Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-10-2024 16:13
General
-
Target
G K M 9 5.rar
-
Size
9.6MB
-
MD5
39eaf06aff90c74b0fb6b2d98c939f6f
-
SHA1
48af9760de8234c93d7f7b2af5d429950ece6190
-
SHA256
314166f9dde25b13c5cca86e65a67b26dbae5dcf17dccf7c5a5eb21d3ff76316
-
SHA512
69aabefdf3438a004b49ee0ec04571d072e7e2df93b1925e997e25d8cc25c02fa960d025bf1cdcddf428437835f6a75f8d50c7dc5420ea61a7571bfbd628696c
-
SSDEEP
196608:+9D+lduWOcYQXeOVzkB9ASy6rSniS6SAxAm4y5G/VqMpb7LS8D8nY:+AEctXvVzkB9xyESQhfPw/wY
Malware Config
Extracted
redline
185.196.9.26:6302
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\G K M 9 5.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO0D6D1AA7\GTA 5 Mod Menu.exe"C:\Users\Admin\AppData\Local\Temp\7zO0D6D1AA7\GTA 5 Mod Menu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
312KB
MD546796db8acd3ff52d5daa757a0acc12d
SHA1090afe3863790f1e8d9420309538aa5fa846b29d
SHA256b38f4158c414aace2b77f2743822d2b05b1b456f4b339192c48804fdae25a184
SHA5125b3647b1f2963177513f5a336563e3a8563fe4e6d1c8e00ad4e554f298fca03c200f99a384b24672daed897bed9eef15442dd99afacd5e9992dd27d053f151bb
-
Filesize
572KB
MD51a3e6dcd6b446b86f6cc2c11efe0bf35
SHA139d1b7a080d0d8149b68ac7a459a7b8d512204cd
SHA256d64e6e381b5341fd164b2bd8435dce7db1f622ea947242e96ba5696eb0095b5b
SHA512769982e0c23aecd622c6efd77773c8836325fe3a71e9e8cc33cc956e4ae23811f1a82d8dc7406a3fc3405b83656fba670334297f3414d0f708d8438d85112814
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
328KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
388KB
-
Filesize
1.0MB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
320KB