Overview

overview

10

Static

static

3

8cc1ca7c41...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cc1ca7c41e396d1727a18477423b50e30534b74b36ede665d880aedc0e2fd5f.exe

  • Size

    567KB

  • MD5

    c3184b982d1bef5643c8e3e2e4b5e1cd

  • SHA1

    edc68b7ece39ce0449850c0e165619612a729c9c

  • SHA256

    8cc1ca7c41e396d1727a18477423b50e30534b74b36ede665d880aedc0e2fd5f

  • SHA512

    3418dcb8b144cde16328d4e40db30dc32f721209ca137eb45c801774eadb323fbdbce07ecf02bc4ab892a8bfbbb59581ed481cb07315251a49cd6b8598e8353b

  • SSDEEP

    12288:dMr8y9042ZNpX/+THJgNVSh9YRmFPmMIVyCac:5yLyF+DJ76R5j

Score
10/10
redlinedarmdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cc1ca7c41e396d1727a18477423b50e30534b74b36ede665d880aedc0e2fd5f.exe
    "C:\Users\Admin\AppData\Local\Temp\8cc1ca7c41e396d1727a18477423b50e30534b74b36ede665d880aedc0e2fd5f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3487846.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3487846.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788264.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788264.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3487846.exe
    Filesize

    307KB

    MD5

    1abc33a80111ffcaa09e549d42da9b1a

    SHA1

    9f4e62c72433a7c6383daab82b7b80c0f699b138

    SHA256

    002b6415620f2025a3df7f6538668e06f487267b6eca08b087ead6da428eac41

    SHA512

    5389ccffc6f187ca1452faab57293270f789746e505545749d970d6e2ebdecaa5f819e77303d1d0e4a13a450fed5c34dd2b210f430f64d3297dff33f77e21eac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8788264.exe
    Filesize

    168KB

    MD5

    c7cc39620d95fa796c6841847cadcd8a

    SHA1

    546f18b48455efcd9eb935e4981af1458b9a9781

    SHA256

    f4af7e23c9cbca6c5dc6c201e12a813da444f8487c978fc2bb5f2c8cf893162a

    SHA512

    fd64cd8271f99e909be4065d6fe12458d205aed6c0b4bcd2809f9bc442c6780ed0436218a09986e53bcbfd778c7e93fd59cfc35d310a8b530472344e9506fa73

    Download Submit

  • memory/3904-14-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-15-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3904-16-0x0000000002F70000-0x0000000002F76000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3904-17-0x000000000B010000-0x000000000B628000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3904-18-0x000000000AB10000-0x000000000AC1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3904-19-0x000000000AA40000-0x000000000AA52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3904-20-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3904-22-0x0000000002E30000-0x0000000002E7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3904-21-0x000000000AAA0000-0x000000000AADC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3904-23-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3904-24-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download