Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/08/2024, 22:30 UTC

General

  • Target

    040577076cade266c03b6839658804c259d4e29b17f0cd7012b6aec03535c30a.exe

  • Size

    313KB

  • MD5

    6c7b2cee060867f844491ec8f5bb4825

  • SHA1

    bb810a76eeea74519e2924196120996dc8845a23

  • SHA256

    040577076cade266c03b6839658804c259d4e29b17f0cd7012b6aec03535c30a

  • SHA512

    03821503927641560e7781bb83452276443942b8ff6c364ff2a5069381a65688e574c256cf071c6d38f4cf355c11f846d27aaed201135c1b3b7756d129a9e250

  • SSDEEP

    6144:xhRyVgzj8gv/iK67WgO6hQdv1UTVFo8s/fvi4WTqILU0hLW+8vYKOPryBC:Fvj8gv/+Wp/dtjP/3i4W/LU0hFnKOPGg

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

147.45.47.36:14537

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\040577076cade266c03b6839658804c259d4e29b17f0cd7012b6aec03535c30a.exe
    "C:\Users\Admin\AppData\Local\Temp\040577076cade266c03b6839658804c259d4e29b17f0cd7012b6aec03535c30a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708

Network

  • 147.45.47.36:14537
    RegAsm.exe
    460.9kB
    14.8kB
    360
    149

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tmp907E.tmp

    Filesize

    2KB

    MD5

    1420d30f964eac2c85b2ccfe968eebce

    SHA1

    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

    SHA256

    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

    SHA512

    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

  • memory/1708-3-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-11-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-14-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-9-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1708-6-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-5-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/1708-4-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2432-0-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

  • memory/2432-1-0x0000000000DF0000-0x0000000000E44000-memory.dmp

    Filesize

    336KB

  • memory/2432-15-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB
