Overview

overview

10

Static

static

3

807d3d0819...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2025 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    807d3d0819b6de19ae75c283cea664d8f8668e26992a66f152750cb4006faf59N.exe

  • Size

    305KB

  • MD5

    5c24587733cc0d4f5c3678f1c0d33270

  • SHA1

    ccbf39baf7d376cb8034835e863167b2368b598d

  • SHA256

    807d3d0819b6de19ae75c283cea664d8f8668e26992a66f152750cb4006faf59

  • SHA512

    811e983bfcc299e0967b7121e97fb8cbbf3f7ebf7952dc2b04cd832dfc420db9c0619084f53c1434f1ff8a34a81a5c50bba05e04fb716ee9f4e16406d812715d

  • SSDEEP

    6144:KNy+bnr+Qp0yN90QENBc1K9QBiwyhULM/0/J/uClXItQi98e7kXuzz/K:vMrIy90nq1WQB+i/B/lYtMmK

Score
10/10
redlinemuzadefense_evasiondiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

muza

C2

185.161.248.75:4132

Attributes
  • auth_value

    99f39e1ac98e0c0a729ab27594e72bc3

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\807d3d0819b6de19ae75c283cea664d8f8668e26992a66f152750cb4006faf59N.exe
    "C:\Users\Admin\AppData\Local\Temp\807d3d0819b6de19ae75c283cea664d8f8668e26992a66f152750cb4006faf59N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5678607.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5678607.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7265291.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7265291.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2580
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzlCOTczQzYtNkZENi00MjMxLUE2NTUtRjQxNkFFQTVFMzEzfSIgdXNlcmlkPSJ7MjdCNDFBRjgtODE1RS00Q0Y2LTkzOEYtQzI1N0M4Njg4NkMxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjI1Nzk3QjgtODU3OS00MTQzLUE1RkMtRkJDNTA4MTYxQ0E5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTExMTIxMDIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a5678607.exe
    Filesize

    185KB

    MD5

    d35dd01de0b97ea05b1e9b08d32c5e0c

    SHA1

    1b0c8df17eaa12c00be520147a81881372f32718

    SHA256

    ce9bc8132dbcb980ee7abf4b676526e06d6df9fcb75ef2f638eba0064705d2ac

    SHA512

    d484bc261243ea11ee0b33f0ed7ab58da5e4510b85222d26bf9a70a975a2d9864c6808115e370dc2569a60532c329d47025144b2210013ece331f870cf025dd7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7265291.exe
    Filesize

    145KB

    MD5

    ef64d773363e66abc7f5dabf1b36d8c4

    SHA1

    a13c83d215983928b29a096a369380b2dc24a3f9

    SHA256

    3db09dcf0e953608cd9ab2d35ce6a1c4d28bb48957f27a6a661aa092f0133642

    SHA512

    2dd14ebb4ba5d46ff16e848cebcb414c5d7317412b197004776310e7b25bbb6c8a7415262ed883d5927e6b58c629bf43f5278fd4272bc3222fab859ba83ebba5

    Download Submit

  • memory/2580-57-0x0000000073E90000-0x0000000073F3B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/2580-55-0x0000000005570000-0x00000000055BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2580-54-0x00000000053F0000-0x000000000542C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2580-53-0x0000000005390000-0x00000000053A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2580-52-0x0000000005460000-0x000000000556A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2580-51-0x00000000058F0000-0x0000000005F08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2580-50-0x00000000009A0000-0x00000000009CA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2580-49-0x0000000073E90000-0x0000000073F3B000-memory.dmp

    Filesize

    684KB

    Download

  • memory/3540-24-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-42-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3540-32-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-30-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-28-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-27-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-38-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-22-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-18-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-16-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-14-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-20-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-13-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-34-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-43-0x0000000073EE0000-0x0000000074690000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3540-45-0x0000000073EE0000-0x0000000074690000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3540-41-0x0000000073EE0000-0x0000000074690000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3540-40-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-36-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3540-12-0x0000000073EE0000-0x0000000074690000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3540-11-0x0000000004AC0000-0x0000000004ADC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3540-10-0x0000000004C40000-0x00000000051E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3540-9-0x0000000073EE0000-0x0000000074690000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3540-8-0x00000000021F0000-0x000000000220E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3540-7-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

    Filesize

    4KB

    Download