Overview

overview

10

Static

static

3

7d863f745a...eN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d863f745aff8be47f59a02b0ee35cb04df9f0712c5166ec4a63bc536d22838eN.exe

  • Size

    431KB

  • MD5

    4c8e4b5bcd17a67b5ecc83990f26df06

  • SHA1

    3598069bbb31d06951a4bdac6f254a6d895b5ace

  • SHA256

    a0d930d236945df6c9f9a824ca649d4d8b615589a93d7ca54d3deec9e749876b

  • SHA512

    7075188d4d2119d5fb3efa5f530454030ed207f2bf498af6d7e68c1d28da3efded059f3f5fadce29fd647d932d504885f9fb9aed8f3c0c4225641d8bb0e0d771

  • SSDEEP

    6144:K3y+bnr+op0yN90QE2ooBH8o9+vzM8Fc5Nx61gyyQ2RolKBKODeL4eek:ZMrYy90Dvn1gyyQWqUKkeek

Score
10/10
redlineramondiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

193.233.20.23:4123

Attributes
  • auth_value

    3197576965d9513f115338c233015b40

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d863f745aff8be47f59a02b0ee35cb04df9f0712c5166ec4a63bc536d22838eN.exe
    "C:\Users\Admin\AppData\Local\Temp\7d863f745aff8be47f59a02b0ee35cb04df9f0712c5166ec4a63bc536d22838eN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wQx39Fp17.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wQx39Fp17.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3000

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 193.233.20.23:4123
    wQx39Fp17.exe
    260 B
     5
  • 193.233.20.23:4123
    wQx39Fp17.exe
    260 B
     5
  • 193.233.20.23:4123
    wQx39Fp17.exe
    260 B
     5
  • 193.233.20.23:4123
    wQx39Fp17.exe
    260 B
     5
  • 193.233.20.23:4123
    wQx39Fp17.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    72.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    72.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
     160 B
     1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wQx39Fp17.exe
    Filesize

    309KB

    MD5

    441b17f0487dc36149c75db8de221900

    SHA1

    f68e92e22ac01b119249d5f77f8e020a09826bac

    SHA256

    9b8322af3ba338f9cac9629dbe0d34397201fda416e9819966b7f2ac75ee9f01

    SHA512

    0918633dfb67fb15521da7f01e7072dd4c27339d757849bf81e3f3c04b928cbc7bea3ad875fda9a085618fbd1189e891085c07c1e5ef98a6abddc30a7be6dadf

    Download Submit

  • memory/3000-10-0x0000000000400000-0x0000000000594000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3000-9-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3000-8-0x0000000000840000-0x0000000000940000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3000-11-0x0000000000400000-0x0000000000594000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3000-12-0x00000000024A0000-0x00000000024E6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3000-13-0x0000000004BD0000-0x0000000005174000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3000-14-0x0000000005180000-0x00000000051C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3000-76-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-78-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-74-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-72-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-70-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-68-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-66-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-64-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-62-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-60-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-58-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-56-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-52-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-50-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-48-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-46-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-45-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-42-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-40-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-38-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-36-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-34-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-32-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-28-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-26-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-24-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-22-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-20-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-18-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-54-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-30-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-16-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-15-0x0000000005180000-0x00000000051BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3000-921-0x00000000051D0000-0x00000000057E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3000-922-0x0000000005870000-0x000000000597A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3000-923-0x00000000059B0000-0x00000000059C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3000-924-0x00000000059D0000-0x0000000005A0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3000-925-0x0000000005B20000-0x0000000005B6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3000-926-0x0000000000840000-0x0000000000940000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3000-927-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.