Overview

overview

10

Static

static

1

0170c72226...7b.exe

windows7-x64

10

0170c72226...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2023 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0170c722261c494ccf2b871ca1011680ad11759db14936ba3bd0941a9233997b.exe

  • Size

    557KB

  • MD5

    0209582fbd5345aff1b97ac70407b97f

  • SHA1

    dfab2ca620ed3261c2877a8ffe69b0ef590f7eb8

  • SHA256

    0170c722261c494ccf2b871ca1011680ad11759db14936ba3bd0941a9233997b

  • SHA512

    cba788e2e9d822ffaa96cd88d9ff68695913b3594a18855b160800dcd667e8a57e4ed7aada1dfa82e0573a85e5af9ac7e4be51a4364f463de2f32fd14f6810df

  • SSDEEP

    12288:pMrFy902JZic3F6gBcLP/6+hjT5zW7foehM2hqs5p7Afvi1:Ay3Zn3F6gGC+5FWbdMeD5Ug

Score
10/10
redlinefudevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0170c722261c494ccf2b871ca1011680ad11759db14936ba3bd0941a9233997b.exe
    "C:\Users\Admin\AppData\Local\Temp\0170c722261c494ccf2b871ca1011680ad11759db14936ba3bd0941a9233997b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPi1819mH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPi1819mH.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf04PH90rH53.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf04PH90rH53.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf70Sd96zg42.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf70Sd96zg42.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPi1819mH.exe
    Filesize

    412KB

    MD5

    0bb3a91e84a7eafefe55dafab4a53554

    SHA1

    6754e4b511267a582fa38edc40c636fb81556004

    SHA256

    585425ecf7fb784a52ddf361e8b4a3ae8fef8d5f82682070ef09632391c7a26b

    SHA512

    4cab71a1f7d5b1b10645e02d1946c3b22f5468863f40a9427f5f960406e2bf158fd485dc7cb1ae3d53ac2c1ad2ba81127502ab903fe47a610ca183cdccacc3fb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhPi1819mH.exe
    Filesize

    412KB

    MD5

    0bb3a91e84a7eafefe55dafab4a53554

    SHA1

    6754e4b511267a582fa38edc40c636fb81556004

    SHA256

    585425ecf7fb784a52ddf361e8b4a3ae8fef8d5f82682070ef09632391c7a26b

    SHA512

    4cab71a1f7d5b1b10645e02d1946c3b22f5468863f40a9427f5f960406e2bf158fd485dc7cb1ae3d53ac2c1ad2ba81127502ab903fe47a610ca183cdccacc3fb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf04PH90rH53.exe
    Filesize

    11KB

    MD5

    857e6b9680004607d4a8466fe38fee52

    SHA1

    09d52e2aad34051300c436abe882625483b74462

    SHA256

    e557bdc852841736a14bf139d34bd3170f3aafdf22ec886533a7d20505ffc851

    SHA512

    e6d1d91df90cbff233f179bbfe1233b28beaa8f26f98e490bc2dd22036a1fd314adce8203968ba37b7bfb6fd6edf2accde9c239ddcbe42802a8bba03deeaf767

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf04PH90rH53.exe
    Filesize

    11KB

    MD5

    857e6b9680004607d4a8466fe38fee52

    SHA1

    09d52e2aad34051300c436abe882625483b74462

    SHA256

    e557bdc852841736a14bf139d34bd3170f3aafdf22ec886533a7d20505ffc851

    SHA512

    e6d1d91df90cbff233f179bbfe1233b28beaa8f26f98e490bc2dd22036a1fd314adce8203968ba37b7bfb6fd6edf2accde9c239ddcbe42802a8bba03deeaf767

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf70Sd96zg42.exe
    Filesize

    409KB

    MD5

    d918db9077504212d04e97bc5857b710

    SHA1

    cbac3bfca65f8dfe4efd408bcf480f3d603f1d06

    SHA256

    ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3

    SHA512

    f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf70Sd96zg42.exe
    Filesize

    409KB

    MD5

    d918db9077504212d04e97bc5857b710

    SHA1

    cbac3bfca65f8dfe4efd408bcf480f3d603f1d06

    SHA256

    ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3

    SHA512

    f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

    Download Submit
  • memory/2492-153-0x0000000007180000-0x0000000007724000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2492-154-0x0000000002DC0000-0x0000000002E0B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2492-155-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-156-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-157-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-164-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-162-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-160-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-158-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-166-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-168-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-170-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-172-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-174-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-176-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-178-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-180-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-182-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-184-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-186-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-188-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-190-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-192-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-194-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-196-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-198-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-200-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-202-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-204-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-206-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-208-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-210-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-212-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-214-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-216-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-218-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-220-0x0000000007740000-0x000000000777E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2492-1063-0x0000000007920000-0x0000000007F38000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2492-1064-0x0000000007FC0000-0x00000000080CA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2492-1065-0x0000000008100000-0x0000000008112000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2492-1066-0x0000000008120000-0x000000000815C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2492-1067-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-1069-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-1070-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-1071-0x0000000007170000-0x0000000007180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4944-147-0x0000000000570000-0x000000000057A000-memory.dmp
    Filesize

    40KB

    Download