Overview

overview

10

Static

static

3

b5e7eebe80...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5e7eebe80e0f986a50e3a63872d5abb0338a1d08e3bd0ceea7c252dc4384ea2.exe

  • Size

    770KB

  • MD5

    201a26f05697f3523efd6d871b65601d

  • SHA1

    c2e289166082fda4ca780fdcffbf7e6dcb169cd8

  • SHA256

    b5e7eebe80e0f986a50e3a63872d5abb0338a1d08e3bd0ceea7c252dc4384ea2

  • SHA512

    d694e6d10f3354781230766fa0d081dd954981c95b6b31afef9b6c11b1f4b3d46b72203bb91ba7d4c4e3a99d49ffdb3cc2aacd98df9cca49cc08d0f42be365bd

  • SSDEEP

    12288:HMrMy90E+mezIh3d52auzb3yWnpPaiqWINSTRJLbgzA:nyB/e+eamby0CiSNSTx

Score
10/10
redlinemixadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5e7eebe80e0f986a50e3a63872d5abb0338a1d08e3bd0ceea7c252dc4384ea2.exe
    "C:\Users\Admin\AppData\Local\Temp\b5e7eebe80e0f986a50e3a63872d5abb0338a1d08e3bd0ceea7c252dc4384ea2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3008565.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3008565.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8997710.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8997710.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6909561.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6909561.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3884
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7156476.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7156476.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3008565.exe
    Filesize

    488KB

    MD5

    3461e2e9bf9c457784d8bb2fcaf83cba

    SHA1

    96be99545a2f5e80bf218e63bf2dbb764be4b48a

    SHA256

    2fccde63155d6871d900cb7db09a2d2ddb328177e80ed7ef93ed49cc6e788172

    SHA512

    8bba6d7848f9b15dbdf17d5dc00039dddbc9d9078b018bb6dff9ff65d0079cc37c4c37ca3cb0d69321e79205056609776eb03f28747d35d6c6c7d18ad60997b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8997710.exe
    Filesize

    316KB

    MD5

    5f7104c2daf21a5d38c78caabb67a961

    SHA1

    71b971df5521e73693e2f1511a143cf6f7ba38dc

    SHA256

    9a6aca66926812cdffc6ef9e26162aa55e356341c2e8a762adfe0f0b7451d260

    SHA512

    6c18d0edb32a94f73bbd3c137c6df7112f942b5ae8add0cb0ff26dbf8916c9b8e30a6128f5b691cee5a4bbd001cdbee9a1de7f9f72b6625585ff184ab0ce6e17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6909561.exe
    Filesize

    184KB

    MD5

    d4c640fb500618ad6c9fc5fe7d3e784d

    SHA1

    850df0880e1685ce709b44afbbb365cab4f0fec4

    SHA256

    a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

    SHA512

    a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7156476.exe
    Filesize

    168KB

    MD5

    b78bd4049c09ad47d4c53611c3baac4f

    SHA1

    f6abd37dce2fec4f25ffd6ce0ad12c8db4d8fbb3

    SHA256

    eb2ffb839b323a1ac2b735fddd388eb6eb6423bdbd82831c193a5fdaaea691d9

    SHA512

    a9c1636ba94f2952e7114505cb210130bb44f08d4bf6679d7ff88e4ebb137272338c38f5f2d1b9e7bc300d201bfb8927004700b5f3b6d4432470a0dc9d072961

    Download Submit

  • memory/2320-62-0x0000000005770000-0x00000000057BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2320-61-0x0000000005720000-0x000000000575C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2320-60-0x00000000056C0000-0x00000000056D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2320-59-0x00000000057D0000-0x00000000058DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2320-58-0x0000000005CE0000-0x00000000062F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2320-57-0x0000000002DE0000-0x0000000002DE6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2320-56-0x0000000000C00000-0x0000000000C2E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3884-47-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-24-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-37-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-35-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-33-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-31-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-29-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-25-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-51-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-27-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-39-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-41-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-43-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-45-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-49-0x0000000004990000-0x00000000049A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3884-23-0x0000000004990000-0x00000000049AC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3884-22-0x00000000049E0000-0x0000000004F84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3884-21-0x0000000000870000-0x000000000088E000-memory.dmp

    Filesize

    120KB

    Download