Analysis
-
max time kernel
55s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
14-02-2023 17:31
General
-
Target
ff419a41b3501a305d8e577eb8481cd4.exe
-
Size
478KB
-
MD5
ff419a41b3501a305d8e577eb8481cd4
-
SHA1
242fa76c343f67bc948778a546524bb1b9dcc4cf
-
SHA256
d8476c2062a499285bd361f92f96837a6d36a744e359bb85185cca3d0034a24c
-
SHA512
ea4fd4a90ab5fc4ece9270588aefac35fb516e2ab13daaa65b01db670ef0d61d7b17e4f57ab696bc8097f42d3b3e2724a248406313dc4f95296cccbfbbba6bfd
-
SSDEEP
12288:8Mrky90ZhqWKvW/RxEGr6Y4ZH+y2+KfLVYLe2xd3:Qy6J95IY9H+wLVhu
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff419a41b3501a305d8e577eb8481cd4.exe"C:\Users\Admin\AppData\Local\Temp\ff419a41b3501a305d8e577eb8481cd4.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njH48Vf.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njH48Vf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bGX54ce.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bGX54ce.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGF20xP.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dGF20xP.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPf70fY.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPf70fY.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
374KB
MD59d6457606e86e9fe643abb9d803461fe
SHA1fa8e8c853187f25581bf4aeda2a0706ed28831e9
SHA25666bb5d858dd0909522e43b0a45a65776fda4ab402b86bf86c34593df254223f2
SHA5126739e72d7d08353ff9089d73a7159519fce132a4544b7910d16d3ef7bc72dfd18130e579409a5eb7f9b736a28183f7262159c9a11f61e508e37046f9a897a865
-
Filesize
374KB
MD59d6457606e86e9fe643abb9d803461fe
SHA1fa8e8c853187f25581bf4aeda2a0706ed28831e9
SHA25666bb5d858dd0909522e43b0a45a65776fda4ab402b86bf86c34593df254223f2
SHA5126739e72d7d08353ff9089d73a7159519fce132a4544b7910d16d3ef7bc72dfd18130e579409a5eb7f9b736a28183f7262159c9a11f61e508e37046f9a897a865
-
Filesize
235KB
MD5760791b22909e7d142a6c97e4aa18476
SHA1912f22fb3409888fda2e71d7868242bad21681e2
SHA25630a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize
235KB
MD5760791b22909e7d142a6c97e4aa18476
SHA1912f22fb3409888fda2e71d7868242bad21681e2
SHA25630a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
374KB
MD59d6457606e86e9fe643abb9d803461fe
SHA1fa8e8c853187f25581bf4aeda2a0706ed28831e9
SHA25666bb5d858dd0909522e43b0a45a65776fda4ab402b86bf86c34593df254223f2
SHA5126739e72d7d08353ff9089d73a7159519fce132a4544b7910d16d3ef7bc72dfd18130e579409a5eb7f9b736a28183f7262159c9a11f61e508e37046f9a897a865
-
Filesize
374KB
MD59d6457606e86e9fe643abb9d803461fe
SHA1fa8e8c853187f25581bf4aeda2a0706ed28831e9
SHA25666bb5d858dd0909522e43b0a45a65776fda4ab402b86bf86c34593df254223f2
SHA5126739e72d7d08353ff9089d73a7159519fce132a4544b7910d16d3ef7bc72dfd18130e579409a5eb7f9b736a28183f7262159c9a11f61e508e37046f9a897a865
-
Filesize
235KB
MD5760791b22909e7d142a6c97e4aa18476
SHA1912f22fb3409888fda2e71d7868242bad21681e2
SHA25630a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize
235KB
MD5760791b22909e7d142a6c97e4aa18476
SHA1912f22fb3409888fda2e71d7868242bad21681e2
SHA25630a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize
235KB
MD5760791b22909e7d142a6c97e4aa18476
SHA1912f22fb3409888fda2e71d7868242bad21681e2
SHA25630a7dd0b713c452b66bbe4dbde9f345919d3fb2b8fdbd0b2afe00c0913dd4c2d
SHA512415657cf57d4a74e8a221939a091b9ad87aad4ccd55d8667d8bfdd5b8a93a02ab359543a7ff936fdc866be5a39f0b4b73822f385dc9000d1a97a9d5f117a156e
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
3.3MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
3.3MB
-
Filesize
96KB
-
-
Filesize
104KB
-
Filesize
128KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
200KB
-
-
-
Filesize
40KB
-