Overview

overview

10

Static

static

1

a9a79e838a...25.exe

windows7-x64

10

a9a79e838a...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2023, 01:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe

  • Size

    530KB

  • MD5

    9d98887da237676528795fc16cc28242

  • SHA1

    5fac23c5983cb857dec0ac79f4d9491f9a3cb99d

  • SHA256

    a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425

  • SHA512

    2262ed94830c4bc627f6f924d966442dc4d08084515e46cbaabd7adf07b2b4e64df65b7b6dd6583e6d43f5a474ee9d8f92a05ef190b993d8502c59c29e8471ca

  • SSDEEP

    12288:4MrNy902v5yPNzLa5YdCKvVFZuMBJhRX3wDb1YJks:VyxvsPNvaKbvFR/hRIbqJr

Score
10/10
redlinefabiofuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Extracted

Family

redline

Botnet

fabio

C2

193.233.20.27:4123

Attributes
  • auth_value

    56b82736c3f56b13be8e64c87d2cf9e5

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe
    "C:\Users\Admin\AppData\Local\Temp\a9a79e838aa44a567de917e6cfceac32d31d490be8721790d73faee90fa37425.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1656
          4⤵
          • Program crash
          PID:4876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3704 -ip 3704
    1⤵
      PID:4388

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
            Filesize

            175KB

            MD5

            1390e22edc77aa421eb0357375b442ef

            SHA1

            015409efc11c4f5f6f091a1517e47021aa32b9ec

            SHA256

            47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

            SHA512

            2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uhRt50LD40Wo.exe
            Filesize

            175KB

            MD5

            1390e22edc77aa421eb0357375b442ef

            SHA1

            015409efc11c4f5f6f091a1517e47021aa32b9ec

            SHA256

            47b53226bcd1f0d32e065794a916066df71f6c150f7a0f93f159f0135c9839ec

            SHA512

            2c0c8b152c91c1759a8a8afb6e04bea08d548e21ba73b98bc73d0c34d77c04004f051ccb6b65231dce2ab54f3d84baa6677a35edf203813629cea2af7be3429a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
            Filesize

            385KB

            MD5

            d8e3f421348ce110fa5822c0bba850cc

            SHA1

            5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

            SHA256

            06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

            SHA512

            40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhM0717qJ.exe
            Filesize

            385KB

            MD5

            d8e3f421348ce110fa5822c0bba850cc

            SHA1

            5bdc351bfd86409cbe5e09c628f5ea2a0ceb4618

            SHA256

            06c3ce6329fca61382dec0158bf047f796d7dd13930a1393d2f77820c8a15e67

            SHA512

            40aa9e349a6d4535490e5c7265d74eeefc1d72f7564129951632ebce74a9c1e1e5b8ce7aa7f6b1db9cdff5b2b54c121c579b18ff84c020a0e010d505e140c9a6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
            Filesize

            11KB

            MD5

            882a67e5fd493f6bd53c1017fc83560b

            SHA1

            1ded2aad86cbbd08642c958dde824ae21064f045

            SHA256

            54b69b90a598a0481908d727d34b90c87c93eca5ef74ad44afe09971e77fae00

            SHA512

            5cbf8aeb1e6ce65397a24018a49a0c9c3b6863d11bfaf7d0ea432bc756995700cbc80ef13da3a8ceab818416dbca95da7721a69b55a1158ca5e04832cd2e7820

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf50YH01UP26.exe
            Filesize

            11KB

            MD5

            882a67e5fd493f6bd53c1017fc83560b

            SHA1

            1ded2aad86cbbd08642c958dde824ae21064f045

            SHA256

            54b69b90a598a0481908d727d34b90c87c93eca5ef74ad44afe09971e77fae00

            SHA512

            5cbf8aeb1e6ce65397a24018a49a0c9c3b6863d11bfaf7d0ea432bc756995700cbc80ef13da3a8ceab818416dbca95da7721a69b55a1158ca5e04832cd2e7820

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
            Filesize

            294KB

            MD5

            10466b602e1c396979e43b57cd69bdc2

            SHA1

            dd1e099b5b8b216f8894f100427eec39023ddb4e

            SHA256

            78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

            SHA512

            0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf34gN25AR02.exe
            Filesize

            294KB

            MD5

            10466b602e1c396979e43b57cd69bdc2

            SHA1

            dd1e099b5b8b216f8894f100427eec39023ddb4e

            SHA256

            78104c47615ced3ba71d64a76627b6fac8b81e9b6d10c3c2713e4054fd8c1c1a

            SHA512

            0e93a5fb25762f5295cbb68a299fefbdac4d450f55f0636917da8a48782616abed7056557c41f29ef883b42cf21cce94447dc03b68e3ce35cae3f72c7addfa4e

            Download Submit

          • memory/1992-1084-0x00000000008C0000-0x00000000008F2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1992-1085-0x00000000054B0000-0x00000000054C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-187-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-201-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-154-0x0000000000670000-0x00000000006BB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/3704-156-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-157-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-158-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-159-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-161-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-163-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-165-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-167-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-169-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-171-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-173-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-175-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-177-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-179-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-181-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-183-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-185-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-153-0x0000000004E40000-0x00000000053E4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3704-189-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-191-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-193-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-195-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-197-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-199-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-155-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-203-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-205-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-207-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-209-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-213-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-215-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-211-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-217-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-219-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-221-0x0000000004C80000-0x0000000004CBE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/3704-1064-0x00000000053F0000-0x0000000005A08000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/3704-1065-0x0000000005A10000-0x0000000005B1A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/3704-1066-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3704-1067-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3704-1068-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-1070-0x0000000005DC0000-0x0000000005E52000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3704-1071-0x0000000005E60000-0x0000000005EC6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3704-1072-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-1073-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-1074-0x00000000067E0000-0x0000000006856000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3704-1075-0x0000000006860000-0x00000000068B0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3704-1076-0x00000000068B0000-0x0000000006A72000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3704-1077-0x0000000006A80000-0x0000000006FAC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/3704-1078-0x0000000004E30000-0x0000000004E40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4476-147-0x0000000000510000-0x000000000051A000-memory.dmp

            Filesize

            40KB

            Download