Analysis
-
max time kernel
57s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
24-03-2023 08:01
Static task
static1
Behavioral task
behavioral1
Sample
6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe
Resource
win10-20230220-en
General
-
Target
6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe
-
Size
687KB
-
MD5
4e08caab5e33ec01f0f4d34f5ab49de6
-
SHA1
00dbb00fda77e1f64389ed7bbffb23cb13f0d21b
-
SHA256
6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a
-
SHA512
6f699f2fcc290c41a085db26b7c83d558b5f9a28976a0a3dc65f800241c2c6eb7b657ef240d6387438580004068f80f841156dc060fe16976388b7251af7cf55
-
SSDEEP
12288:C3KZUuB2nyy4KS3el7XLT5a2uZdAeZ0lgt1Pf53IejQGR7:CrE2nyy4DQLLEJZdP06RYejZV
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
hero
193.233.20.31:4125
-
auth_value
11f3c75a88ca461bcc8d6bf60a1193e3
Signatures
-
Processes:
jr194876.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" jr194876.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" jr194876.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" jr194876.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" jr194876.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" jr194876.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
Processes:
resource yara_rule behavioral1/memory/4480-142-0x0000000002350000-0x0000000002396000-memory.dmp family_redline behavioral1/memory/4480-146-0x00000000029D0000-0x0000000002A14000-memory.dmp family_redline behavioral1/memory/4480-147-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-148-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-150-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-152-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-154-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-156-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-158-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-160-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-162-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-164-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-166-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-168-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-170-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-172-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-174-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-176-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-178-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-181-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-184-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-186-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-188-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-190-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-192-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-194-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-196-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-198-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-200-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-202-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-204-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-206-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-208-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline behavioral1/memory/4480-210-0x00000000029D0000-0x0000000002A0E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
Processes:
zilH1185.exejr194876.exeku843123.exelr790315.exepid process 4048 zilH1185.exe 1684 jr194876.exe 4480 ku843123.exe 2044 lr790315.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
jr194876.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr194876.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exezilH1185.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zilH1185.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zilH1185.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
jr194876.exeku843123.exelr790315.exepid process 1684 jr194876.exe 1684 jr194876.exe 4480 ku843123.exe 4480 ku843123.exe 2044 lr790315.exe 2044 lr790315.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
jr194876.exeku843123.exelr790315.exedescription pid process Token: SeDebugPrivilege 1684 jr194876.exe Token: SeDebugPrivilege 4480 ku843123.exe Token: SeDebugPrivilege 2044 lr790315.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exezilH1185.exedescription pid process target process PID 3232 wrote to memory of 4048 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe zilH1185.exe PID 3232 wrote to memory of 4048 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe zilH1185.exe PID 3232 wrote to memory of 4048 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe zilH1185.exe PID 4048 wrote to memory of 1684 4048 zilH1185.exe jr194876.exe PID 4048 wrote to memory of 1684 4048 zilH1185.exe jr194876.exe PID 4048 wrote to memory of 4480 4048 zilH1185.exe ku843123.exe PID 4048 wrote to memory of 4480 4048 zilH1185.exe ku843123.exe PID 4048 wrote to memory of 4480 4048 zilH1185.exe ku843123.exe PID 3232 wrote to memory of 2044 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe lr790315.exe PID 3232 wrote to memory of 2044 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe lr790315.exe PID 3232 wrote to memory of 2044 3232 6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe lr790315.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe"C:\Users\Admin\AppData\Local\Temp\6a4be25653fe60b2717d2949569a22e8c34f32fb504844421822add18010879a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilH1185.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilH1185.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194876.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194876.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku843123.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku843123.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790315.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr790315.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD57c11dfe7837f2079d50113de0e973682
SHA1fae072addd4d56ab67d08ab82da4aac5d7223960
SHA256442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b
SHA51206085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7
-
Filesize
175KB
MD57c11dfe7837f2079d50113de0e973682
SHA1fae072addd4d56ab67d08ab82da4aac5d7223960
SHA256442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b
SHA51206085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7
-
Filesize
404KB
MD5fc26679ca223c30d775882fc2fd4ced4
SHA1e26c8a65b3a6c0b52a88876f6cae0bf3bf806f6b
SHA2566c34804ae1fb2383ce034c8a68be5bb16984c3aa5638f25ba50ab9111eea1b32
SHA512dd8f3e2840220662794bdd3342c2e6d1cb63b08bfc36fd4066ff0a6e13a0ee8dd633271891ec36805d4d4f9f4fc31a3829fe5e8eddb5d7ebdabd557179202c90
-
Filesize
404KB
MD5fc26679ca223c30d775882fc2fd4ced4
SHA1e26c8a65b3a6c0b52a88876f6cae0bf3bf806f6b
SHA2566c34804ae1fb2383ce034c8a68be5bb16984c3aa5638f25ba50ab9111eea1b32
SHA512dd8f3e2840220662794bdd3342c2e6d1cb63b08bfc36fd4066ff0a6e13a0ee8dd633271891ec36805d4d4f9f4fc31a3829fe5e8eddb5d7ebdabd557179202c90
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
358KB
MD5ccef72544333fb6d240d7834c6529657
SHA14598184479cc118f51717408313b47d146c66443
SHA2565e0cdfa2cd6aeb1b3d3e6f41296227ea63449dea84439f42db0ff32383c05782
SHA512d889137ab8d1f242dbac3815c33b7509681327aa93b381cbdd894d722ae1b625c7c4e6adb0c13c4f099d85ca95f5c5f82c06a3b72f954f969fb2c88370307564
-
Filesize
358KB
MD5ccef72544333fb6d240d7834c6529657
SHA14598184479cc118f51717408313b47d146c66443
SHA2565e0cdfa2cd6aeb1b3d3e6f41296227ea63449dea84439f42db0ff32383c05782
SHA512d889137ab8d1f242dbac3815c33b7509681327aa93b381cbdd894d722ae1b625c7c4e6adb0c13c4f099d85ca95f5c5f82c06a3b72f954f969fb2c88370307564