Analysis

max time kernel: 144s
max time network: 146s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-03-2023 21:16

Static task: static1
Behavioral task: behavioral1
Sample: 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe
Resource: win10-20230220-en
General

Target: 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe
Size: 696KB
MD5: 956ba4c93e218c1194c87d8c6a818bd8
SHA1: 7b2c6dbb7ee964e539499d5f1c2e47223a134cd0
SHA256: 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8
SHA512: d292afeabdf98d1778ad6b7b8c8b38a8b7d25beb2eb05fbe285374b856421e783668e14eb205d7e1ed5677f7e9570fe42e7220b0132d3d97192e4d2a9637f4d3
SSDEEP: 12288:9MrXy90XRF1GGD659aSUBULBoEf5R0fcBT1vdfxjzNX1JTtE3q2r6+y6t:WyCTImUTf5R0fcrPNFTESV6t
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro7969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro7969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro7969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro7969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro7969.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 21 IoCs
Executes dropped EXE 4 IoCs
pid | Process
2316 | un118457.exe
2412 | pro7969.exe
3912 | qu1438.exe
2692 | si061947.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro7969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro7969.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un118457.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un118457.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2412 | pro7969.exe
2412 | pro7969.exe
3912 | qu1438.exe
3912 | qu1438.exe
2692 | si061947.exe
2692 | si061947.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2412 | pro7969.exe
Token: SeDebugPrivilege | 3912 | qu1438.exe
Token: SeDebugPrivilege | 2692 | si061947.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2076 wrote to memory of 2316 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 66
PID 2076 wrote to memory of 2316 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 66
PID 2076 wrote to memory of 2316 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 66
PID 2316 wrote to memory of 2412 | 2316 | un118457.exe | 67
PID 2316 wrote to memory of 2412 | 2316 | un118457.exe | 67
PID 2316 wrote to memory of 2412 | 2316 | un118457.exe | 67
PID 2316 wrote to memory of 3912 | 2316 | un118457.exe | 68
PID 2316 wrote to memory of 3912 | 2316 | un118457.exe | 68
PID 2316 wrote to memory of 3912 | 2316 | un118457.exe | 68
PID 2076 wrote to memory of 2692 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 70
PID 2076 wrote to memory of 2692 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 70
PID 2076 wrote to memory of 2692 | 2076 | 77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe | 70
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77246a61f33ca4a9ddbeca0456c48aa57035f870df55e5c160f56bda1e7ba2f8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2076

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un118457.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un118457.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2316

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7969.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7969.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2412

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1438.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1438.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3912

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si061947.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si061947.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2692
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 31105263fedecde0a59f328433c88d30
SHA1: 8dcf807df5eea7a16a770cb3c0a353739ebf5059
SHA256: c1f5a155b6adfd8aa39f4aeec33382474ddba2654980dc628389462445f45e18
SHA512: 6022b90d004ea224f6bd92b159d91677db41197e8a4f452f0adb438bca45060ae9d3b3ca00f99e5e636b822cd9310cec42e977428a29c1e8e068d9251d86396d

Filesize: 553KB
MD5: 9657a9f0ac0a9c3438d7e74cc497a209
SHA1: 26d7e2d400001c522d38d72ce14ac8ef39169299
SHA256: 7019fbc12b995f0bf206b8edb8a0a066386dffd249a296b2865546a8f43eb3a3
SHA512: 06d875885f6c975fd3517cea99d49e7c39c39f661045ce21377b59362d1f96b0bc6a51a5f15245f1aeb88f0b56acd6620406e4c895d5b6e2e11c571aaed58176

Filesize: 308KB
MD5: 7619322e5b7fb7dc968106aa3a2a926e
SHA1: a94117438c7fd1988068c8b6ea48a8501d8f9ddb
SHA256: 71bbc27f1c7e1f1784f141cd3b92169b8b4ea548ee0f0479ba28522d65849247
SHA512: 317807a91a8a771105b37c7126ffa011482624f43597df84f21f42ff6f566250d36148ac889133b1b19efd4eb80383c5f2e8cc474eac32a66b553715a29b66a8

Filesize: 366KB
MD5: 9ef14ba15159a1350a483f9571b683be
SHA1: 88bb359dc8215d9622af31af79d81d06d7b70191
SHA256: e6f0db800b42d85f17c187065e00510929ba7c4a79f29ccbdc819a23444ffb98
SHA512: bc1efb26fe878d3a502572f2c8f8197cffaee64b45efd207a25f828f31154566725338f909defcd6600515bde071fdef832929dd8d2f60eb62fd9082919e38c7