Analysis
-
max time kernel
67s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
27/03/2023, 22:28
Static task
static1
Behavioral task
behavioral1
Sample
9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe
Resource
win10-20230220-en
General
-
Target
9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe
-
Size
700KB
-
MD5
5b7fc61bda5baaf66159826c3f514963
-
SHA1
aeeb7a426b395c531e1daa633bddfd31963849d6
-
SHA256
9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905
-
SHA512
78de8d7c057b636163ff04568a2864a1060b3a9830c551c5377fef63683c0911d54557914c0000d499850d42527e3f2c7f9a2788d0839c39ff39424674ea68e3
-
SSDEEP
12288:YMrny90qaH6jCir/c7kkndaqc5SuMyXuoxw2GJiiWueucFWbYI0Tb:vyXaHQ/c7kOa15SuMyXVUiiWue20Tb
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6580.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6580.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6580.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6580.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6580.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
resource yara_rule behavioral1/memory/4416-176-0x0000000004C10000-0x0000000004C56000-memory.dmp family_redline behavioral1/memory/4416-177-0x0000000004C90000-0x0000000004CD4000-memory.dmp family_redline behavioral1/memory/4416-178-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-179-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-181-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-183-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-185-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-187-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-189-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-191-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-193-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-195-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-197-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-199-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-201-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-203-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-205-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-207-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-209-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-211-0x0000000004C90000-0x0000000004CCF000-memory.dmp family_redline behavioral1/memory/4416-1099-0x0000000004D10000-0x0000000004D20000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2268 un101318.exe 2624 pro6580.exe 4416 qu3435.exe 3772 si302044.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6580.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6580.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un101318.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un101318.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2624 pro6580.exe 2624 pro6580.exe 4416 qu3435.exe 4416 qu3435.exe 3772 si302044.exe 3772 si302044.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2624 pro6580.exe Token: SeDebugPrivilege 4416 qu3435.exe Token: SeDebugPrivilege 3772 si302044.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2268 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 66 PID 1600 wrote to memory of 2268 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 66 PID 1600 wrote to memory of 2268 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 66 PID 2268 wrote to memory of 2624 2268 un101318.exe 67 PID 2268 wrote to memory of 2624 2268 un101318.exe 67 PID 2268 wrote to memory of 2624 2268 un101318.exe 67 PID 2268 wrote to memory of 4416 2268 un101318.exe 68 PID 2268 wrote to memory of 4416 2268 un101318.exe 68 PID 2268 wrote to memory of 4416 2268 un101318.exe 68 PID 1600 wrote to memory of 3772 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 70 PID 1600 wrote to memory of 3772 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 70 PID 1600 wrote to memory of 3772 1600 9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe"C:\Users\Admin\AppData\Local\Temp\9a56b2d456b304646af4ddaeb2352b44fbf0b58b479accdac63b414a9774c905.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un101318.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un101318.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6580.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6580.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3435.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302044.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si302044.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5a1cbe4f381ef5fa47cc6c7db78063b8c
SHA1dac3f265e8147f4bc29ca199ae9ddd18daeaaab9
SHA2566a4203a083cd81f5bf95cadeebe4fa1f2d21321546c39f485dfbc9cfbe1a2aa7
SHA51252846f391ed315844fe8c73fc3ae9ac962202f9e56c9ace18448067483545e0d6c059a8638541574195c526ed169db2391cd953349e1a0fe8ea659ad8d5164b3
-
Filesize
175KB
MD5a1cbe4f381ef5fa47cc6c7db78063b8c
SHA1dac3f265e8147f4bc29ca199ae9ddd18daeaaab9
SHA2566a4203a083cd81f5bf95cadeebe4fa1f2d21321546c39f485dfbc9cfbe1a2aa7
SHA51252846f391ed315844fe8c73fc3ae9ac962202f9e56c9ace18448067483545e0d6c059a8638541574195c526ed169db2391cd953349e1a0fe8ea659ad8d5164b3
-
Filesize
558KB
MD54ead3acff771562d53cbf8c6760ff7f7
SHA1458b1dc14e7ac5a3feffc4a20dc2e28419f24306
SHA256bf5dae5dc42a00c01b8db1fa3ca1c91e66d8be55e8e3c5764a4e228165743d7f
SHA512a1f3af08f48c5aa7a3157023e09953f7de071030d9a10785cdafa3beaacc12091875252640102cad17f1309576e6ad2d00ce29b3390a6af979c793b53443c59e
-
Filesize
558KB
MD54ead3acff771562d53cbf8c6760ff7f7
SHA1458b1dc14e7ac5a3feffc4a20dc2e28419f24306
SHA256bf5dae5dc42a00c01b8db1fa3ca1c91e66d8be55e8e3c5764a4e228165743d7f
SHA512a1f3af08f48c5aa7a3157023e09953f7de071030d9a10785cdafa3beaacc12091875252640102cad17f1309576e6ad2d00ce29b3390a6af979c793b53443c59e
-
Filesize
307KB
MD57d2a6747753708c8eaabd5439c25d72f
SHA101382c22add0a566e11cc8d9ff3fee1e488167ed
SHA256688c6c9e84db6f06d781a49464aafbc31dc2a679390b87c4ea3cee1e9ee920c3
SHA512beaed3b4ffa672b91164aebc5466e215ed344b39ec01bd152cc57f2a1d3df37d8df182f62464e95028ac8702a3ba763553c841b41b98dd06fc7625e25e2e7b76
-
Filesize
307KB
MD57d2a6747753708c8eaabd5439c25d72f
SHA101382c22add0a566e11cc8d9ff3fee1e488167ed
SHA256688c6c9e84db6f06d781a49464aafbc31dc2a679390b87c4ea3cee1e9ee920c3
SHA512beaed3b4ffa672b91164aebc5466e215ed344b39ec01bd152cc57f2a1d3df37d8df182f62464e95028ac8702a3ba763553c841b41b98dd06fc7625e25e2e7b76
-
Filesize
365KB
MD5ffbe7292ec8b792a8c61f37592906eb9
SHA100cbd1186cfc1b17738bb38fecc34d573820a26d
SHA2560758a2fa1aa828f13e6330cc9c7110d516bc4527920527873064a9f303ff3de4
SHA512d6705c0c95bfd443ef4cfa1457374df2bea0aef07ac05fce0e2c02d5a65c3cc845d2cf3ada3ee74b60f75fdc9d31a71fb8f305caaa17fac8c6c889bf022df47d
-
Filesize
365KB
MD5ffbe7292ec8b792a8c61f37592906eb9
SHA100cbd1186cfc1b17738bb38fecc34d573820a26d
SHA2560758a2fa1aa828f13e6330cc9c7110d516bc4527920527873064a9f303ff3de4
SHA512d6705c0c95bfd443ef4cfa1457374df2bea0aef07ac05fce0e2c02d5a65c3cc845d2cf3ada3ee74b60f75fdc9d31a71fb8f305caaa17fac8c6c889bf022df47d