Overview

overview

10

Static

static

3

c551a44b80...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c551a44b8006f79fc9e974a653618cc29408cb2da20f06b9477b1d44665bc8de.exe

  • Size

    770KB

  • MD5

    f712ba8c4457a7b1f5b75b9eb66023a0

  • SHA1

    4201554d45faab946cff8b5327d5b8491ef31cad

  • SHA256

    c551a44b8006f79fc9e974a653618cc29408cb2da20f06b9477b1d44665bc8de

  • SHA512

    112d97aebe90d4080df2f0a92785a342609a473b708e5ab8e3fc4e3dadab014e59d4b87ba0531678d11e495a914059d1c60a914c854e565f863da9e483dddc82

  • SSDEEP

    24576:2ySrK08SNLXZRMlDVM0cWzor+s0muZ3Vv:FP0fNLpiV5XzoKsduZ3Z

Score
10/10
redlinemixadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes
  • auth_value

    9d14534b25ac495ab25b59800acf3bb2

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c551a44b8006f79fc9e974a653618cc29408cb2da20f06b9477b1d44665bc8de.exe
    "C:\Users\Admin\AppData\Local\Temp\c551a44b8006f79fc9e974a653618cc29408cb2da20f06b9477b1d44665bc8de.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3668
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe
    Filesize

    488KB

    MD5

    6c83dccf7068c5e4823e2f3b6f909023

    SHA1

    964b1d259fb408f4876fc6850117af14b7564ed5

    SHA256

    ff1be372fd874893378538a2cb5bd3dd6d43bd1ee291ea8cc491091cf9010666

    SHA512

    f1b09bcf5153e211a442333d1c040d835616ee022225a32ec5e1678df8edd67bf047f81893168d13caaffdd01d9bfce00b23f61effd8518b801b59ceec0a90de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe
    Filesize

    316KB

    MD5

    b4bdc012fea5596aae2172c4e8f489bb

    SHA1

    e5d7f7d5604321872aa2a93e7424482ee97bd905

    SHA256

    de2b9236995c77b16ab4012a918178b75292e38536f266e67d011563cdf26ccb

    SHA512

    cc49baeb0890e7e7e5eac58215cfa2c0d3e8436687ba6f176a40bb2af1d4ec28a4fc4201579f8d8d30e8fe11def52865f47f63335868544f88c3e9a409a1f15b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe
    Filesize

    185KB

    MD5

    f0163b510cf2717a206039be22861d2c

    SHA1

    76a69295ea8aca57c550fd38c45a9d7d0c058618

    SHA256

    2709065630f3ca2b27ed588d1dc5c6a045284ce16917f123ca1db257a6d1cb6c

    SHA512

    6c8f3f56bd751f1e842bd5c45f60d0f6acbeeab6e5331d401f9bc9ce8ab3b6565c10f1eafc5cc0cc3ccdb24ee97aaa2a093d3d5df15ce00c62350745729df1e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe
    Filesize

    168KB

    MD5

    897f9dc9a025756215d04ff3437df610

    SHA1

    3ff245a31c220d02c179d9d8dd0945094d5ea512

    SHA256

    d6d5f4bba03d23d90f211f9f442541f08a84b80d5b99ce67e0e971bda66ec084

    SHA512

    39fe57d28711667b320c0a9c2393759d898e39813de581ad673900f3b36eff229cad963f73a84864c699b0322b67f96127c2eb726103137eb3402b3c3d491bbe

    Download Submit

  • memory/2748-62-0x0000000004BA0000-0x0000000004BEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2748-61-0x000000000A970000-0x000000000A9AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2748-60-0x000000000A910000-0x000000000A922000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2748-59-0x000000000A9E0000-0x000000000AAEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2748-58-0x000000000AE60000-0x000000000B478000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2748-57-0x0000000002A60000-0x0000000002A66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2748-56-0x0000000000A30000-0x0000000000A5E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3668-51-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-24-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-37-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-35-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-33-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-31-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-29-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-27-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-25-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-41-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-43-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-45-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-47-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-49-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-39-0x00000000050A0000-0x00000000050B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3668-23-0x00000000050A0000-0x00000000050BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3668-22-0x0000000004AB0000-0x0000000005054000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3668-21-0x0000000002510000-0x000000000252E000-memory.dmp

    Filesize

    120KB

    Download