Analysis
-
max time kernel
94s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2023, 20:12
Static task
static1
Behavioral task
behavioral1
Sample
48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe
Resource
win10v2004-20230220-en
General
-
Target
48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe
-
Size
695KB
-
MD5
6c0e1220214801694bc8447d9dd07aeb
-
SHA1
952fa017bf9b15cb62ea275c71a34457baf383fe
-
SHA256
48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3
-
SHA512
8c667d35e9b5474f43065157b5c895c5742d77ff2429b182a595d1f234fb910f640b8ec48bfe9e9bd528499964f2883351f6c83a110267db1ed4dad2c58d6b4d
-
SSDEEP
12288:xMr/y90WGHAxS8sH1OlNX1Af7DvvPSxze0mJPzJUwVtNv6tA:6ytj5mu1AXyxen16wnotA
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6937.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6937.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6937.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6937.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6937.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro6937.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/3244-191-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-192-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-194-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-196-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-198-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-200-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-202-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-204-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-206-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-208-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-210-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-212-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-214-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-216-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-218-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-220-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-222-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-224-0x0000000004D20000-0x0000000004D5F000-memory.dmp family_redline behavioral1/memory/3244-470-0x0000000004DC0000-0x0000000004DD0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1084 un401953.exe 4732 pro6937.exe 3244 qu7809.exe 828 si325780.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6937.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6937.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un401953.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un401953.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4732 pro6937.exe 4732 pro6937.exe 3244 qu7809.exe 3244 qu7809.exe 828 si325780.exe 828 si325780.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4732 pro6937.exe Token: SeDebugPrivilege 3244 qu7809.exe Token: SeDebugPrivilege 828 si325780.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4960 wrote to memory of 1084 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 82 PID 4960 wrote to memory of 1084 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 82 PID 4960 wrote to memory of 1084 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 82 PID 1084 wrote to memory of 4732 1084 un401953.exe 83 PID 1084 wrote to memory of 4732 1084 un401953.exe 83 PID 1084 wrote to memory of 4732 1084 un401953.exe 83 PID 1084 wrote to memory of 3244 1084 un401953.exe 86 PID 1084 wrote to memory of 3244 1084 un401953.exe 86 PID 1084 wrote to memory of 3244 1084 un401953.exe 86 PID 4960 wrote to memory of 828 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 87 PID 4960 wrote to memory of 828 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 87 PID 4960 wrote to memory of 828 4960 48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe"C:\Users\Admin\AppData\Local\Temp\48339abee5415a99ac9715fa54a9c3e9a1fe14b9d764d74607243b636b3a89d3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401953.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401953.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6937.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6937.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7809.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7809.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si325780.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si325780.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD581af3725719a8498d2140d526a6990b7
SHA1304290031c8d5ea3992f3f584b39f87876a9d13c
SHA2569e084a47c909fc6546216c7d58d34e50d541122958db5a02967db993462e9f4f
SHA5127f85b64ed7fc735c788ccc30deaa31fdcffb1da03f88ebdbf928719df727398e85c4ff4e842d76ad38e3cd7b1bc46a29c3f8933686734fc4de2372d9defb14e3
-
Filesize
175KB
MD581af3725719a8498d2140d526a6990b7
SHA1304290031c8d5ea3992f3f584b39f87876a9d13c
SHA2569e084a47c909fc6546216c7d58d34e50d541122958db5a02967db993462e9f4f
SHA5127f85b64ed7fc735c788ccc30deaa31fdcffb1da03f88ebdbf928719df727398e85c4ff4e842d76ad38e3cd7b1bc46a29c3f8933686734fc4de2372d9defb14e3
-
Filesize
553KB
MD56eece9b7f6c9fc90cd48622b1d62f3fb
SHA17c0086a9f76cbc639a4ffe42b5dd17661e3d2235
SHA2565a3f9773c93e06d70930d748b5e4c4ebf55e9b528e9c07290362c7d8de681e66
SHA5125d0cfe1716317086d63259b82833f07812012ac4d31bb5e25b3d51e7fe04ef091b29564f90bb40f7f82d2368371e6d9b146dd0de4be3a256ee46588a2976c68a
-
Filesize
553KB
MD56eece9b7f6c9fc90cd48622b1d62f3fb
SHA17c0086a9f76cbc639a4ffe42b5dd17661e3d2235
SHA2565a3f9773c93e06d70930d748b5e4c4ebf55e9b528e9c07290362c7d8de681e66
SHA5125d0cfe1716317086d63259b82833f07812012ac4d31bb5e25b3d51e7fe04ef091b29564f90bb40f7f82d2368371e6d9b146dd0de4be3a256ee46588a2976c68a
-
Filesize
308KB
MD51cb87dc827a3370224d17b37daff80a5
SHA18ae0341de97febcaf57e9667e62774f47ff6f90c
SHA2569a125c2fcfc60f00b57e02cb10747c01a4fb4ceb1d98195a5cf188f52eb1179e
SHA51250d6515565ae26866ddf1f4d6ababe2c547d90093676deb71151772b61b6bc2e2cb01e6e6106324a89897e654241002a59fdd223d3fcd7f1da042624113268a0
-
Filesize
308KB
MD51cb87dc827a3370224d17b37daff80a5
SHA18ae0341de97febcaf57e9667e62774f47ff6f90c
SHA2569a125c2fcfc60f00b57e02cb10747c01a4fb4ceb1d98195a5cf188f52eb1179e
SHA51250d6515565ae26866ddf1f4d6ababe2c547d90093676deb71151772b61b6bc2e2cb01e6e6106324a89897e654241002a59fdd223d3fcd7f1da042624113268a0
-
Filesize
366KB
MD5990aea06ea19b51a04e8ef4f6030575f
SHA1a72723b02344f6a6aed26e382fb4be1b439e9a53
SHA256e8ea6810af3002e50370f15d881e6af17365e9b79621f32d0d19bf0d55281397
SHA512ad408f008809a2510654c94102979843dd27cc7436330daa95cb4a54f8c94c656f890a254e661f9040f07dd07a462190f33b27d3d8174809164eab3b16bffdb0
-
Filesize
366KB
MD5990aea06ea19b51a04e8ef4f6030575f
SHA1a72723b02344f6a6aed26e382fb4be1b439e9a53
SHA256e8ea6810af3002e50370f15d881e6af17365e9b79621f32d0d19bf0d55281397
SHA512ad408f008809a2510654c94102979843dd27cc7436330daa95cb4a54f8c94c656f890a254e661f9040f07dd07a462190f33b27d3d8174809164eab3b16bffdb0