Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11/11/2024, 04:52

General

  • Target

    f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d.exe

  • Size

    567KB

  • MD5

    e462b360679a4f91fc3f980179facaa1

  • SHA1

    54cbcf297853c56f291de4cf62951dd3e8103ae1

  • SHA256

    f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d

  • SHA512

    54f9c178dcc1e4cad6c262aef57183d3c3a987939cd477c04d3d193a5af46916f86373880390ab4420e7ffa59acb8d83fb9b0ff1a4556f5ff3cd3b10db427c5b

  • SSDEEP

    12288:jMr+y90kBzSAPv+sHgODNoPbTIAQ5L/FLJ7K0U4Di:By7BzXPI7DTIB/FLJ7KN2i

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Redline family
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d.exe
    "C:\Users\Admin\AppData\Local\Temp\f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814500.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814500.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7543287.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7543287.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4432
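The process tree above is a two-level IExpress unpacking chain (IExpress self-extractors unpack into %TEMP%\IXPnnn.TMP and launch the inner binary from there), with the Run-key persistence attributed to the first two stages and the final stage carrying the RedLine configuration. The following is an added example, not sandbox output or code from this page: it turns the report's IoCs (the three SHA256 values, the C2 endpoint from the Malware Config section, and the IXP temp-directory chain) into a small detector run over constructed telemetry. The event schema, the explorer.exe parent of the sample, the Run value name "Updater", and the attribution of the C2 connection to PID 4432 are assumptions for the example; the report itself does not state them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# IoCs copied from this report.
C2_HOST, C2_PORT = "217.196.96.56", 4138
KNOWN_SHA256 = {
    "f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d": "submitted sample",
    "ece9e4ba7629dfba02c2078aa0161a0ed48cbfb4b717fed302952e52c30901f6": "IXP000.TMP\\y5814500.exe",
    "a88871435492bccdd742aa6f85d7cbd969aa7a6a26c2143e08aa0774801fd7ff": "IXP001.TMP\\k7543287.exe",
}

# IExpress packages unpack into %TEMP%\IXPnnn.TMP and run the inner binary from
# there; an .exe in such a directory whose parent also lives under %TEMP% is the
# nested chain seen in the process tree.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\.*\.exe$", re.IGNORECASE)
IXP_EXE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process", "registry" or "network" (assumed schema)
    pid: int
    image: str           # image path of the acting process
    parent_image: str = ""
    sha256: str = ""
    target: str = ""     # registry value path, or "host:port" for network


def evaluate(events):
    """Return a list of (pid, rule, detail) hits for the IoCs above."""
    hits = []
    for e in events:
        if e.kind == "process":
            if e.sha256.lower() in KNOWN_SHA256:
                hits.append((e.pid, "known_hash", KNOWN_SHA256[e.sha256.lower()]))
            if IXP_EXE.search(e.image) and TEMP_EXE.search(e.parent_image):
                hits.append((e.pid, "ixp_drop_chain", e.image))
        elif e.kind == "registry":
            # Persistence: a binary running out of %TEMP% writing a Run value.
            if RUN_KEY.search(e.target) and TEMP_EXE.search(e.image):
                hits.append((e.pid, "run_key_from_temp", e.target))
        elif e.kind == "network":
            host, sep, port = e.target.rpartition(":")
            if sep and host == C2_HOST and port.isdigit() and int(port) == C2_PORT:
                hits.append((e.pid, "redline_c2", e.target))
    return hits


def summarize(hits):
    """Collapse hits into {pid: sorted list of rule names}."""
    by_pid = defaultdict(set)
    for pid, rule, _ in hits:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d.exe"
STAGE1 = TEMP + r"\IXP000.TMP\y5814500.exe"
STAGE2 = TEMP + r"\IXP001.TMP\k7543287.exe"
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"  # assumed name

# Constructed telemetry modelled on the process tree in the report. The
# explorer.exe parent, the Run value name and the C2 connection from PID 4432
# are assumptions for this example, not facts from the report.
SAMPLE_EVENTS = [
    Event("process", 4960, SAMPLE, r"C:\Windows\explorer.exe",
          "f31d9030c5d189c69e04fdf53d1f930521dfda80cafd8467544da8f6a72bcb6d"),
    Event("registry", 4960, SAMPLE, target=RUN_VALUE),
    Event("process", 5060, STAGE1, SAMPLE,
          "ece9e4ba7629dfba02c2078aa0161a0ed48cbfb4b717fed302952e52c30901f6"),
    Event("registry", 5060, STAGE1, target=RUN_VALUE),
    Event("process", 4432, STAGE2, STAGE1,
          "a88871435492bccdd742aa6f85d7cbd969aa7a6a26c2143e08aa0774801fd7ff"),
    Event("network", 4432, STAGE2, target="217.196.96.56:4138"),
    # Benign noise that must not fire.
    Event("process", 1234, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "00" * 32),
    Event("network", 1234, r"C:\Windows\System32\notepad.exe", target="10.0.0.5:443"),
]

if __name__ == "__main__":
    for pid, rules in sorted(summarize(evaluate(SAMPLE_EVENTS)).items()):
        print(pid, ", ".join(rules))
```

The hash rule is the weakest of the four (any rebuild of the dropper changes it); the IXP chain and Run-key rules key on behaviour that survives repacking, and the C2 rule is useful only for as long as 217.196.96.56:4138 stays live, so treat the network hit as confirmation rather than the primary signal.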

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5814500.exe

    Filesize

    307KB

    MD5

    aa081f9d22ec81b1f241715e752cd660

    SHA1

    a2e6d820f3d653c801f8dc435a2e4e709bc79e4e

    SHA256

    ece9e4ba7629dfba02c2078aa0161a0ed48cbfb4b717fed302952e52c30901f6

    SHA512

    c163a1027a358cc3e451ac80440ed01a677445609f15b262dbd6f22847d417c705c6bf97b58c72ec4609ce3e5ef8c6d374d6e91e724f2a410cf3d77e4278842b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7543287.exe

    Filesize

    168KB

    MD5

    483e00f98eb4aa8de2cce99b4525b7a5

    SHA1

    55031d27f03928b96a14f8c752e5fa642813d629

    SHA256

    a88871435492bccdd742aa6f85d7cbd969aa7a6a26c2143e08aa0774801fd7ff

    SHA512

    938eadabd691220abfbd4254df285081531b8d7603c2634adef5a2836c0513766d230e0040ae0b97ab9c0980985e46a0790f3f0dc38bc16cbae8b703a914d63b

  • memory/4432-14-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

    Filesize

    4KB

  • memory/4432-15-0x00000000003A0000-0x00000000003D0000-memory.dmp

    Filesize

    192KB

  • memory/4432-16-0x00000000027F0000-0x00000000027F6000-memory.dmp

    Filesize

    24KB

  • memory/4432-17-0x0000000005450000-0x0000000005A68000-memory.dmp

    Filesize

    6.1MB

  • memory/4432-18-0x0000000004F40000-0x000000000504A000-memory.dmp

    Filesize

    1.0MB

  • memory/4432-19-0x0000000004E60000-0x0000000004E72000-memory.dmp

    Filesize

    72KB

  • memory/4432-20-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB

  • memory/4432-21-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

    Filesize

    240KB

  • memory/4432-22-0x0000000005050000-0x000000000509C000-memory.dmp

    Filesize

    304KB

  • memory/4432-23-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

    Filesize

    4KB

  • memory/4432-24-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB