Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 05:30

General

  • Target

    d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693.exe

  • Size

    332KB

  • MD5

    ce35bf4ea4182f8e3524a14e10e90972

  • SHA1

    c9a5c28fdbff5ad0a285291142abe592fe9e8688

  • SHA256

    d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693

  • SHA512

    fd454377a77f900510b2855e6e9954cc7648277404cdd85b8e85b1f2d8e0667e9aea261c660b8d88551d1cdd816bc77d8719edac10b63067aa75f1fc7ee38341

  • SSDEEP

    6144:U1Bwp/lwz9PI8/T6f5mUz7S3RMyghFbHDju9DPUgAOGsf+0Xp:UPjz9PI8/Tzeygzbjju9YgAd0Xp

Malware Config

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/KE5Mft0T

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693.exe
    "C:\Users\Admin\AppData\Local\Temp\d6c7041aa6a01fcdc7f6a9f60c8eaf8edcbcc73cb1802bc3623346b3b3219693.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/860-1-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/860-3-0x000000007431E000-0x000000007431F000-memory.dmp

    Filesize

    4KB

  • memory/860-4-0x0000000005320000-0x0000000005386000-memory.dmp

    Filesize

    408KB

  • memory/860-5-0x0000000005E70000-0x0000000006488000-memory.dmp

    Filesize

    6.1MB

  • memory/860-6-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

  • memory/860-7-0x0000000005A00000-0x0000000005B0A000-memory.dmp

    Filesize

    1.0MB

  • memory/860-8-0x0000000074310000-0x0000000074AC0000-memory.dmp

    Filesize

    7.7MB

  • memory/860-9-0x000000007431E000-0x000000007431F000-memory.dmp

    Filesize

    4KB

  • memory/860-10-0x0000000074310000-0x0000000074AC0000-memory.dmp

    Filesize

    7.7MB

  • memory/4836-0-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

  • memory/4836-2-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB