Analysis
-
max time kernel
41s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
27-03-2023 22:17
General
-
Target
0aecf11fb98a5045f666edc9e6e68faf0bd14b12ced0a6428f537ee0cc8a8d92.exe
-
Size
696KB
-
MD5
bee9dc99215683e165d22a7db4fd2056
-
SHA1
5df6371475f7f0ccd792546fdc69789e8a776aba
-
SHA256
0aecf11fb98a5045f666edc9e6e68faf0bd14b12ced0a6428f537ee0cc8a8d92
-
SHA512
739c1d0488108faebfbecf8242fd52f78f360f0235906e45ce5dbd4f70e3bc8c09141ace9db5c4a85469a991819e0025292bef8e7f9b0749f8823fdd2ef9510d
-
SSDEEP
12288:DMruy901YOD1IGtQxfAVrSYv3pxov7OyP1KYuzqb5JJ1K1BfhGQo:5ySDIGtQxg3Mv7OyP1x6q1FAZA
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0aecf11fb98a5045f666edc9e6e68faf0bd14b12ced0a6428f537ee0cc8a8d92.exe"C:\Users\Admin\AppData\Local\Temp\0aecf11fb98a5045f666edc9e6e68faf0bd14b12ced0a6428f537ee0cc8a8d92.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un270818.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un270818.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2440.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2440.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8401.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8401.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si919824.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si919824.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5b0aa0d4ab5e87d34c1c274818726bef3
SHA1d0807f84d2790bcaecac670d4b65dad67e421244
SHA2562823bab5b1522fbb332133fb4ea6da2ec5e2af8d039d190af123fad73f702aa5
SHA512cad890de094f7faa2171954689706140fb2cd0721f0ab173deb44655d8e9a68d43075c526e623c5f166d3ae1e8bc8510899481cd496057606345008a957469f9
-
Filesize
175KB
MD5b0aa0d4ab5e87d34c1c274818726bef3
SHA1d0807f84d2790bcaecac670d4b65dad67e421244
SHA2562823bab5b1522fbb332133fb4ea6da2ec5e2af8d039d190af123fad73f702aa5
SHA512cad890de094f7faa2171954689706140fb2cd0721f0ab173deb44655d8e9a68d43075c526e623c5f166d3ae1e8bc8510899481cd496057606345008a957469f9
-
Filesize
554KB
MD5c400b703688b53db9de1d9d9fad421d2
SHA1b2ec48a21fa09c5b7af98728dc3fdd1849f7213b
SHA25615a0527410f1ed7967374a12ce96ae481cc4cefb60d53223c04b0dac12ba1de4
SHA5121e46b0b38c4e68983d69cba9ec5bdc1f06d1628584c2df70cd268e8d21df0f38564f72111082fe07abafccc558786ba590058260f27b4cab5e96cca35fc6de3e
-
Filesize
554KB
MD5c400b703688b53db9de1d9d9fad421d2
SHA1b2ec48a21fa09c5b7af98728dc3fdd1849f7213b
SHA25615a0527410f1ed7967374a12ce96ae481cc4cefb60d53223c04b0dac12ba1de4
SHA5121e46b0b38c4e68983d69cba9ec5bdc1f06d1628584c2df70cd268e8d21df0f38564f72111082fe07abafccc558786ba590058260f27b4cab5e96cca35fc6de3e
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
175KB
MD5b0aa0d4ab5e87d34c1c274818726bef3
SHA1d0807f84d2790bcaecac670d4b65dad67e421244
SHA2562823bab5b1522fbb332133fb4ea6da2ec5e2af8d039d190af123fad73f702aa5
SHA512cad890de094f7faa2171954689706140fb2cd0721f0ab173deb44655d8e9a68d43075c526e623c5f166d3ae1e8bc8510899481cd496057606345008a957469f9
-
Filesize
175KB
MD5b0aa0d4ab5e87d34c1c274818726bef3
SHA1d0807f84d2790bcaecac670d4b65dad67e421244
SHA2562823bab5b1522fbb332133fb4ea6da2ec5e2af8d039d190af123fad73f702aa5
SHA512cad890de094f7faa2171954689706140fb2cd0721f0ab173deb44655d8e9a68d43075c526e623c5f166d3ae1e8bc8510899481cd496057606345008a957469f9
-
Filesize
554KB
MD5c400b703688b53db9de1d9d9fad421d2
SHA1b2ec48a21fa09c5b7af98728dc3fdd1849f7213b
SHA25615a0527410f1ed7967374a12ce96ae481cc4cefb60d53223c04b0dac12ba1de4
SHA5121e46b0b38c4e68983d69cba9ec5bdc1f06d1628584c2df70cd268e8d21df0f38564f72111082fe07abafccc558786ba590058260f27b4cab5e96cca35fc6de3e
-
Filesize
554KB
MD5c400b703688b53db9de1d9d9fad421d2
SHA1b2ec48a21fa09c5b7af98728dc3fdd1849f7213b
SHA25615a0527410f1ed7967374a12ce96ae481cc4cefb60d53223c04b0dac12ba1de4
SHA5121e46b0b38c4e68983d69cba9ec5bdc1f06d1628584c2df70cd268e8d21df0f38564f72111082fe07abafccc558786ba590058260f27b4cab5e96cca35fc6de3e
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
308KB
MD5f8b92159c49c12355886085d2e345a5d
SHA1c590bd7699bb584be49f8063def3eb186eb7c66a
SHA2568205bb6dae1a705fe936462892a1a7d4bf2d23e3f095cc054a8b5afeeb9ad974
SHA512e8e78c593d050d6a8de1c0d82687eb3ecdb87c9e9114736625e9cd11c4b48136112f0565f281bc30ae918afc71aadfceabc7c292171bc302999e14d11a40770f
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
366KB
MD5b949a30018b5cd5a9162a52e32ce008e
SHA124b630854436711740f5f0db82aea3f116f47ab9
SHA256800642d5c4732fab640635f3e0220f6bc61854dab394f31f347f85b065155c8d
SHA5129188796e10c346a06ad046fee805c7c2bc981f5d2b1b2358c8ec4cdb048d1e6fe9bc370a4e84a3129fbfcc6d1bfbf130801b9884b8fe242f107d9137591794ac
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
256KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
252KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
3.1MB
-
Filesize
96KB
-
Filesize
3.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
256KB
-
Filesize
180KB
-
Filesize
256KB
-
Filesize
72KB
-
Filesize
200KB
-
Filesize
256KB