Overview

overview

10

Static

static

3

db89fd6e0e...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db89fd6e0e2e944b540d2e90a1350012eae56501531b401347e31358921a6fdf.exe

  • Size

    587KB

  • MD5

    f3c3c20f46f7a98b3608f8aa407bb3a4

  • SHA1

    ceff944e8ae34dd49172c24eac5a795a979080f2

  • SHA256

    db89fd6e0e2e944b540d2e90a1350012eae56501531b401347e31358921a6fdf

  • SHA512

    1f529865f162c16e47d7cf18fb213723cf622f12c85bb247857326839467b60e4f91a2d06e0b0a4c20b05cc077eeed914f0d1249e3c843620d864967593fbc3d

  • SSDEEP

    12288:8MrMy90eM2iNCHSrTl1CWGe4pnputqoG2OQXwr+Ki2x:oyZMF3TljGe4pn9oG2Cr5iK

Score
10/10
redlinedarisdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db89fd6e0e2e944b540d2e90a1350012eae56501531b401347e31358921a6fdf.exe
    "C:\Users\Admin\AppData\Local\Temp\db89fd6e0e2e944b540d2e90a1350012eae56501531b401347e31358921a6fdf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9266430.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9266430.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3017854.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3017854.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9266430.exe
    Filesize

    416KB

    MD5

    dd46480c9af78444ec8278d36194d3bf

    SHA1

    6f0f1148e7669158ce12ffe84746a064b95d1b1e

    SHA256

    c37f14237bbeaf9e7aeff23959abf87a3aae8aeaafd2901b63fb619ccc0a183c

    SHA512

    62dc060360057565ff5d6ab353ea652f1068e02ef49d66401323a2e403c7f22ec43271276076089881eb0eecb6556ed661ca5d8fc22fdf4f1d3bef9c16e13566

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3017854.exe
    Filesize

    168KB

    MD5

    67fc85272ffaf67c28b2544ecba404a8

    SHA1

    d4345d7a66c0cb2a9f0a14e99efeb0c66bb8091a

    SHA256

    ecba127d193bcdc022602eab7c7c231d70c8228556125d10cd2e050523ec13c9

    SHA512

    8eb9d103682c1a4e7c25659976d0c6bc649e49755fc46f08e7c98a4c63c7ecc90d51a206a9933b4d5ef5f908e6acfeb40a6d29ebd9aac58b707375ac2c9c8551

    Download Submit

  • memory/1252-14-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1252-15-0x0000000000E60000-0x0000000000E8E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1252-16-0x0000000001650000-0x0000000001656000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1252-17-0x000000000B180000-0x000000000B798000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1252-18-0x000000000ACD0000-0x000000000ADDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1252-19-0x000000000AC00000-0x000000000AC12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1252-20-0x000000000AC60000-0x000000000AC9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1252-21-0x0000000073C40000-0x00000000743F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1252-22-0x00000000051C0000-0x000000000520C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1252-23-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1252-24-0x0000000073C40000-0x00000000743F0000-memory.dmp

    Filesize

    7.7MB

    Download