Analysis
max time kernel: 59s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 20:16
Static task: static1
Behavioral task: behavioral1
Sample: 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe
Resource: win10v2004-20230220-en
General
Target: 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe
Size: 695KB
MD5: 7af23cf5fdb1719d672745444cb60665
SHA1: 5cd72549348625529d99839933688a20e6434a50
SHA256: 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a
SHA512: 84635b722d88c65a8cef5e2452e5082d238dacd14ce9008251c8380d4c446496296c3f31c9aaa2b422acdd59026f6b1aecdde752beae2ee127d765a626ffdc78
SSDEEP: 12288:8Mrby90h6Zk5okfpVmakRK+6ZDt2YYcluPl/KA/f/hQQFzR3JJvpktHu4iC:Xyy6Zk5o6VmakRKJZxtYclel/pX/tFRm
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
-
Modifies Windows Defender Real-time Protection settings
pro2977.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource / yara_rule
behavioral1/memory/1244-188-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-189-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-191-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-193-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-195-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-197-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-199-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-201-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-205-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-203-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-207-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-209-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-211-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-213-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-215-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-217-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-219-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-221-0x00000000028E0000-0x000000000291F000-memory.dmp family_redline
behavioral1/memory/1244-1108-0x0000000004F70000-0x0000000004F80000-memory.dmp family_redline
Executes dropped EXE 4 IoCs
pid / Process
228 un465584.exe
3028 pro2977.exe
1244 qu0379.exe
3944 si463531.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
pro2977.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
pro2977.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
un465584.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
un465584.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process
3028 pro2977.exe
3028 pro2977.exe
1244 qu0379.exe
1244 qu0379.exe
3944 si463531.exe
3944 si463531.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process
Token: SeDebugPrivilege 3028 pro2977.exe
Token: SeDebugPrivilege 1244 qu0379.exe
Token: SeDebugPrivilege 3944 si463531.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target
PID 2492 wrote to memory of 228 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 84
PID 2492 wrote to memory of 228 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 84
PID 2492 wrote to memory of 228 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 84
PID 228 wrote to memory of 3028 / 228 / un465584.exe / 85
PID 228 wrote to memory of 3028 / 228 / un465584.exe / 85
PID 228 wrote to memory of 3028 / 228 / un465584.exe / 85
PID 228 wrote to memory of 1244 / 228 / un465584.exe / 90
PID 228 wrote to memory of 1244 / 228 / un465584.exe / 90
PID 228 wrote to memory of 1244 / 228 / un465584.exe / 90
PID 2492 wrote to memory of 3944 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 94
PID 2492 wrote to memory of 3944 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 94
PID 2492 wrote to memory of 3944 / 2492 / 4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe / 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a6c509011d3ee93d696bbf9611ac02e80e4238e666d51083d782e67d0119e1a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2492
  -
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un465584.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un465584.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:228
    -
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2977.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2977.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3028
    -
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0379.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0379.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1244
  -
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463531.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si463531.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
Network
-
Remote address: 8.8.8.8:53  Request: 217.106.137.52.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 36.146.190.20.in-addr.arpa IN PTR  Response: 36.146.190.20.in-addr.arpa IN CNAME 36.0-26.146.190.20.in-addr.arpa
Remote address: 8.8.8.8:53  Request: 95.221.229.192.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 209.205.72.20.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 104.219.191.52.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 145.115.113.176.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 86.23.85.13.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 18.31.95.13.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 44.8.109.52.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 2.36.159.162.in-addr.arpa IN PTR  Response: (empty)
Remote address: 8.8.8.8:53  Request: 226.101.242.52.in-addr.arpa IN PTR  Response: (empty)
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: 84772ccc983c5ce29df2dc94cbaa5c83
SHA1: 3241cde2f727418ddbabb9badc0bb651a1e6ef9b
SHA256: 82e78d1eb5e64abab80c2d3393ee2bce79d90ce3e7f3fffce7b0df02b251f1e7
SHA512: 72df0ce39a546a910f200b97436d281b25278ec25e9b902441667fa24498d4acd069b210623a6bae0ca90b98dd9f67825355f6fc4b80dc97a9725b74924623c0
-
Filesize: 553KB
MD5: b9ec853afeb979cc6bef1995837d4d38
SHA1: e294a2c711dafbe25786f793d65682ffa2c4c255
SHA256: c6c4696013853b05dddb9d0a4ac8b3ec497e504c5a128c4262b5af0ee6231d3f
SHA512: b6f1e808f596b5f5c387d2ec7153a81f8dede9644066cf51e0cc884d4f3117340cc3b397bd91870b260270ca84a9b931d4f53ad4c7aade51f83d8d444165a9f7
-
Filesize: 308KB
MD5: 5ae343a6269dede83d3f4bb912363ca9
SHA1: 4c378ac8f450d60f7039056d4de278f3af37368e
SHA256: a1916e1ef75f55e36b3716b3f598cb4c3ebc9e3d4595074f518d18833e344788
SHA512: 84e6b161e29c887a996521368afb193ee371c20df56f79d88e4f64c96a3e165567cfbe194bb95046c61421e7f859b9bd1cd10413a69b4c0745df0bc9ac40deec
-
Filesize: 366KB
MD5: 1199dc0f5ac7d72b7aaf6e2fcf405fa5
SHA1: e602d94573c1e4b402ec99ff9a0a860bc3f7e94e
SHA256: c87aef107ceac671d0dca372eb89caac79ff18ee6804eeee11692805c3136f8c
SHA512: 52a60b4f5e852613e4655f79e4a6eda27312b9da922c3f2a022612b1fb562d50d5ee43a74e8751d074179b6b9850b404d1fe7006f4fa3b9860c16a517a999d4e