SHA1

    cbeb9e0a0289c894879b7b793137a53c3021b51b

    SHA256

    5e2d69dde65bb6080ad286f01ec4d748d5cba5177ef987a5582cfe58fcdda601

    SHA512

    be560d4b2b178dc18c26c4bbe652acbd2c24dd386b8eb1b395a410b538f3e3e098bb03d832ffdb5e578916d09135fac918ebb772cbf41089a2999fe0d5d3dde6

    Download Submit
  • memory/1684-14-0x0000000073E9E000-0x0000000073E9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-15-0x0000000000A70000-0x0000000000A9E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1684-16-0x0000000002D60000-0x0000000002D66000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1684-17-0x000000000ADD0000-0x000000000B3E8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1684-18-0x000000000A8E0000-0x000000000A9EA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1684-19-0x000000000A810000-0x000000000A822000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1684-20-0x0000000073E90000-0x0000000074640000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1684-21-0x000000000A870000-0x000000000A8AC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1684-22-0x0000000004DB0000-0x0000000004DFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1684-23-0x0000000073E9E000-0x0000000073E9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-24-0x0000000073E90000-0x0000000074640000-memory.dmp
    Filesize

    7.7MB

    Download