Overview

overview

10

Static

static

1

a986b94a31...cd.exe

windows7-x64

10

a986b94a31...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a986b94a31e310e278d84bfcf760d060554ddaf1635e66c3c12bf26585cb2fcd.exe

  • Size

    479KB

  • MD5

    c4ee44f541e85b4b25e2371a24d05688

  • SHA1

    d8a8d1364ff8708784974317f17d42f607f3ed64

  • SHA256

    a986b94a31e310e278d84bfcf760d060554ddaf1635e66c3c12bf26585cb2fcd

  • SHA512

    feb94c1a29343a51ccdae3b7e83f06824b7adfaddd8ef4ef8fc12205de96405a64e39bbd5b5f9614cdd0dd52e9d54be9a59b945142c321e086a1450d051bbf78

  • SSDEEP

    12288:Wglvla0ACnuZqHB33YE8Mn1zVC4vvBfgYIuJ9j9RIrPlEO:RACuOd3YE8MLZgzW9jfult

Score
10/10
redline@hitok4111discoveryinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

@hitok4111

C2

185.215.113.22:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a986b94a31e310e278d84bfcf760d060554ddaf1635e66c3c12bf26585cb2fcd.exe
    "C:\Users\Admin\AppData\Local\Temp\a986b94a31e310e278d84bfcf760d060554ddaf1635e66c3c12bf26585cb2fcd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 288
      2⤵
      • Program crash
      PID:3368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1572 -ip 1572
    1⤵
      PID:852
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
      1⤵
        PID:552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Tmp30DF.tmp
        Filesize

        2KB

        MD5

        1420d30f964eac2c85b2ccfe968eebce

        SHA1

        bdf9a6876578a3e38079c4f8cf5d6c79687ad750

        SHA256

        f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

        SHA512

        6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

        Download Submit

      • memory/1448-27-0x00000000075C0000-0x0000000007BD8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1448-29-0x00000000074D0000-0x00000000074E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1448-3-0x0000000005E10000-0x00000000063B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1448-4-0x0000000005860000-0x00000000058F2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1448-5-0x0000000005840000-0x000000000584A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1448-6-0x0000000074F90000-0x0000000075740000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1448-1-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/1448-23-0x0000000006540000-0x00000000065B6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1448-24-0x0000000006C30000-0x0000000006C4E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1448-30-0x0000000007530000-0x000000000756C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1448-2-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-28-0x0000000008E40000-0x0000000008F4A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1448-42-0x0000000074F90000-0x0000000075740000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1448-31-0x0000000007570000-0x00000000075BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1448-34-0x0000000009A60000-0x0000000009AC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1448-35-0x000000000A210000-0x000000000A3D2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1448-36-0x000000000A910000-0x000000000AE3C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1448-37-0x000000000A3E0000-0x000000000A430000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1448-38-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-39-0x0000000074F90000-0x0000000075740000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1448-40-0x0000000074F90000-0x0000000075740000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1572-0-0x0000000000F44000-0x0000000000F45000-memory.dmp

        Filesize

        4KB

        Download