Overview

overview

10

Static

static

3

26583f6be7...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26583f6be79bec8a5732749d492f27045a4f2c3a0eb6613eb2bb737d835ae3ffN.exe

  • Size

    419KB

  • MD5

    7a114faa1e2932c8cf6b963472abe050

  • SHA1

    6f4cd6776dd8c0338a32fbe2f7c4fcd840972253

  • SHA256

    26583f6be79bec8a5732749d492f27045a4f2c3a0eb6613eb2bb737d835ae3ff

  • SHA512

    484578973f4ee5394cfe7c1162ee1c0a38178f52331a58b729310a975f659206ce2211b4bbee415c3680fb90179738a9cba33c73319d7d0cf23b069d525a7cd9

  • SSDEEP

    12288:3Mr9y90lSBK5eAWyl///vdZOr3PtSpycV7eka4BPllo3Zx5t:mydk5LWS//twPEEe9aCPDwZxf

Score
10/10
redlineronurdiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26583f6be79bec8a5732749d492f27045a4f2c3a0eb6613eb2bb737d835ae3ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\26583f6be79bec8a5732749d492f27045a4f2c3a0eb6613eb2bb737d835ae3ffN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLX17rQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLX17rQ.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLX17rQ.exe
    Filesize

    265KB

    MD5

    22fa9dc8d6bb6629c530256635becb49

    SHA1

    5041d1a1d4b8c6e442ca2d5a089c1ba146f9ed21

    SHA256

    bb9b0f0b2564e1817399025d209a51878f070a9c0370d341398cf1c4caea59c8

    SHA512

    b99fd8e8aff01cb53668189cf751ae020d8e004278d56f4ee8db06a2f1776a4ad5015fc848cdc3de90d3bbeb8ba45b237ee426662f6a296a2cf3d976be41b549

    Download Submit

  • memory/3480-8-0x0000000000650000-0x0000000000750000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3480-9-0x0000000000820000-0x000000000086B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3480-10-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3480-11-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3480-12-0x00000000025B0000-0x00000000025F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3480-13-0x0000000004E10000-0x00000000053B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3480-14-0x0000000002650000-0x0000000002694000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3480-16-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-28-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-78-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-74-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-72-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-71-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-68-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-66-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-65-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-62-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-60-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-59-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-56-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-54-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-52-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-50-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-48-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-46-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-44-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-42-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-40-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-38-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-34-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-32-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-30-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-26-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-24-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-22-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-20-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-18-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-76-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-36-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-15-0x0000000002650000-0x000000000268E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3480-921-0x00000000053C0000-0x00000000059D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3480-922-0x0000000004C70000-0x0000000004D7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3480-923-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3480-924-0x00000000059E0000-0x0000000005A1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3480-925-0x0000000005B20000-0x0000000005B6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3480-926-0x0000000000650000-0x0000000000750000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3480-927-0x0000000000820000-0x000000000086B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3480-928-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download