Overview

overview

10

Static

static

3

ddd287cb13...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddd287cb1306522fae88c757401f166ed9b75850a4cf05b3f759ccb121d66fb1.exe

  • Size

    567KB

  • MD5

    1fae1af8eac0df5f8aaf220b812d0933

  • SHA1

    aff9e68930833d647693627029bfb7a6188c2577

  • SHA256

    ddd287cb1306522fae88c757401f166ed9b75850a4cf05b3f759ccb121d66fb1

  • SHA512

    08954efc58eb900b43ef0792bb3b6cc40521a9a4e0875ff566e61eacfa0d209e364bee9cd6c36459f460ab5d4533a7d780746147cb7a43be4c51efa78ffc8211

  • SSDEEP

    12288:0MrQy90uhyLqOXEJMKsvuafWjWtelPQ22CPj5kJFnDBM/7FBc2k+Jr:0y/yPXEJbs4jcpLnnNMgR+Jr

Score
10/10
redlinedarmdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddd287cb1306522fae88c757401f166ed9b75850a4cf05b3f759ccb121d66fb1.exe
    "C:\Users\Admin\AppData\Local\Temp\ddd287cb1306522fae88c757401f166ed9b75850a4cf05b3f759ccb121d66fb1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7352858.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7352858.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8108556.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8108556.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7352858.exe
    Filesize

    307KB

    MD5

    89cc8e5dd4b86cf66a5f3b4b9a175d82

    SHA1

    12ff097bfad990331c07084ffee309632661e05f

    SHA256

    d4ef44fb391e87a1146114767de55e2d49249ce07dcd9dd5e5d8d1d2c8d3905b

    SHA512

    eede72e88ba70738501524f7397a0f7cf68cae6d579957b5ab3f2374f19c6ba5699198b70ca1842827140ea88e985935e90f0f81c1309f453d1f6fa5a53dd9c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8108556.exe
    Filesize

    168KB

    MD5

    6ca0d3f259e46a9fd11dff86aa69c672

    SHA1

    c144eb3bf64db53ea692dfb4978e368b3e01654c

    SHA256

    10de925c939699459cd818c760f7581ae1ec9d7b07d1e0a20afadec61a852c8c

    SHA512

    73e1453997e495fddf803d3d9ffdf4f2fdd1bef19291c69ecbbb7b94d305fbceb95fba039e06f5930cc872d1e1423d78ccc77fa9214ad0a7b08f4622073641d3

    Download Submit

  • memory/2088-14-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2088-15-0x0000000000D00000-0x0000000000D30000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2088-16-0x0000000003140000-0x0000000003146000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2088-17-0x0000000005D80000-0x0000000006398000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2088-18-0x0000000005880000-0x000000000598A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2088-19-0x00000000057B0000-0x00000000057C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2088-20-0x0000000005810000-0x000000000584C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2088-21-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2088-22-0x0000000005990000-0x00000000059DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2088-23-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2088-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp

    Filesize

    7.7MB

    Download