Overview

overview

10

Static

static

1

$O00l1ArAi...er.zip

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    25-12-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $O00l1ArAi1nstaller.zip

  • Size

    331KB

  • MD5

    e5685d7badcd511b3847631402de6143

  • SHA1

    088b2ee9859eec98eae62483a459248ec60f947d

  • SHA256

    aaaff084052e3062d911bf5859a4a6bafdf09b5dc2fe8c201ed932ef9b8c92a2

  • SHA512

    1e3a9792954f23c1e63cdaab42128e4714911f8a06f6669e10bce8e2fd6f38c561b7d3205486ec2c517f45b9d5dbc4372c311875706a80dfaa4e32d5b5059859

  • SSDEEP

    6144:8yxRrFZp/PeqsuEJefOqsCSfz8dP3x/S1F294bnojHUOGtz+vp4WU:8yXrp/7sBcfwXo5Hizozuti5U

Score
10/10
redlinediscoveryinfostealer

Malware Config

Extracted

Family

redline

C2

185.196.9.26:6302

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$O00l1ArAi1nstaller.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\7zO06D01287\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06D01287\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1492
    • C:\Users\Admin\AppData\Local\Temp\7zO06DEC8C7\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06DEC8C7\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3948
    • C:\Users\Admin\AppData\Local\Temp\7zO06D04038\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06D04038\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1128
    • C:\Users\Admin\AppData\Local\Temp\7zO06DECD38\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06DECD38\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3936
    • C:\Users\Admin\AppData\Local\Temp\7zO06DFE228\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06DFE228\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3480
    • C:\Users\Admin\AppData\Local\Temp\7zO06D24718\$O00l1ArAi1nstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO06D24718\$O00l1ArAi1nstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$O00l1ArAi1nstaller.exe.log
    Filesize

    42B

    MD5

    84cfdb4b995b1dbf543b26b86c863adc

    SHA1

    d2f47764908bf30036cf8248b9ff5541e2711fa2

    SHA256

    d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

    SHA512

    485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zO06D01287\$O00l1ArAi1nstaller.exe
    Filesize

    384KB

    MD5

    51e03c02d99ef6ebbf99a129dafce711

    SHA1

    bb8267b0677884a2681687f1a5e60fa35194ac06

    SHA256

    03cbedf30b8339311d32d8df4895d36030b9f1f7917beba54b47d716674467c1

    SHA512

    7623101de16700802f269ad15e18be069b9711b5f25ad0672083c707e487bad3fd288c364e2220c567d9104bfa32416b11aa88e46c4b565efde4ba1b4b0a3124

    Download Submit

  • C:\Users\Admin\AppData\Roaming\msvcp110.dll
    Filesize

    570KB

    MD5

    5401467483efc8330d66e4fe98f03cc8

    SHA1

    6f0e567a34e8bef55d46edf1f5982d71bd92b481

    SHA256

    f4341d1dc746b79c91ba341455bdaff7cc32cc75292d0fcd9f3f7eed01a3bda7

    SHA512

    67ef910b8fc0a0a05f3c00ad8c3db4fb60e00423747d80115f91fd01cf17b9101ef84b790c06aea4dc25a44163d5d70c4030177b00c2b576d46f8bdcf0167472

    Download Submit

  • memory/1172-15-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1172-16-0x0000000000500000-0x0000000000568000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1172-17-0x00000000029B0000-0x00000000029B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1172-106-0x0000000074B50000-0x0000000075301000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1172-24-0x0000000074B50000-0x0000000075301000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1172-27-0x0000000074B50000-0x0000000075301000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1492-28-0x0000000005050000-0x00000000055F6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1492-30-0x00000000049B0000-0x00000000049BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1492-31-0x0000000006620000-0x0000000006C38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1492-32-0x0000000004D50000-0x0000000004E5A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1492-33-0x0000000004B30000-0x0000000004B42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1492-34-0x0000000004B90000-0x0000000004BCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1492-35-0x0000000004C40000-0x0000000004C8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1492-29-0x00000000049D0000-0x0000000004A62000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1492-25-0x0000000000160000-0x00000000001B2000-memory.dmp

    Filesize

    328KB

    Download