Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-01-2025 08:38

General

  • Target
    f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe
  • Size
    786KB
  • MD5
    3a409e60e12edf880cde21eafc8386be
  • SHA1
    279616bf483a128cfc605986b12e372d39cb45b4
  • SHA256
    f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82
  • SHA512
    63be79f9945870b2e1fbc2f4732425495a126de1634448f04ae195a0004f3d78b09606735dbf16e0972cdd8d441afc553fcb99c916736ca62e1c2c12c24f114c
  • SSDEEP
    24576:fF6TpqOooaAzC/Naeyagrgi2K9dA+Mbj:d6NH5z4keyzrgi3LA

Malware Config

Extracted

  • Family
    redline
  • Botnet
    Bot
  • C2
    87.120.120.4:1912

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 5 IoCs
  • Redline family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe
    "C:\Users\Admin\AppData\Local\Temp\f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eWJubxGoXXs.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWJubxGoXXs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3036
    • C:\Users\Admin\AppData\Local\Temp\f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe
      "C:\Users\Admin\AppData\Local\Temp\f19f717ad7c54c77927d0dea905fefde98774d31ec2f41195c66a230daf61d82.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEC0.tmp
    Filesize: 1KB
    MD5: b93ead8381770089f5aaa313f93ad73c
    SHA1: 702b7ef85133c78c3cc2dbe44744f1c53b6659d3
    SHA256: 4f4a0c3e05e70d5c94bf79c1940af75470476ea34ceea8e4fa22c15857f636e2
    SHA512: 7ed1f84323889dc50030a263c89b512b69aa557273d6653e410ec4227c0f471aebbd1d216ff7168eb03c4fc3bdaaf5d752ec15155fad792449a73dc79a9cf1dd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7ODGVQHDR20S2S8A72G1.temp
    Filesize: 7KB
    MD5: 3bdb9a0affaaf827e28c7a8ccdece24a
    SHA1: 9cca751f23e90f918d220f3bd943a91358cd4711
    SHA256: 5580d8683b64e6a8ab0db2fd3e251124d5470f29a6fa4d9bbfcdf6d84e62294b
    SHA512: 302f2d9bb956dcecef1a1ddb1e6eb4757c3b16c824030dc0a4b4d36a2fd4a1210f8cffb986352ea50c701e56a01c935885b4cde8c0a2d6bb211c1991bc5a39a9

  • memory/1720-4-0x0000000000560000-0x000000000057C000-memory.dmp
    Filesize: 112KB
  • memory/1720-3-0x0000000004DF0000-0x0000000004EB2000-memory.dmp
    Filesize: 776KB
  • memory/1720-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp
    Filesize: 4KB
  • memory/1720-5-0x0000000073FAE000-0x0000000073FAF000-memory.dmp
    Filesize: 4KB
  • memory/1720-6-0x0000000073FA0000-0x000000007468E000-memory.dmp
    Filesize: 6.9MB
  • memory/1720-7-0x0000000005470000-0x0000000005506000-memory.dmp
    Filesize: 600KB
  • memory/1720-2-0x0000000073FA0000-0x000000007468E000-memory.dmp
    Filesize: 6.9MB
  • memory/1720-1-0x0000000000FD0000-0x000000000109C000-memory.dmp
    Filesize: 816KB
  • memory/1720-32-0x0000000073FA0000-0x000000007468E000-memory.dmp
    Filesize: 6.9MB
  • memory/2640-30-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-29-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/2640-26-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-24-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-20-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-22-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/2640-31-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB