Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 00:21

General

  • Target
    8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe
  • Size
    507KB
  • MD5
    7162ec3a578b9f26be3d3cb8254d802c
  • SHA1
    27ead8d8d80fb52ce4cf47af3fcb26738b57b976
  • SHA256
    8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75
  • SHA512
    3b1b0fcbfcd1160b3356c8e3e67847e6b3a091745984ef5933f7b38bd554f58e63583ac7694aa6ca6fe2490029c53e4c3ad6e8ab5ea7a98df64d5b5daec82ee4
  • SSDEEP
    12288:FlIy900UbnirQrWWuu0byZ0lqdXpUVW28:oy0zh0WrqUd

Malware Config

Extracted

  • Family
    redline
  • Botnet
    drake
  • C2
    83.97.73.131:19071
  • Attributes
    auth_value: 74ce6ffe4025a2e4027fb727915e7d7c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Detects executables packed with ConfuserEx Mod 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe
    "C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe
        3⤵
        • Executes dropped EXE
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
    Filesize: 436KB
    MD5: 57e96ebc3cc98f77feacc020065c546e
    SHA1: 05a6a299c4030ae6d09602b2e3ff1f49ac4f6867
    SHA256: 8161b65c2497f2ed46c15884e5b06c2d87513294c4a1602a9a582aa16cf1f06f
    SHA512: c0e87def74a40b6e4980282da47adb23319a338cc577f6e1428a87079b5a88a254c58c2e32039505b12482002fb263a46506a65115a7b3a3e83656177522e084

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe
    Filesize: 1.3MB
    MD5: cc785bb007bed97870e64d2452e67592
    SHA1: c6f53caa6f87f72acca4c17bfd66e84610d3458b
    SHA256: ccdde049dae409075c3b116cbcc7277c1bd155b979b91e64491ab2cb616490e4
    SHA512: 1c69f6ff73c52cae6713d4eaf1e8818f8bc3eff6de3b0ed3aa539d64518efae26978b75139043e5212bb86a08eaa400882aa1f09d38589e53714e72a63ad2c6b

  • memory/2872-14-0x0000000000401000-0x0000000000403000-memory.dmp
    Filesize: 8KB
  • memory/2872-15-0x0000000000750000-0x0000000000780000-memory.dmp
    Filesize: 192KB
  • memory/2872-19-0x0000000000400000-0x0000000000550000-memory.dmp
    Filesize: 1.3MB
  • memory/2872-20-0x0000000002610000-0x0000000002616000-memory.dmp
    Filesize: 24KB
  • memory/2872-21-0x0000000004C10000-0x0000000005228000-memory.dmp
    Filesize: 6.1MB
  • memory/2872-22-0x0000000005230000-0x000000000533A000-memory.dmp
    Filesize: 1.0MB
  • memory/2872-23-0x0000000004BE0000-0x0000000004BF2000-memory.dmp
    Filesize: 72KB
  • memory/2872-24-0x0000000005340000-0x000000000537C000-memory.dmp
    Filesize: 240KB
  • memory/2872-25-0x00000000053E0000-0x000000000542C000-memory.dmp
    Filesize: 304KB