Overview

overview

10

Static

static

3

8ead519fe6...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ead519fe625136d44acea909d53cce77170f464766ee9866e657d5da3d0ac3dN.exe

  • Size

    383KB

  • MD5

    f42d3b2418e9070834ff20c658bda960

  • SHA1

    27e43adf97a15f154f8526713440f47c9ba5c079

  • SHA256

    8ead519fe625136d44acea909d53cce77170f464766ee9866e657d5da3d0ac3d

  • SHA512

    49666c347e7041220c7d41cdcc6e3c71be7c1dc603e647ef2696e4d1df071c09f6e535ffdb05488c75f4ea96c4b7aa46f3d3d52eb7f25d355db406f37f76c504

  • SSDEEP

    6144:KUy+bnr+Vp0yN90QEiUHh4HZn7E1XELEOIHjdY/fR8N2Zt3Ng12YACiU0Wy:UMrpy90zH0gyXIHhY/fR8yNe9ACi9

Score
10/10
redlinedarmdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ead519fe625136d44acea909d53cce77170f464766ee9866e657d5da3d0ac3dN.exe
    "C:\Users\Admin\AppData\Local\Temp\8ead519fe625136d44acea909d53cce77170f464766ee9866e657d5da3d0ac3dN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3484762.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3484762.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3484762.exe
    Filesize

    168KB

    MD5

    b9dba72e75119e43a214c42c3e7cc14b

    SHA1

    903dcde565c8962366dbc998facd9842500952f3

    SHA256

    6f9ebc43b178bc733d1660cb261e1d3bcdb0fd7c0c338dee092cbee852f3a143

    SHA512

    32d08c2e79f039123ea16cd338880739fde621923f02c0a82314f96bef912f079b8a9d90a9b156d4ed96ad08724ed1ee43fadd248fd7df629e88cc1ae71e74d4

    Download Submit

  • memory/700-7-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/700-8-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/700-9-0x0000000003270000-0x0000000003276000-memory.dmp

    Filesize

    24KB

    Download

  • memory/700-10-0x000000000B3D0000-0x000000000B9E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/700-11-0x000000000AF50000-0x000000000B05A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/700-12-0x000000000AE80000-0x000000000AE92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/700-13-0x000000000AEE0000-0x000000000AF1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/700-14-0x0000000073F80000-0x0000000074730000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/700-15-0x0000000003130000-0x000000000317C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/700-16-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/700-17-0x0000000073F80000-0x0000000074730000-memory.dmp

    Filesize

    7.7MB

    Download