Analysis
-
max time kernel
50s -
max time network
64s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
16/03/2023, 05:20
Static task
static1
Behavioral task
behavioral1
Sample
13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe
Resource
win10-20230220-en
General
-
Target
13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe
-
Size
864KB
-
MD5
465235ad4e77d07cad4377287fdf8002
-
SHA1
28e0f668919d2974d31e48ef94b5e054a93e534d
-
SHA256
13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8
-
SHA512
31be199d4221c9bd17e3adc0a2ae2766ba53d19430c8cfd3b88db00793902c7221c0e8b8803f0b5baacab3d35faa6d85298d5d782dbe54eb59bc1726d0c8feca
-
SSDEEP
24576:Sy8YMFNuPYusVMp1tUCBrR4s0pN8gbZx:59HPYu/95BFe
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Extracted
redline
sito
193.233.20.28:4125
-
auth_value
030f94d8e396dbe51ce339b815cdad17
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" b5593hB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" b5593hB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c75zN89.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c75zN89.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c75zN89.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c75zN89.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" b5593hB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" b5593hB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" b5593hB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c75zN89.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/3692-190-0x0000000004900000-0x0000000004946000-memory.dmp family_redline behavioral1/memory/3692-191-0x0000000004C60000-0x0000000004CA4000-memory.dmp family_redline behavioral1/memory/3692-192-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-193-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-197-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-195-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-201-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-199-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-207-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-205-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-203-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-211-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-213-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-215-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-209-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-221-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-219-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-217-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-223-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline behavioral1/memory/3692-225-0x0000000004C60000-0x0000000004C9E000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 2144 tice7573.exe 3200 tice5580.exe 5020 b5593hB.exe 4396 c75zN89.exe 3692 dnDko86.exe 4700 e04qZ63.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" b5593hB.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c75zN89.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c75zN89.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tice7573.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" tice7573.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tice5580.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" tice5580.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 5020 b5593hB.exe 5020 b5593hB.exe 4396 c75zN89.exe 4396 c75zN89.exe 3692 dnDko86.exe 3692 dnDko86.exe 4700 e04qZ63.exe 4700 e04qZ63.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 5020 b5593hB.exe Token: SeDebugPrivilege 4396 c75zN89.exe Token: SeDebugPrivilege 3692 dnDko86.exe Token: SeDebugPrivilege 4700 e04qZ63.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2144 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 66 PID 2484 wrote to memory of 2144 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 66 PID 2484 wrote to memory of 2144 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 66 PID 2144 wrote to memory of 3200 2144 tice7573.exe 67 PID 2144 wrote to memory of 3200 2144 tice7573.exe 67 PID 2144 wrote to memory of 3200 2144 tice7573.exe 67 PID 3200 wrote to memory of 5020 3200 tice5580.exe 68 PID 3200 wrote to memory of 5020 3200 tice5580.exe 68 PID 3200 wrote to memory of 4396 3200 tice5580.exe 69 PID 3200 wrote to memory of 4396 3200 tice5580.exe 69 PID 3200 wrote to memory of 4396 3200 tice5580.exe 69 PID 2144 wrote to memory of 3692 2144 tice7573.exe 70 PID 2144 wrote to memory of 3692 2144 tice7573.exe 70 PID 2144 wrote to memory of 3692 2144 tice7573.exe 70 PID 2484 wrote to memory of 4700 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 72 PID 2484 wrote to memory of 4700 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 72 PID 2484 wrote to memory of 4700 2484 13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe"C:\Users\Admin\AppData\Local\Temp\13282d3149bba8cea62b34ad7d8c3de131cf37fec713091c9306a0ce6cad08b8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7573.