Analysis
max time kernel: 87s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/03/2023, 19:55
Static task: static1
Behavioral task: behavioral1
Sample: 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
Resource: win10v2004-20230220-en
General
Target: 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
Size: 776KB
MD5: 5099d07dda26068d93c68b8601ed42cd
SHA1: 28f00407de4cb9c60eae3d482b831b3c436769f2
SHA256: 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30
SHA512: 475606f7f19225047e7150f897f78591a41a2c80454ac961dbbf5361ffba8eb395c132748cd3a3577e9ac91032b99b7bed07f02d7b9832192e5c5d3234ce5ea5
SSDEEP: 12288:XMrhy90EJvi+2tEQLsE/tHlcCqRLNtoY0WoEXXIyifnYNuWX31kZDZIvdFxwksML:6y+EWs4OxDocCfnYNuxS1kcxR0Ij
Malware Config
Extracted
Family: redline
Botnet: gena
C2 (host:port): 193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Extracted
Family: redline
Botnet: ruka
C2 (host:port): 193.233.20.28:4125
auth_value: 5d1d0e51ebe1e3f16cca573ff651c43c
Signatures
Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f7197UW.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f7197UW.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f7197UW.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f7197UW.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h13kt61.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | f7197UW.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f7197UW.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/3044-202-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-201-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-204-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-206-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-208-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-210-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-212-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-214-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-216-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-218-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-220-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-222-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-224-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-226-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-228-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-230-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-232-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-234-0x0000000005030000-0x000000000506E000-memory.dmp | family_redline
behavioral1/memory/3044-439-0x0000000002080000-0x0000000002090000-memory.dmp | family_redline
Executes dropped EXE 6 IoCs
pid | Process
2656 | niba2571.exe
4032 | niba7827.exe
636 | f7197UW.exe
1976 | h13kt61.exe
3044 | iVIqW40.exe
1240 | l24iG53.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | f7197UW.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | h13kt61.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | h13kt61.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | niba7827.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba2571.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | niba2571.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | niba7827.exe
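The three registry tables above (the Defender Real-Time Protection policy values, the TamperProtection value, and the RunOnce wextract_cleanupN entries) can be triaged mechanically from the row text the sandbox emits. The following is an added example in Python, not code from the report or from the sandbox; the sample rows are copied from the tables, the two rows attributed to control.exe are constructed negatives that are not in the report, and the rule names and helper names are this example's own.

```python
"""Triage registry IoC rows of the kind listed in this report's signature tables.

Added example (not from the report or any sandbox tooling). Each input line is
'<description> <key path>[ = "<data>"] <process>', one table row per line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: rows copied from the tables above, plus two control rows
# attributed to 'control.exe' that are NOT in the report and must not fire.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" f7197UW.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" f7197UW.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h13kt61.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h13kt61.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" f7197UW.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h13kt61.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" niba7827.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce niba2571.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" control.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Installer = "C:\\Setup\\finish.exe" control.exe
'''

_ROW = re.compile(r'^(Set value \((?:int|str)\)|Key created) (.+) (\S+)$')
_HKLM_PREFIX = '\\REGISTRY\\MACHINE\\'
RTP_POLICY = r'HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION'
DEFENDER_FEATURES = r'HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES'
RUNONCE = r'HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE'


@dataclass(frozen=True)
class RegistryEvent:
    action: str            # 'Set value (int)', 'Set value (str)' or 'Key created'
    path: str              # canonical key path; for Set value rows it ends in the value name
    data: Optional[str]    # data written, None for 'Key created'
    process: str           # image name the sandbox attributed the write to


def canonical_path(path: str) -> str:
    """Upper-case, spell the hive as HKLM and drop the WOW6432Node redirection,
    so a 32-bit and a 64-bit writer touching the same setting compare equal."""
    p = path.upper()
    if p.startswith(_HKLM_PREFIX):
        p = 'HKLM\\' + p[len(_HKLM_PREFIX):]
    return p.replace('\\WOW6432NODE\\', '\\')


def parse_row(line: str) -> RegistryEvent:
    m = _ROW.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised row: {line!r}')
    action, rest, process = m.groups()
    data = None
    if ' = "' in rest:                 # Set value rows carry the data in quotes
        rest, data = rest.split(' = "', 1)
        data = data[:-1]               # strip the closing quote
    return RegistryEvent(action, canonical_path(rest), data, process)


def classify(ev: RegistryEvent) -> Optional[str]:
    """Tag an event with a finding name, or None if no rule matches."""
    if ev.action == 'Key created':
        return None                    # creating the key alone changes no setting
    key, _, name = ev.path.rpartition('\\')
    if key == RTP_POLICY and name.startswith('DISABLE') and ev.data == '1':
        return 'defender_realtime_protection_disabled'
    if key == DEFENDER_FEATURES and name == 'TAMPERPROTECTION' and ev.data == '0':
        return 'defender_tamper_protection_off'
    if (key == RUNONCE and name.startswith('WEXTRACT_CLEANUP')
            and ev.data is not None and 'DELNODERUNDLL32' in ev.data.upper()):
        return 'wextract_stage_cleanup'
    return None


def triage(rows: str) -> Dict[str, List[str]]:
    """Finding name -> sorted list of processes responsible for it."""
    found: Dict[str, set] = {}
    for line in rows.strip().splitlines():
        ev = parse_row(line)
        tag = classify(ev)
        if tag is not None:
            found.setdefault(tag, set()).add(ev.process)
    return {tag: sorted(procs) for tag, procs in found.items()}


def staging_dirs(rows: str) -> List[str]:
    """IXP00n.TMP directories that the RunOnce cleanup entries will delete at
    next logon, i.e. the drop locations to collect before the host reboots."""
    dirs = set()
    for line in rows.strip().splitlines():
        ev = parse_row(line)
        if classify(ev) == 'wextract_stage_cleanup' and ev.data:
            dirs.update(re.findall(r'IXP\d{3}\.TMP', ev.data))
    return sorted(dirs)


if __name__ == '__main__':
    for tag, procs in triage(SAMPLE_ROWS).items():
        print(f'{tag}: {", ".join(procs)}')
    print('staging dirs to collect:', ', '.join(staging_dirs(SAMPLE_ROWS)))
```

Two points the rules encode. First, the wextract_cleanupN RunOnce values calling advpack.dll,DelNodeRunDLL32 are what a WEXTRACT/IExpress self-extracting package registers to delete its IXP00n.TMP staging directory at the next logon, so the nested IXP000.TMP, IXP001.TMP and IXP002.TMP directories must be collected from a live host before it reboots. Second, the data is checked, not just the value name: a DisableRealtimeMonitoring = "0" write is not a finding, and a TamperProtection = "0" row records an attempt rather than proof that Defender was actually disabled, since a direct registry write does not turn tamper protection off on a host where it is enforced.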
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4472 | 1976 | WerFault.exe | 88
3776 | 3044 | WerFault.exe | 91
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
636 | f7197UW.exe
636 | f7197UW.exe
1976 | h13kt61.exe
1976 | h13kt61.exe
3044 | iVIqW40.exe
3044 | iVIqW40.exe
1240 | l24iG53.exe
1240 | l24iG53.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 636 | f7197UW.exe
Token: SeDebugPrivilege | 1976 | h13kt61.exe
Token: SeDebugPrivilege | 3044 | iVIqW40.exe
Token: SeDebugPrivilege | 1240 | l24iG53.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1196 wrote to memory of 2656 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 83
PID 1196 wrote to memory of 2656 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 83
PID 1196 wrote to memory of 2656 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 83
PID 2656 wrote to memory of 4032 | 2656 | niba2571.exe | 84
PID 2656 wrote to memory of 4032 | 2656 | niba2571.exe | 84
PID 2656 wrote to memory of 4032 | 2656 | niba2571.exe | 84
PID 4032 wrote to memory of 636 | 4032 | niba7827.exe | 85
PID 4032 wrote to memory of 636 | 4032 | niba7827.exe | 85
PID 4032 wrote to memory of 1976 | 4032 | niba7827.exe | 88
PID 4032 wrote to memory of 1976 | 4032 | niba7827.exe | 88
PID 4032 wrote to memory of 1976 | 4032 | niba7827.exe | 88
PID 2656 wrote to memory of 3044 | 2656 | niba2571.exe | 91
PID 2656 wrote to memory of 3044 | 2656 | niba2571.exe | 91
PID 2656 wrote to memory of 3044 | 2656 | niba2571.exe | 91
PID 1196 wrote to memory of 1240 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 97
PID 1196 wrote to memory of 1240 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 97
PID 1196 wrote to memory of 1240 | 1196 | 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe | 97
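The 17 WriteProcessMemory rows above collapse to six distinct parent-to-child writes, and the sandbox's sequential process id in the last column gives creation order. The following is an added example in Python, not code from the report or from the sandbox, that rebuilds the process lineage from those rows and the "Executes dropped EXE" pid table; the row text is copied from the tables, and the function names are this example's own.

```python
"""Rebuild the process lineage from the sandbox's WriteProcessMemory rows.

Added example, not part of the report or of the sandbox's own code. The sandbox
emits one row per WriteProcessMemory call, so a parent that writes its newly
created child's memory several times appears several times; the last column is
the sandbox's own sequential process id, which orders siblings by creation.
"""
import re
from typing import Dict, List, Set, Tuple

# Rows copied from the 'Suspicious use of WriteProcessMemory' table above.
WPM_ROWS = """
PID 1196 wrote to memory of 2656 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 83
PID 1196 wrote to memory of 2656 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 83
PID 1196 wrote to memory of 2656 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 83
PID 2656 wrote to memory of 4032 2656 niba2571.exe 84
PID 2656 wrote to memory of 4032 2656 niba2571.exe 84
PID 2656 wrote to memory of 4032 2656 niba2571.exe 84
PID 4032 wrote to memory of 636 4032 niba7827.exe 85
PID 4032 wrote to memory of 636 4032 niba7827.exe 85
PID 4032 wrote to memory of 1976 4032 niba7827.exe 88
PID 4032 wrote to memory of 1976 4032 niba7827.exe 88
PID 4032 wrote to memory of 1976 4032 niba7827.exe 88
PID 2656 wrote to memory of 3044 2656 niba2571.exe 91
PID 2656 wrote to memory of 3044 2656 niba2571.exe 91
PID 2656 wrote to memory of 3044 2656 niba2571.exe 91
PID 1196 wrote to memory of 1240 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 97
PID 1196 wrote to memory of 1240 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 97
PID 1196 wrote to memory of 1240 1196 4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe 97
"""

# Rows copied from the 'Executes dropped EXE' table above (pid, image name).
DROPPED_EXE_ROWS = """
2656 niba2571.exe
4032 niba7827.exe
636 f7197UW.exe
1976 h13kt61.exe
3044 iVIqW40.exe
1240 l24iG53.exe
"""

_WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')
Edge = Tuple[int, int]  # (writer pid, target pid)


def parse_wpm(rows: str) -> Tuple[Set[Edge], Dict[int, str], Dict[int, int]]:
    """De-duplicated edges, writer image names by pid, and each target's
    sandbox sequence number."""
    edges: Set[Edge] = set()
    names: Dict[int, str] = {}
    order: Dict[int, int] = {}
    for line in rows.strip().splitlines():
        m = _WPM.match(line.strip())
        if not m:
            raise ValueError(f'unrecognised row: {line!r}')
        src, dst, pid, name, seq = m.groups()
        if src != pid:  # description and pid column disagree: mangled row
            raise ValueError(f'writer pid mismatch: {line!r}')
        edges.add((int(src), int(dst)))
        names[int(src)] = name
        order[int(dst)] = int(seq)
    return edges, names, order


def parse_dropped(rows: str) -> Dict[int, str]:
    names: Dict[int, str] = {}
    for line in rows.strip().splitlines():
        pid, name = line.split()
        names[int(pid)] = name
    return names


def roots(edges: Set[Edge]) -> List[int]:
    """Pids that wrote to others but were never written to: the submitted sample."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def lineage(pid: int, edges: Set[Edge]) -> List[int]:
    """Chain of pids from the root down to pid."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(edges: Set[Edge], names: Dict[int, str], order: Dict[int, int]) -> str:
    """Indented tree, siblings in creation order, one 'name (PID n)' per line."""
    children: Dict[int, List[int]] = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append('  ' * depth + f'{names.get(pid, "?")} (PID {pid})')
        for child in sorted(children.get(pid, []), key=lambda c: order.get(c, 0)):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return '\n'.join(lines)


def lineage_tree(wpm_rows: str = WPM_ROWS, dropped_rows: str = DROPPED_EXE_ROWS) -> str:
    edges, names, order = parse_wpm(wpm_rows)
    names.update(parse_dropped(dropped_rows))
    return render(edges, names, order)


if __name__ == '__main__':
    print(lineage_tree())
```

Every target pid in the rows is also in the dropped-EXE table, so these writes are a parent filling in the memory of a child it has just created, as a chain of droppers looks, rather than injection into an unrelated process; the rendered tree matches the Processes section that follows, and the only pid with family_redline YARA hits in memory, 3044 (iVIqW40.exe), sits two levels below the submitted sample.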
Processes
C:\Users\Admin\AppData\Local\Temp\4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe (PID 1196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d12024410e958df9364ef3d9fc4d1258e19007a2b70d89367fab34780652b30.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2571.exe (PID 2656)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba7827.exe (PID 4032)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7197UW.exe (PID 636)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h13kt61.exe (PID 1976)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe (PID 4472)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1104
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iVIqW40.exe (PID 3044)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3776)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1440
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l24iG53.exe (PID 1240)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 4040)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1976 -ip 1976
C:\Windows\SysWOW64\WerFault.exe (PID 4040)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3044 -ip 3044
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 6c4c2a56d5dd785adbe4fe60fa3cc1f2
SHA1: f8bd4379310258f8e54c47b56f5eec7394adb9a2
SHA256: b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2
SHA512: f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830
Filesize: 634KB
MD5: 128798cdb8a29b33f733936baa3f6be8
SHA1: e5e40a897e9df871809daef85397057b691f9876
SHA256: bd7dd97b1ab86408336f2d298fb453e8e207c9af1022ab9abe4c1d459861550e
SHA512: 08dd22a558d45ee03d3dbd7acf003bbcdf1be542b4b6ee0f988ddf13f317de12c174307d7b06ce21173fb4e34f0a4daa7fba1d90d8fb2e57f2dc0ead29893e4a
Filesize: 288KB
MD5: 05821a068d6789b2a66b55ec0c630239
SHA1: 4472efee94061b21327fde2b38bed0b1f34456b0
SHA256: cd2498d187fc5020cacd060af782fec5554bd2070258a0eb9836438ce425157d
SHA512: 5ef8a92742ee4e98c3dde03df4e4d38f3c41b2630442f9398ef0a3b9c7727df952fdaa140b01695c7c98553be203584eef8f2f5ebbdece754e3ca42f8fdd1cf9
Filesize: 314KB
MD5: 348cb243fe1f29d747b320cab7752417
SHA1: fb8ff854cb0e9ae58f8694eb2c8c0f0f52f1c4be
SHA256: 7d555aaae4f32b2d747bdb03fe6a0f0fafaa3914254ee0889fcfa8d53a9e3885
SHA512: 16db694d873c4d42ad0044def5847528780b8acb1b7f317e66c95e1c4129497c5370e052085421e2bc8e7df969ea918f57c7beed7ca985143840326f06ce1acd
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 230KB
MD5: abb1bcfd988ce47a26fb3ff73bf6ca8c
SHA1: 7728a60c631f26f708fddde45ea0ef278f693ce5
SHA256: 72bfeb4e4ce4d313eeedb8fac54dccd63409aef6157657f17962aa88921ceb9e
SHA512: 0fff16838d41b9ce4957cb12cbe558f8e9c36ff8e05e5e3b6a334dfa87caad989b0b5e89628e94f6465e38faff85c06e6d2451510e4470e8444e9f933713fd47