Overview

overview

10

Static

static

3

005cc897c6...01.exe

windows7-x64

3

005cc897c6...01.exe

windows10-2004-x64

10

0f5dadb4ff...d5.exe

windows10-2004-x64

10

15191ca573...45.exe

windows10-2004-x64

10

1f1cdd32ef...a5.exe

windows7-x64

3

1f1cdd32ef...a5.exe

windows10-2004-x64

10

33277efd72...bf.exe

windows7-x64

3

33277efd72...bf.exe

windows10-2004-x64

10

39b1b5acca...89.exe

windows10-2004-x64

10

41914bb3aa...45.exe

windows10-2004-x64

10

4dc93952d5...05.exe

windows10-2004-x64

10

636c6831e9...2d.exe

windows10-2004-x64

10

6371475aa9...ca.exe

windows10-2004-x64

10

6d98d2425a...11.exe

windows7-x64

3

6d98d2425a...11.exe

windows10-2004-x64

10

7d59382353...89.exe

windows7-x64

3

7d59382353...89.exe

windows10-2004-x64

10

7e9155d192...9c.exe

windows10-2004-x64

10

817be3f5a4...87.exe

windows10-2004-x64

10

84d690a678...8a.exe

windows10-2004-x64

10

8a833f1e2a...9a.exe

windows10-2004-x64

10

a6207c613c...04.exe

windows7-x64

3

a6207c613c...04.exe

windows10-2004-x64

10

b843b5d179...78.exe

windows10-2004-x64

10

bc0a361a97...2b.exe

windows10-2004-x64

10

ccede3ed34...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33277efd72a246f701b9c69dc414ee0ebab7e3cb5f576fa767dd942f09ac2dbf.exe

  • Size

    273KB

  • MD5

    c296de24cfb32f1d09275c9b40927968

  • SHA1

    f6c706e5385f58f9c2d7a4d985939fba186cd516

  • SHA256

    33277efd72a246f701b9c69dc414ee0ebab7e3cb5f576fa767dd942f09ac2dbf

  • SHA512

    5ac2fb1b8ce388eb499bd5044e724a4e85eae9bad3fdb93c7442caf6741544e7a6c00c7b89902e2b899e0d8f9e2c5fbb099a651085bfad7ab7716fc28291497b

  • SSDEEP

    6144:K3LM7xuP5m0WGhvTd8AvI9S3XXv2o+T5Zsf1SKMZa6n:eM7xkPPvrv2o+T5ISK+Fn

Score
10/10
redline7001210066discoveryinfostealer

Malware Config

Extracted

Family

redline

Botnet

7001210066

C2

https://pastebin.com/raw/NgsUAPya

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33277efd72a246f701b9c69dc414ee0ebab7e3cb5f576fa767dd942f09ac2dbf.exe
    "C:\Users\Admin\AppData\Local\Temp\33277efd72a246f701b9c69dc414ee0ebab7e3cb5f576fa767dd942f09ac2dbf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
          PID:1780
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1776-6-0x0000000005D10000-0x0000000006328000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1776-8-0x0000000005860000-0x000000000596A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1776-13-0x00000000743B0000-0x0000000074B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1776-2-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1776-4-0x00000000743BE000-0x00000000743BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1776-5-0x0000000005180000-0x00000000051E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1776-12-0x00000000743BE000-0x00000000743BF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1776-11-0x0000000006570000-0x00000000065BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1776-10-0x0000000006530000-0x000000000656C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1776-9-0x00000000743B0000-0x0000000074B60000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1776-7-0x0000000005730000-0x0000000005742000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4616-0-0x0000000001310000-0x0000000001311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4616-1-0x0000000001310000-0x0000000001311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4616-3-0x0000000001310000-0x0000000001311000-memory.dmp

        Filesize

        4KB

        Download