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7573.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5580.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice5580.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5593hB.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5593hB.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c75zN89.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c75zN89.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dnDko86.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dnDko86.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e04qZ63.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e04qZ63.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5795f3fe5687db9b19853eaf6acdc389a
SHA1cd1ba862909c58a01d3a8e44c29cb71bb6b50630
SHA256448bad37914cb6f2102c2c8b10cd93770e529ab4fd13e616ee99e2e184cb0e56
SHA512d9fdfef28242f378cda4698e6e89ae736dc60f5e1852aa414519bf0bdfce129e6c015306c43c7f10ab7648d158761ebaeb4dd54c1a04fa6d20a2f35cbf2b6130
-
Filesize
175KB
MD5795f3fe5687db9b19853eaf6acdc389a
SHA1cd1ba862909c58a01d3a8e44c29cb71bb6b50630
SHA256448bad37914cb6f2102c2c8b10cd93770e529ab4fd13e616ee99e2e184cb0e56
SHA512d9fdfef28242f378cda4698e6e89ae736dc60f5e1852aa414519bf0bdfce129e6c015306c43c7f10ab7648d158761ebaeb4dd54c1a04fa6d20a2f35cbf2b6130
-
Filesize
719KB
MD52dcfb46f9d8abd37b640dba3367e11b8
SHA16da93a880908370daa18e4a5e6e7500f68434700
SHA256ddc699075f0f0b269a70636ddcd22957609e9c76ff80dae6bd24811f9967eced
SHA5126afc3b8f8657c383a6f37f2a1cfa97a178e169b6c4e9e2ee52cf6904c3993b6eddd629fae9e0fa3ad847c53d1ebe24ca3e8aabcd225df31724fae357f00f9acd
-
Filesize
719KB
MD52dcfb46f9d8abd37b640dba3367e11b8
SHA16da93a880908370daa18e4a5e6e7500f68434700
SHA256ddc699075f0f0b269a70636ddcd22957609e9c76ff80dae6bd24811f9967eced
SHA5126afc3b8f8657c383a6f37f2a1cfa97a178e169b6c4e9e2ee52cf6904c3993b6eddd629fae9e0fa3ad847c53d1ebe24ca3e8aabcd225df31724fae357f00f9acd
-
Filesize
408KB
MD58ffdea8c0227a5c9a986f88ff79aec28
SHA1928faf2b6350a0791d2b89e2cda8a080c0ecfeee
SHA2567fa1ab5ce7888320d5052a7b645c889d759b1548f508c6e49d6aabadb7f066a4
SHA51258e9f2af3711a96c13b166db42478c1d74253b298df9c00a2ebe42b8e713f10b9e72e4d863dc6db2d6d8a1d2ea8ef05d5778e0410e714d84c389035a56fb1d32
-
Filesize
408KB
MD58ffdea8c0227a5c9a986f88ff79aec28
SHA1928faf2b6350a0791d2b89e2cda8a080c0ecfeee
SHA2567fa1ab5ce7888320d5052a7b645c889d759b1548f508c6e49d6aabadb7f066a4
SHA51258e9f2af3711a96c13b166db42478c1d74253b298df9c00a2ebe42b8e713f10b9e72e4d863dc6db2d6d8a1d2ea8ef05d5778e0410e714d84c389035a56fb1d32
-
Filesize
360KB
MD5af5da9e670408fe47a545c2fbad6c0bf
SHA12965353bae466c128ce4e26a31b9c29e797d3d88
SHA2560a105c01a5ab55a9ccf675182129030c78948732a01ca0efae16936b288e31e2
SHA51242ec721dade69887f0a1df97fc9d27c9962abb4bdba9934d58630c05fc772476d84b3ee256ac531e90fdbd25d8d20ba5a20736cb060bdb44dfc5f0592dfa7066
-
Filesize
360KB
MD5af5da9e670408fe47a545c2fbad6c0bf
SHA12965353bae466c128ce4e26a31b9c29e797d3d88
SHA2560a105c01a5ab55a9ccf675182129030c78948732a01ca0efae16936b288e31e2
SHA51242ec721dade69887f0a1df97fc9d27c9962abb4bdba9934d58630c05fc772476d84b3ee256ac531e90fdbd25d8d20ba5a20736cb060bdb44dfc5f0592dfa7066
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
350KB
MD5cdf4274f5253474ffee50855148e2f59
SHA1605a482c95f9adc478830674a01982478dda4713
SHA2563dbdb5f9678e8ed43e738e55f24f65a731261073c3ae684ebc06cda88ea2f6a5
SHA5122f23d4921426501c974ccf134b52d1eca05a8c9ea77f391d7eab240fcfacbd22c2cf3437567c35e3c449365fd474f07bcdda4b7b50654ce514d8e6a32e5889a7
-
Filesize
350KB
MD5cdf4274f5253474ffee50855148e2f59
SHA1605a482c95f9adc478830674a01982478dda4713
SHA2563dbdb5f9678e8ed43e738e55f24f65a731261073c3ae684ebc06cda88ea2f6a5
SHA5122f23d4921426501c974ccf134b52d1eca05a8c9ea77f391d7eab240fcfacbd22c2cf3437567c35e3c449365fd474f07bcdda4b7b50654ce514d8e6a32e5889a7