Overview

overview

10

Static

static

3

a4c7de237f...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4c7de237f0963ae7a5cbbf74883a596982c07f8faf99e6ffe1ae0bdc62905d3.exe

  • Size

    308KB

  • MD5

    8c1ce078b966f39071af18d2497fcbbc

  • SHA1

    1ba00d48c94a89c652db274a494d73dc92142f90

  • SHA256

    a4c7de237f0963ae7a5cbbf74883a596982c07f8faf99e6ffe1ae0bdc62905d3

  • SHA512

    54ac8f6bf225f68f957ea5cbc16cf2778aa1229de5c8ea56e1d7384f1aab681a062a4f7ee98748b813d83ba5c2a58edb8593dd685c32deac7531b959c4ab9082

  • SSDEEP

    6144:K2y+bnr+Op0yN90QEBwSAlP3tIyGHy8lhdSklzz:qMrqy90wrxGSerzz

Score
10/10
redlinedumuddiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4c7de237f0963ae7a5cbbf74883a596982c07f8faf99e6ffe1ae0bdc62905d3.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c7de237f0963ae7a5cbbf74883a596982c07f8faf99e6ffe1ae0bdc62905d3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7230738.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7230738.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7230738.exe
    Filesize

    168KB

    MD5

    3ee9630058761a6d107e2f82dee6486d

    SHA1

    d34b1278bd31e5ba8a93a10b64ac56dd1c16f5c0

    SHA256

    fd9f7fcc8101eed7636b008190879f36fa101947c53103cbad1fe00ea1331f86

    SHA512

    a85ad1ebf87a743e624f314562da1dc490aeeaee86403185f8fa60973690672d4e244b30d1249f905970ce33a5aaad57137bacb24a66178d4fbd1b59a9298744

    Download Submit

  • memory/2064-7-0x00000000746DE000-0x00000000746DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2064-8-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2064-9-0x0000000002660000-0x0000000002666000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2064-10-0x0000000005430000-0x0000000005A48000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2064-11-0x0000000004F50000-0x000000000505A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2064-12-0x0000000004E80000-0x0000000004E92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2064-13-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2064-14-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2064-15-0x0000000005060000-0x00000000050AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2064-16-0x00000000746DE000-0x00000000746DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2064-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

    Filesize

    7.7MB

    Download