Overview

overview

10

Static

static

3

a7c0f19721...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7c0f197214dae7c70095bda45ed3ec54c40cfa7f7026084318d14426f72880a.exe

  • Size

    642KB

  • MD5

    ec295c3f47a4605dc55b9dbf2e8e81bb

  • SHA1

    87ca6686af19ab2ec8c0b3ac9ec4d2b2989842d1

  • SHA256

    a7c0f197214dae7c70095bda45ed3ec54c40cfa7f7026084318d14426f72880a

  • SHA512

    9e40114850ac95abd3ea8333fd5668d9e8383557bf524e4fb8dff3d0f5e97fe3bd074bd4461339534358ecab1889587e3ab41ea9509d3503667d43a8607888c8

  • SSDEEP

    12288:LMrVy90xCe0bduMxZ1byiHCgVB3zxhYnuR88HpvmwDsz8WOJu5pxhN2DJ:OySkLbyWC89+48MsiC5pxz2DJ

Score
10/10
redlinedarmdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7c0f197214dae7c70095bda45ed3ec54c40cfa7f7026084318d14426f72880a.exe
    "C:\Users\Admin\AppData\Local\Temp\a7c0f197214dae7c70095bda45ed3ec54c40cfa7f7026084318d14426f72880a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0269060.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0269060.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3012789.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3012789.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0269060.exe
    Filesize

    383KB

    MD5

    10ad02aa3e4a740c5f96429d1dc731ab

    SHA1

    e2a6a0a6755c728716ee4c86b28c5a18c7ae69ed

    SHA256

    69737e6666e5e974cf85764e0eceddc2d6bfc73c769a5973b3e9316d41a1c6bd

    SHA512

    4d999b454cf8816e3b66a4174354d9acf62cfb1ca70bf6a382e495cdef30a77eff4f893e8d36ac383902b28a2dfb87d37f926bbb2d8772b020b5e3edc3d9e679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3012789.exe
    Filesize

    168KB

    MD5

    d6a163465f8a46acc11e0a950ff5dd41

    SHA1

    5e01f9e662bc4c75a56fb959296f3ecaf468bb44

    SHA256

    46680c82702662e3b0eb9e012838247eec39e9cbdaf0e584236b1c2cb2aad3e9

    SHA512

    bbf9c0f2b9972e96ed9fd85cf330a2eb90a2ba143d65792996a7fec97ecaf8a3c7b042fde3fba5a88a5ac8a6afdd89cbb1d71e97427e60fe46bd23c3f153f246

    Download Submit

  • memory/3824-14-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3824-15-0x0000000000950000-0x0000000000980000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3824-16-0x0000000005270000-0x0000000005276000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3824-17-0x0000000005A10000-0x0000000006028000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3824-18-0x0000000005500000-0x000000000560A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3824-19-0x0000000005410000-0x0000000005422000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3824-20-0x0000000005470000-0x00000000054AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3824-21-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-22-0x0000000005610000-0x000000000565C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3824-23-0x0000000073C1E000-0x0000000073C1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3824-24-0x0000000073C10000-0x00000000743C0000-memory.dmp

    Filesize

    7.7MB

    Download