Overview

overview

10

Static

static

3

0d6ae7d3e5...46.exe

windows10-2004-x64

10

14841ccb83...75.exe

windows10-2004-x64

10

18e108c298...24.exe

windows7-x64

3

18e108c298...24.exe

windows10-2004-x64

10

2945802616...90.exe

windows10-2004-x64

10

3278025d1e...83.exe

windows10-2004-x64

10

3977873bc2...45.exe

windows10-2004-x64

10

3ee99efba0...30.exe

windows7-x64

3

3ee99efba0...30.exe

windows10-2004-x64

10

4111ebb7fa...25.exe

windows7-x64

3

4111ebb7fa...25.exe

windows10-2004-x64

10

5f784993eb...f4.exe

windows10-2004-x64

10

614cff5590...9a.exe

windows10-2004-x64

10

6286d393c9...52.exe

windows7-x64

3

6286d393c9...52.exe

windows10-2004-x64

10

6db47e7857...ad.exe

windows10-2004-x64

10

a0808edece...c8.exe

windows7-x64

3

a0808edece...c8.exe

windows10-2004-x64

10

a510057561...96.exe

windows10-2004-x64

10

d5f7db4382...70.exe

windows10-2004-x64

10

da4db9abb9...ce.exe

windows7-x64

3

da4db9abb9...ce.exe

windows10-2004-x64

10

ebfcc654cd...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 11:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    614cff559007c756d485e21c8344fe2ac72354f9e4af563e870926f665edb39a.exe

  • Size

    770KB

  • MD5

    bd6694c7f76fdba409fc12ba82452d8c

  • SHA1

    f079703f5a5c0e84c2eef5a5d51b2fd211d0a27f

  • SHA256

    614cff559007c756d485e21c8344fe2ac72354f9e4af563e870926f665edb39a

  • SHA512

    f96d600abd6c2607607d3e92c0347ca20d7c0f3fa1c1e0b09d0426de9ddae3340abb38e6fcf31d9f28473e98f548460a0cc7d1c8414cf0a7390c40a967cb002a

  • SSDEEP

    12288:mMrxy90t+1umrLE/nguxpZ0lNlMGhoX/cBtT3vHoMGcOFTUcXn4:Hyc+1Bq7mMv+F3QHRFTq

Score
10/10
redlinedebroinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\614cff559007c756d485e21c8344fe2ac72354f9e4af563e870926f665edb39a.exe
    "C:\Users\Admin\AppData\Local\Temp\614cff559007c756d485e21c8344fe2ac72354f9e4af563e870926f665edb39a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5544770.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5544770.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8040960.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8040960.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8594975.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8594975.exe
          4⤵
          • Executes dropped EXE
          PID:1280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5544770.exe
    Filesize

    488KB

    MD5

    6db49a95e667692ec21e46a40379b81f

    SHA1

    2d4a57435a5ff349ac5b9db8485a4a1e7d4aa700

    SHA256

    0c6c2d02897cd3a48d87eb9ffccb7da326368f5af9973827701f7f11a02f33f8

    SHA512

    ef16e77b5398ce12031a69603d9a0c8a97661193e88e1d8f3cefd8e6848f7044554feade11190d0b580901894a11aea539d7715156bd91b02c075579a9c53329

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8040960.exe
    Filesize

    316KB

    MD5

    615269e97f8005dfc3152683f5d02a7c

    SHA1

    116bb50aa0a3cb1ab8bf9073d74285345772aa36

    SHA256

    b564c7d66b835f031b882f6d0377e051cff14795584ea7bd34dc4552cd7fb7d4

    SHA512

    1ddc985a2a9c4a6207d413cc02ce95e30b7ee76e19c971c92ed2222ca164cb1433ea52c35d3b2a3ba8f4b5fb52b63a982af5bb627c97209505585ff63b503ef3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8594975.exe
    Filesize

    168KB

    MD5

    7d03b32d830d2b1ca87ed15f1b4ed47f

    SHA1

    f2b13e48e91e5aac429921ae40e868518bfa80f5

    SHA256

    2b38b49dbbbb0d078179250736b369715cd60c17ce6b4492cc38b6e579be6154

    SHA512

    ca6705962c52ffad4a228d5eca37d385214994c4e45dd600d4777851687115b1eae7cd00803e961461f5cbe38392deb1551351fb21ae131678beb3a8e3f478cf

    Download Submit

  • memory/1280-21-0x0000000000B30000-0x0000000000B5E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1280-22-0x0000000005450000-0x0000000005456000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1280-23-0x0000000005A90000-0x00000000060A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1280-24-0x0000000005580000-0x000000000568A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1280-25-0x00000000054B0000-0x00000000054C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1280-26-0x0000000005510000-0x000000000554C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1280-27-0x0000000005690000-0x00000000056DC000-memory.dmp

    Filesize

    304KB

    Download