Overview

overview

10

Static

static

10

f78477275d...58.exe

windows7-x64

10

f78477275d...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe

  • Size

    488KB

  • MD5

    4c596d32f75e3a84e48c36e8fc8025fd

  • SHA1

    6a03c9d53e10c752b66b677e528fbcd1a70a6d0c

  • SHA256

    f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858

  • SHA512

    0b159fe0b1766c27c89f65069fb3d33a59b3fc3efd7519629497df3ec07eda1b938819a2b0faa6cf2c305a736c3c93d409d42901c744644e11867a06bd7796c2

  • SSDEEP

    6144:k9Cq6V1jfMRWYYIveLu6SE8jvx09SJTs7ci4aMC7WGS3swOco36deigavwVfe5K0:fV1DopYIe1SE8juQOf4RCw3dJTxuuB

Score
10/10
neshtaredlineworld10discoveryinfostealerpersistencespywarestealer

Malware Config

Extracted

Family

redline

Botnet

world10

C2

jamesmillion.xyz:15772

Attributes
  • auth_value

    a74a2e49cd85c6f93cb4e7fc8691721c

Signatures

  • Detect Neshta payload 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    "C:\Users\Admin\AppData\Local\Temp\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\f78477275d79d0eead0b62d3355df9be273518c54eeac3719a97823365cee858.exe
    Filesize

    448KB

    MD5

    0ac0c1ea046c89a6cc91855a4ce4df71

    SHA1

    16d53ce774b365a409fd959eb80e6367ccb34a3f

    SHA256

    388092169b96794dec2d6a0bcff4c60dfad79fdf5d49282cfe7bf6a6b59d75c0

    SHA512

    19a46366a3653f45e3e770259850601dd8fe618d009170944fbf23bf7375f3e840f81fa8ef5cfe8fef4de12879fdff6dd99f42cf2357dc97e50b74ae667d7716

    Download Submit

  • memory/3952-110-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-896-0x00000000058A0000-0x00000000058B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3952-27-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3952-30-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/3952-42-0x0000000002680000-0x00000000026CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3952-62-0x0000000004BC0000-0x0000000005164000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3952-66-0x00000000051B0000-0x00000000051FA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3952-122-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-140-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-138-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-136-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-134-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-132-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-131-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-128-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-126-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-124-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-120-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-118-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-116-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-114-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-112-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-900-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3952-28-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/3952-98-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-102-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-100-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-106-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-96-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-94-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-92-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-88-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-86-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-84-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-82-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-80-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-78-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-77-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-104-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-90-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-895-0x0000000005200000-0x0000000005818000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3952-108-0x00000000051B0000-0x00000000051F5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/3952-897-0x00000000058C0000-0x00000000059CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3952-898-0x00000000059D0000-0x0000000005A0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3952-899-0x0000000005A60000-0x0000000005AAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3952-29-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

    Download

  • memory/3952-902-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download