Analysis
max time kernel: 78s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 20/03/2023, 03:04

Static task: static1
Behavioral task: behavioral1
Sample: b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe
Resource: win10v2004-20230220-en
General
Target: b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe
Size: 818KB
MD5: 3a3fdb9411fa808e0d822388231f8a07
SHA1: a1095bce34ee56eab22b65d19798ab60d986a2a5
SHA256: b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8
SHA512: ed584da52157d995a3a8b291775bcfc86636af0e8673468380743946c996c29ec5a9abc73d1dbb1d1d70b6713b7457c4445c98b88f240f2cf77f7a9761a75c4e
SSDEEP: 24576:/y5YgRsAzSZGnkkyWBarYSn8UfakzItk:K5HBGZGt2kIBI
Malware Config

Extracted
redline
gena
193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e

Extracted
redline
ruka
193.233.20.28:4125
auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f3363GY.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f3363GY.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f3363GY.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f3363GY.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | h74Da40.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h74Da40.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h74Da40.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | f3363GY.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f3363GY.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h74Da40.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h74Da40.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h74Da40.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 18 IoCs
resource | yara_rule
behavioral1/memory/768-204-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-203-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-206-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-208-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-210-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-212-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-214-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-216-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-218-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-220-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-222-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-224-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-226-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-228-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-230-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-232-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-234-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
behavioral1/memory/768-236-0x0000000002AC0000-0x0000000002AFE000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
4348 | niba6032.exe
632 | niba9048.exe
748 | f3363GY.exe
3548 | h74Da40.exe
768 | iZzet41.exe
3312 | l89jM94.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | f3363GY.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | h74Da40.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | h74Da40.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba6032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | niba6032.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba9048.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | niba9048.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1032 | 3548 | WerFault.exe | 92
1824 | 768 | WerFault.exe | 97
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
748 | f3363GY.exe
748 | f3363GY.exe
3548 | h74Da40.exe
3548 | h74Da40.exe
768 | iZzet41.exe
768 | iZzet41.exe
3312 | l89jM94.exe
3312 | l89jM94.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 748 | f3363GY.exe
Token: SeDebugPrivilege | 3548 | h74Da40.exe
Token: SeDebugPrivilege | 768 | iZzet41.exe
Token: SeDebugPrivilege | 3312 | l89jM94.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3728 wrote to memory of 4348 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 83
PID 3728 wrote to memory of 4348 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 83
PID 3728 wrote to memory of 4348 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 83
PID 4348 wrote to memory of 632 | 4348 | niba6032.exe | 84
PID 4348 wrote to memory of 632 | 4348 | niba6032.exe | 84
PID 4348 wrote to memory of 632 | 4348 | niba6032.exe | 84
PID 632 wrote to memory of 748 | 632 | niba9048.exe | 85
PID 632 wrote to memory of 748 | 632 | niba9048.exe | 85
PID 632 wrote to memory of 3548 | 632 | niba9048.exe | 92
PID 632 wrote to memory of 3548 | 632 | niba9048.exe | 92
PID 632 wrote to memory of 3548 | 632 | niba9048.exe | 92
PID 4348 wrote to memory of 768 | 4348 | niba6032.exe | 97
PID 4348 wrote to memory of 768 | 4348 | niba6032.exe | 97
PID 4348 wrote to memory of 768 | 4348 | niba6032.exe | 97
PID 3728 wrote to memory of 3312 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 102
PID 3728 wrote to memory of 3312 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 102
PID 3728 wrote to memory of 3312 | 3728 | b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe | 102
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b64fa8d5cb275e892c79b281c28b0e3a0f1fc7bffdbc898158c2faea26ce91d8.exe"
    PID: 3728
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6032.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6032.exe
        PID: 4348
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba9048.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba9048.exe
            PID: 632
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3363GY.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3363GY.exe
                PID: 748
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h74Da40.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h74Da40.exe
                PID: 3548
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1096
                    PID: 1032
                    - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZzet41.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZzet41.exe
            PID: 768
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1340
                PID: 1824
                - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l89jM94.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l89jM94.exe
        PID: 3312
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3548 -ip 3548
    PID: 432

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 768 -ip 768
    PID: 2684
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 6c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1: f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256: b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512: f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

Filesize: 677KB
MD5: 039a8cd851df912ec343765f917bc638
SHA1: 0466b749def3fd4ce254a6e4e89c0f6be139a0e2
SHA256: 339a9e61265a65d980fb550623bf2bda14443d36dfa650165cdccee7cf15aabb
SHA512: 664ae9d772845654e6a9e84b26470317fa06c34859e72781334752417164cecfd94bc3939e36edcf3062de9fa383c0e5cd6be1c961589a3089db490d0bf39537

Filesize: 349KB
MD5: 5c7575acf35509541159fb92aee64ee2
SHA1: 071dbbb0c6c9fb1585ab946d684296f65c424a05
SHA256: 21660dda02442003a377e5f5230cb77dc5fd8e84cdc4f5d7974fb8316af22e23
SHA512: cf42126b2e67efe743d9af58603577a21ca510824f2e7dd60bd22d2d7e94ed83070344a1c127cef1b31bb532c0287d7d2f1c04e31e5c1599aa11279d6c9caca9

Filesize: 334KB
MD5: bdc7cbd4c0648166ece58a342002d019
SHA1: 042cf5c82f03ebf95267a599d83743d09ad3e5c3
SHA256: 1b3c3ddcbdc352edf26f22c6c633eda9621b78fc3890d72f20993a9010959f55
SHA512: 5373443e9ba7ccf2d860c208b7c675af89cc8b7d8d9fd856045654e09e4d07cd43e473d25122805f4a503bc89568aa9fc600e251ef2196fb1a78b7ca6051e26f

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 290KB
MD5: c8f3b34e35518ff59fc0b14294859854
SHA1: a4e122853996cfb0e4b005f9dc296422013d0494
SHA256: 09633e4d0640b4c11ccaf6a017288e9158d54f3e6b13ef220d26c4af9dd0a92a
SHA512: 1b88a55db78990051d24036673e72bca003a76e727baae08bd4a4fb7df55d5ea8b0a0c2bc78a9877946b794102a04493937f64ceaf4a3be10aa479d59ed32fe6