Overview

overview

10

Static

static

3

5869d1ffca...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5869d1ffcad9a127d859e7a75eb47413d105afba46c319beaa78dda4f0378625.exe

  • Size

    555KB

  • MD5

    70eb3e75824a645963fa68f14e8732a8

  • SHA1

    96ddccc5bba996c9f5fc7407ccd2e2ce44f4bccb

  • SHA256

    5869d1ffcad9a127d859e7a75eb47413d105afba46c319beaa78dda4f0378625

  • SHA512

    94d6e41dfdf25929dff526ea839bef99310ac50f05ebb6f616a07b605f0d448b07bbcb789cf28af4b7cb1cbb57fb590b0918dc15615ef6519bcf86b809263553

  • SSDEEP

    12288:lMrty90tZrkYqgvIxT+aYLzB+SG+bg+Px/XSk7arLXngc:Ayui5OIDYLzBHVgMCk7cp

Score
10/10
redlinedarmdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5869d1ffcad9a127d859e7a75eb47413d105afba46c319beaa78dda4f0378625.exe
    "C:\Users\Admin\AppData\Local\Temp\5869d1ffcad9a127d859e7a75eb47413d105afba46c319beaa78dda4f0378625.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6242626.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6242626.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9408090.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9408090.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6242626.exe
    Filesize

    383KB

    MD5

    934498cb7364346e18d305e1d3d1d36f

    SHA1

    dacb8ff3d6714287ad9270581b9602871c0566c5

    SHA256

    e075aa250bccaa9810f72b42c7851abb8e59948391e5659b31d0da0142a96541

    SHA512

    c3def509fcdb2723fb047eb11a5b81790e0ce4d90975994993456e0a16714f43721cdc5da2d78bb5be6ab298d3d5468e35bf2a0a32e9d9ea64b3a876efb02773

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9408090.exe
    Filesize

    168KB

    MD5

    8bf2cc7124dc0673cb89159455b89259

    SHA1

    90f7e2ef1502ca53efb993819f836f3b1a570ba2

    SHA256

    f65c0508b1d498cf5141538fcbb04da0ac6941cd8f8bb5d5260bc7ba729c2da6

    SHA512

    a174094dc60f85bec08a6f37233ca2f2ecc45397b1ba793b118ca28bb3e6551faabc03dd6ce5f0e02b9189616cd40ef3399f22f5f974b0d90ac427c849ec03dd

    Download Submit

  • memory/4468-14-0x000000007417E000-0x000000007417F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-15-0x00000000007B0000-0x00000000007E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4468-16-0x00000000029A0000-0x00000000029A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4468-17-0x0000000005750000-0x0000000005D68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4468-18-0x0000000005240000-0x000000000534A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4468-19-0x0000000005130000-0x0000000005142000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4468-20-0x0000000005190000-0x00000000051CC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4468-21-0x0000000074170000-0x0000000074920000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4468-22-0x00000000051E0000-0x000000000522C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4468-23-0x000000007417E000-0x000000007417F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4468-24-0x0000000074170000-0x0000000074920000-memory.dmp

    Filesize

    7.7MB

    Download