Analysis
-
max time kernel
54s -
max time network
71s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
14/02/2023, 10:34
General
-
Target
2e2693e2b3805e55b01dc22afed31a18b22d9d97beb9e581e1a7c05cd864f102.exe
-
Size
528KB
-
MD5
38d0a603b47656510ee5a6f43f357ea7
-
SHA1
01df5ef71c6f1991eb6ff9f1fbd0f507436bc1b7
-
SHA256
2e2693e2b3805e55b01dc22afed31a18b22d9d97beb9e581e1a7c05cd864f102
-
SHA512
768d1e471b924fdead96f3b0f101eb990a39d1837810d43fb3901f2fef639875fd1ba2d1661856ade2617160e6cbfe1fda3369712f97519726016a15d1cc32d5
-
SSDEEP
12288:EMrky90pI6HDDhdizNnZKrETGXMvgD1se79lrLVOSm1eyJ6:4yoWZsEicvgnZ951
Malware Config
Extracted
redline
ruma
193.233.20.13:4136
-
auth_value
647d00dfaba082a4a30f383bca5d1a2a
Extracted
redline
dubka
193.233.20.13:4136
-
auth_value
e5a9421183a033f283b2f23139b471f0
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e2693e2b3805e55b01dc22afed31a18b22d9d97beb9e581e1a7c05cd864f102.exe"C:\Users\Admin\AppData\Local\Temp\2e2693e2b3805e55b01dc22afed31a18b22d9d97beb9e581e1a7c05cd864f102.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRP24.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRP24.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsD55.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsD55.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ncq43Fr.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ncq43Fr.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sFa71.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sFa71.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
424KB
MD55e12ca7819c6446fc6475448a5d55630
SHA198b7f790664b354ed1d619060965787a9b28dad0
SHA2566ff725e04d4a1701090310296e0a2a0b6a4a90f54b4c6abd8caa886f919e8468
SHA51220c9e6d4314ced963fb687ebb9ff6cde7811a5228fced14664958fc0137a1ee3c48effa1d8c393c030806ebc5e0b99eb638b357f4efcd385c3bc3cb3d0b0c729
-
Filesize
424KB
MD55e12ca7819c6446fc6475448a5d55630
SHA198b7f790664b354ed1d619060965787a9b28dad0
SHA2566ff725e04d4a1701090310296e0a2a0b6a4a90f54b4c6abd8caa886f919e8468
SHA51220c9e6d4314ced963fb687ebb9ff6cde7811a5228fced14664958fc0137a1ee3c48effa1d8c393c030806ebc5e0b99eb638b357f4efcd385c3bc3cb3d0b0c729
-
Filesize
278KB
MD55e7ad96227ac97ea047c202bab0a79dd
SHA1700c285600d0d8324660dac5326eaae1b1891645
SHA2561e55c8ff6e68cb300f581fd5003dd36f35835d00f9c8938a3a0eb9b7cded4875
SHA51227af17d76db10679b00a15ef754ebc41e830bc4fbcd93073d1cfba416824e800da10e636bd44ce8f177281c4a706c41c9af58ea82e9db54c81d038d7b18af08f
-
Filesize
278KB
MD55e7ad96227ac97ea047c202bab0a79dd
SHA1700c285600d0d8324660dac5326eaae1b1891645
SHA2561e55c8ff6e68cb300f581fd5003dd36f35835d00f9c8938a3a0eb9b7cded4875
SHA51227af17d76db10679b00a15ef754ebc41e830bc4fbcd93073d1cfba416824e800da10e636bd44ce8f177281c4a706c41c9af58ea82e9db54c81d038d7b18af08f
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
175KB
MD5dd0c9e110c68ce1fa5308979ef718f7b
SHA1473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA51229bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
188KB
-
Filesize
3.4MB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
272KB
-
Filesize
3.4MB
-
Filesize
300KB
-
Filesize
5.0MB
-
Filesize
280KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
300KB
-
Filesize
200KB