Overview

overview

10

Static

static

3

522707cd42...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    522707cd425ca9de34b3772fa55c0b6a707af9cd109d9bad5c0d8fe3e419a55c.exe

  • Size

    304KB

  • MD5

    6f9da3e946ca35ee56eb0010b74bb501

  • SHA1

    949c04d86516215f53b61abbfa52a157d223b015

  • SHA256

    522707cd425ca9de34b3772fa55c0b6a707af9cd109d9bad5c0d8fe3e419a55c

  • SHA512

    e086ad9b8ecd9c7e6d336b7ab052e0219161da25d280fc7755b34f822e25a66f72c45dc3fee05e9ae7340ff0d8029be83d15a65c6c558d0ff206a8880b70bee8

  • SSDEEP

    6144:KBy+bnr+Cp0yN90QEfSt7N//6JvBXXS57xe9x:vMrqy90F0Jqb+Ex

Score
10/10
redlinedomadiscoveryinfostealerpersistence

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes
  • auth_value

    8be53af7f78567706928d0abef953ef4

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\522707cd425ca9de34b3772fa55c0b6a707af9cd109d9bad5c0d8fe3e419a55c.exe
    "C:\Users\Admin\AppData\Local\Temp\522707cd425ca9de34b3772fa55c0b6a707af9cd109d9bad5c0d8fe3e419a55c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f6578919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f6578919.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f6578919.exe
    Filesize

    145KB

    MD5

    da6c57e9e0409dcba02e3f9f4c97ac3d

    SHA1

    4285254859f7e0a8e1613e8bda4ac3f957222b4c

    SHA256

    492fa793dde62ae5c0b0eb351295f672ff0f1db16197231dab0ed7d9d6535bf8

    SHA512

    283c84418a7af53657c098b8173bcb97bb2d6823c05275bab5a0472f7ac708840b5c56ea8e3ee6bad4cb22a65091ee8fcc4d3b9eecfc4d2f1f8089ab93d55451

    Download Submit

  • memory/1752-7-0x000000007428E000-0x000000007428F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1752-8-0x0000000000270000-0x000000000029A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1752-9-0x00000000050D0000-0x00000000056E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1752-10-0x0000000004C00000-0x0000000004D0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1752-11-0x0000000004B50000-0x0000000004B62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1752-12-0x0000000004B70000-0x0000000004BAC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1752-13-0x0000000004BB0000-0x0000000004BFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1752-14-0x000000007428E000-0x000000007428F000-memory.dmp

    Filesize

    4KB

    Download