Analysis
-
max time kernel
141s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09/03/2023, 04:55
General
-
Target
f23a6139ec60560c50b0ab8988cb14b00f9fff47b3051b9e9b61db6eb9fa8b99.exe
-
Size
577KB
-
MD5
745fbb32399979f2ad7bc01c13d54054
-
SHA1
f5c54548eb3194536592fbfbce2e2e34eb3d2bf7
-
SHA256
f23a6139ec60560c50b0ab8988cb14b00f9fff47b3051b9e9b61db6eb9fa8b99
-
SHA512
e30db3f76cd65b0e129ae9d010ece323a77445e4ed4966b15848a8d98fe56726fc36d5cf5e4ceecffbd7b4aea1a359ed04480d5367f4bd03149ece5f97197943
-
SSDEEP
12288:kMrwy90Kahimz7AuxqVLxFYn54YgCiA6QBoNrSf8:cy7sVAuxYLIXgK6QBopSf8
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f23a6139ec60560c50b0ab8988cb14b00f9fff47b3051b9e9b61db6eb9fa8b99.exe"C:\Users\Admin\AppData\Local\Temp\f23a6139ec60560c50b0ab8988cb14b00f9fff47b3051b9e9b61db6eb9fa8b99.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7319eH.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7319eH.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 10843⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w46WW61.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w46WW61.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 19963⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3116 -ip 31161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3300 -ip 33001⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
322KB
MD58141937b23cd1895e561d8e90fdeeff3
SHA16f810e9e480564f5837461f8ccdd07c951a1bece
SHA256ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6
SHA51240957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec
-
Filesize
322KB
MD58141937b23cd1895e561d8e90fdeeff3
SHA16f810e9e480564f5837461f8ccdd07c951a1bece
SHA256ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6
SHA51240957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec
-
Filesize
323KB
MD513693461251149817425e66f1206913a
SHA1998dbccbd83323f62a3b2b578a9605c0d933630f
SHA2568e9c17eef3b9aea25037691c41032485a6bc4b768861ac8da022ae30c76a494a
SHA512674b8043f203e5ec1e149775fc5ce7caf78e7a614be365e4dd719093a29ce4c37b7b3683262ce3e15f9df4f3854b63fec0176183766d9baa495b1fe7e4555b62
-
Filesize
323KB
MD513693461251149817425e66f1206913a
SHA1998dbccbd83323f62a3b2b578a9605c0d933630f
SHA2568e9c17eef3b9aea25037691c41032485a6bc4b768861ac8da022ae30c76a494a
SHA512674b8043f203e5ec1e149775fc5ce7caf78e7a614be365e4dd719093a29ce4c37b7b3683262ce3e15f9df4f3854b63fec0176183766d9baa495b1fe7e4555b62
-
Filesize
5.6MB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
848KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
848KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
472KB
-
Filesize
320KB