Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 16:11
General
-
Target
688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe
-
Size
3.8MB
-
MD5
61cdf7e4eca424c763178c94c7ef760f
-
SHA1
f2096fd54988dbf5a8a9dab58bbd2f919661c5ab
-
SHA256
688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86
-
SHA512
6eb87a0bc294d6e4920fc82e9ae2ec397f2a3e31fde8a03644f21216e91aa27148b99e5ae8c92ef9a930ec20c9306a97b33e316fb8b8b981cde9a5df10920812
-
SSDEEP
98304:nyBQbqAIBax9N1kCvwYxgAmZtd6xcN2QBYMYhRkbp97:nyIioXwYOAgd6KX9Y/y3
Malware Config
Extracted
redline
91.243.32.73:7171
-
auth_value
f0eaa7ad30bc41521e3d61c8504e5715
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe"C:\Users\Admin\AppData\Local\Temp\688851b3d020213958e978a00a32113326d2ee66a6bfc5cceb279e393da2ea86.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F1gaSebe_crypted.exeC:\Users\Admin\AppData\Local\Temp\F1gaSebe_crypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd3⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Shortfalls.exeC:\Users\Admin\AppData\Local\Temp\Shortfalls.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD51b8ae5c577608b9f780b3ad704679e0a
SHA14402007d8e5ca59fe704d543a417c77e39dce762
SHA256039a6fd68c38bd081e9bca0181187df2653e501b5795d24ad6f895cf81c50bdf
SHA5129cc97013331ef3d4fbce1d1656ee5a28c193a50eabbf8fd75f2f1a8c57c00d2b32f82bdb35896209e3d7e24babfed607656b6e4a11a910fa099fbc25340587b3
-
Filesize
807KB
MD55f6b473388665e4c29cf86b97acd05f0
SHA16cc67923b21ef5df391b211243e9bca3f47851dc
SHA256616ceb62d1c53a9837635e51abd73b8c717a9d20b1cc882d1420a46c385d8304
SHA512de3253a8714558da0621dbfcf72e4bceeed563785158f2830061f54d6b14b6a1eeb5d7abf349b9566ebcbb38afc4a0f8757ef94eae58e4eea578a98b4633fd66
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
824KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
2.9MB
-
Filesize
9.9MB
-
Filesize
3.6MB
-
Filesize
9.9MB
-
Filesize
2.9MB
-
Filesize
2.0MB
-
Filesize
9.9MB