Overview

overview

10

Static

static

3

e2cb840743...1e.exe

windows7-x64

10

e2cb840743...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2cb8407436a5a2ed6f1220df5805900cf1df475eb9493a81508e61748144e1e.exe

  • Size

    244KB

  • MD5

    7b41368bae47e4e02a054fad1155da9b

  • SHA1

    210cb9b322dc316f25b1c614af26174eb7dceda1

  • SHA256

    e2cb8407436a5a2ed6f1220df5805900cf1df475eb9493a81508e61748144e1e

  • SHA512

    525c76bd414657480f7f543326c13d7c84149cb8f172d10039de3ce66751cb1afc04b7d5b374b917405401f54883e594cb52e29f34a521debdfb959a71eded6f

  • SSDEEP

    6144:PUmnhkRWlYBmwedJWh3FO9F9JCm7Xyn2APRNXyJ0yiwMREUxL0w4bJsEy:LnhkRWvWh3FO9F9JCm7Xyn2APbXymwM5

Score
10/10
redlinegoogle2discoveryinfostealer

Malware Config

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes
  • auth_value

    fb274d9691235ba015830da570a13578

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2cb8407436a5a2ed6f1220df5805900cf1df475eb9493a81508e61748144e1e.exe
    "C:\Users\Admin\AppData\Local\Temp\e2cb8407436a5a2ed6f1220df5805900cf1df475eb9493a81508e61748144e1e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 252
      2⤵
      • Program crash
      PID:1364
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5028 -ip 5028
    1⤵
      PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3768-2-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3768-6-0x0000000000680000-0x0000000000903000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/3768-7-0x0000000005F80000-0x0000000006598000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3768-8-0x0000000007910000-0x0000000007A1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3768-9-0x0000000007850000-0x0000000007862000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3768-10-0x00000000078B0000-0x00000000078EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3768-11-0x0000000008320000-0x000000000836C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5028-0-0x00000000008EC000-0x00000000008EE000-memory.dmp

      Filesize

      8KB

      Download