Overview

overview

10

Static

static

3

0033b9ed1c...40.exe

windows7-x64

3

0033b9ed1c...40.exe

windows10-2004-x64

10

1277233607...ba.exe

windows10-2004-x64

10

138ff2ce9b...de.exe

windows10-2004-x64

7

3a88637efb...d4.exe

windows10-2004-x64

8

5a4570005d...a4.exe

windows7-x64

3

5a4570005d...a4.exe

windows10-2004-x64

10

6ade7154c7...fb.exe

windows7-x64

3

6ade7154c7...fb.exe

windows10-2004-x64

10

8167afa496...61.exe

windows7-x64

3

8167afa496...61.exe

windows10-2004-x64

10

86a6beb680...62.exe

windows10-2004-x64

10

8bd2da3bdd...7e.exe

windows10-2004-x64

10

9b9cb00d14...04.exe

windows10-2004-x64

10

9e375a6be4...d0.exe

windows7-x64

3

9e375a6be4...d0.exe

windows10-2004-x64

10

a228d77265...ea.exe

windows7-x64

3

a228d77265...ea.exe

windows10-2004-x64

10

b565c9e6f0...8a.exe

windows7-x64

3

b565c9e6f0...8a.exe

windows10-2004-x64

10

dffc83be30...0a.exe

windows10-2004-x64

10

ebff69daab...05.exe

windows10-2004-x64

10

ee1d385890...f3.exe

windows7-x64

3

ee1d385890...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe

  • Size

    479KB

  • MD5

    869d623180dff73397b5f34058e106f2

  • SHA1

    1af73065d328029ee3d82ddd8f625ad3a9d9bcff

  • SHA256

    9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04

  • SHA512

    bc8a1c93dea8662be47d3737435605efca351a80803e3b41f71da9914153eb0c320d572085e1b2671875951c3311634beae8002e984c1a69f7e98a7258c90498

  • SSDEEP

    12288:NMrLy90WwlKPPzKp3NwVDYy0GqUI6TJ60b:Cy0eLqNwVDYBG7IuN

Score
10/10
redlinedimasevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe
    "C:\Users\Admin\AppData\Local\Temp\9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe
        3⤵
        • Executes dropped EXE
        PID:1872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8339271.exe
    Filesize

    307KB

    MD5

    a28b1e892c10ba5e054b20faf5519263

    SHA1

    d9988318cdfbb97edaa2712790cc35f3181ff7b4

    SHA256

    8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e

    SHA512

    fe5ef2074e8f98a066568c6ecd35bae22a556c41f5546820b1e078c0e1fe5458b15e422b9cc4c8459d307e50a0c28b9256c497f47a9fdf5e6aa6de2496c5f3e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3532406.exe
    Filesize

    185KB

    MD5

    3e630811e041742e84b8ea3e59c277d1

    SHA1

    8a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1

    SHA256

    960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b

    SHA512

    8d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8874809.exe
    Filesize

    145KB

    MD5

    8cbdb1bc227685c0b07cf0022188ca55

    SHA1

    db385aabb4a08bcabfcaba8606eb4ea20ab61609

    SHA256

    4d916a161e438b629309131ba9510f57158456d5484925161561089db28b227d

    SHA512

    3960c636f656a7e731d0215a9959adc9bad017cf9fe1b0a208da70155a694544a64744d7724ba534ac0fcd0b7208a99adde90b195fdde2ef19710258f95a47ea

    Download Submit
  • memory/1872-60-0x0000000005910000-0x000000000595C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1872-59-0x0000000005790000-0x00000000057CC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1872-58-0x0000000005730000-0x0000000005742000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1872-57-0x0000000005800000-0x000000000590A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1872-56-0x0000000005CA0000-0x00000000062B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1872-55-0x0000000000D30000-0x0000000000D5A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2648-41-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-33-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-27-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-49-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-47-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-46-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-43-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-21-0x0000000074000000-0x00000000747B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2648-39-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-37-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-35-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-23-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-31-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-29-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-25-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-22-0x0000000004F60000-0x0000000004F77000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2648-51-0x0000000074000000-0x00000000747B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2648-20-0x00000000050A0000-0x0000000005132000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2648-19-0x0000000074000000-0x00000000747B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2648-17-0x0000000074000000-0x00000000747B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2648-18-0x0000000004F60000-0x0000000004F7C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2648-16-0x0000000004970000-0x0000000004F14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2648-15-0x00000000020C0000-0x00000000020DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2648-14-0x000000007400E000-0x000000007400F000-memory.dmp
    Filesize

    4KB

    Download