Overview

overview

10

Static

static

3

e43c161ce3...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e43c161ce3fca02aacc3de6553fbac800ceceb3e4c5ec09224db0c419bc36ad2.exe

  • Size

    1.1MB

  • MD5

    c31e9349b22897713ed5711d3c86ca8a

  • SHA1

    1f60d3f0b63b09fcf809a8d7d83a9017bc2eb80d

  • SHA256

    e43c161ce3fca02aacc3de6553fbac800ceceb3e4c5ec09224db0c419bc36ad2

  • SHA512

    bf6c3ca40b470fcff31fb8a181fbdcfc5039256456ab3d095c20e35ab831ef358034e42cf99e3428ce53e32966e0619de720c5517e72e31ec57ad41b95bd80b2

  • SSDEEP

    24576:/yeWwFPH27hiEMVo3RQiN3FyvmQ/l+bFvl/HeyynJatTa8V:KRwFHEMVoBh17QyHeyka9a

Score
10/10
redlinemastadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masta

C2

185.161.248.75:4132

Attributes
  • auth_value

    57f23b6b74d0f680c5a0c8ac9f52bd75

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e43c161ce3fca02aacc3de6553fbac800ceceb3e4c5ec09224db0c419bc36ad2.exe
    "C:\Users\Admin\AppData\Local\Temp\e43c161ce3fca02aacc3de6553fbac800ceceb3e4c5ec09224db0c419bc36ad2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1797132.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1797132.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4620032.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4620032.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6667213.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6667213.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1040187.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1040187.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1797132.exe
    Filesize

    750KB

    MD5

    1cc93bc35c1cb83b81c1c3f66105b73b

    SHA1

    f193e42cba1e44eb7453579ed5374ec0ea13a364

    SHA256

    9f704df2d090f38379eea2ab6709ee680aad4cb8e58b74a4ebef26c11ac70814

    SHA512

    036ef20c98d6500228ac202b6d8c333b594739efc2e1704433624cff11db11761126d222b9204f4711e02283c0c9cdb3d4c2f1ae5fa5e56cbeccdeb5646e2338

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4620032.exe
    Filesize

    305KB

    MD5

    f44b15db3b3010e06df00a2be29458cb

    SHA1

    a985df4a5aa2824732bdc615cc856eadda7fa882

    SHA256

    2adcbf7d02fb4997339d916c7d468c1b3807ce12125ce8240710592b8f535cf6

    SHA512

    19cde18ce7d5b50f21bbe33331e0cc097704f4bdf9013b6dd175a2ee46f96c56b83a7eea721d09728f0b0cfd050760a56f4f7c4f1a9d5c7945b8e602f60169e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6667213.exe
    Filesize

    183KB

    MD5

    d18dd7e957d8eab39abe21eefd498331

    SHA1

    2d7b11252dbb1ed8cefff8d63d447b0f697a0060

    SHA256

    57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

    SHA512

    c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1040187.exe
    Filesize

    145KB

    MD5

    f549fc7dead5905b5ccf8898dd17773c

    SHA1

    38d70807ea6c27642126e93662c2daf173695982

    SHA256

    65861e8f54a2422e61d7db500b890db8d2c19d3abdd8e384e55c192e528bd474

    SHA512

    86ae977656fc2d37c96e4092e4f05f2046d6beb8c7c7af665136bd6aa073f397f2b73a4007a3563eec76dbf9a95d67fcf09c7275e76c426b5e722415d079df95

    Download Submit

  • memory/1092-47-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-29-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-49-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-22-0x0000000004A20000-0x0000000004FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1092-45-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-43-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-41-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-37-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-51-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-33-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-31-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-23-0x0000000004980000-0x000000000499C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1092-27-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-25-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-24-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-39-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-35-0x0000000004980000-0x0000000004996000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1092-21-0x00000000022B0000-0x00000000022CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5056-56-0x0000000000830000-0x000000000085A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/5056-57-0x0000000005770000-0x0000000005D88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5056-58-0x00000000052F0000-0x00000000053FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5056-59-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5056-60-0x0000000005280000-0x00000000052BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5056-61-0x0000000005400000-0x000000000544C000-memory.dmp

    Filesize

    304KB

    Download