Analysis
max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 20:30
Static task: static1
Behavioral task: behavioral1
Sample: f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe
Resource: win10v2004-20230220-en
General
Target: f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe
Size: 695KB
MD5: a7113779acd35c2fd2c69082c89482e5
SHA1: 583b0c792780f08eccc509d0569c6c098b6c1036
SHA256: f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7
SHA512: 15630253ac62eeb1097bcaf4cac8a3ecc54aff2678621c32dd5852b5370e7ace5d3f504229e0f7496b6eed1494b69bb41d8f3ef00cd97037307c0d704967df8e
SSDEEP: 12288:kMrFy90VTNiV3jSFvJZkYBe6f7fsr5wMylUk/KKUWMTrvPSlzQHWJkwQTmkjL:xy5VTXYBvdMylUk/BUWMTrylQ2sTmkjL
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro1777.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro1777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro1777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro1777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro1777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro1777.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 18 IoCs
Resource | YARA rule
behavioral1/memory/2520-188-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-189-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-191-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-193-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-195-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-197-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-199-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-201-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-203-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-205-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-207-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-209-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-211-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-213-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-215-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-217-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-219-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline
behavioral1/memory/2520-221-0x00000000052B0000-0x00000000052EF000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
PID | Process
3016 | un752609.exe
592 | pro1777.exe
2520 | qu6651.exe
4780 | si500351.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro1777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro1777.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un752609.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un752609.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
PID | Process
592 | pro1777.exe
592 | pro1777.exe
2520 | qu6651.exe
2520 | qu6651.exe
4780 | si500351.exe
4780 | si500351.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 592 | pro1777.exe
Token: SeDebugPrivilege | 2520 | qu6651.exe
Token: SeDebugPrivilege | 4780 | si500351.exe

Suspicious use of WriteProcessMemory 12 IoCs
Description | PID | Process | procid_target
PID 4524 wrote to memory of 3016 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 84
PID 4524 wrote to memory of 3016 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 84
PID 4524 wrote to memory of 3016 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 84
PID 3016 wrote to memory of 592 | 3016 | un752609.exe | 85
PID 3016 wrote to memory of 592 | 3016 | un752609.exe | 85
PID 3016 wrote to memory of 592 | 3016 | un752609.exe | 85
PID 3016 wrote to memory of 2520 | 3016 | un752609.exe | 92
PID 3016 wrote to memory of 2520 | 3016 | un752609.exe | 92
PID 3016 wrote to memory of 2520 | 3016 | un752609.exe | 92
PID 4524 wrote to memory of 4780 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 94
PID 4524 wrote to memory of 4780 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 94
PID 4524 wrote to memory of 4780 | 4524 | f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe | 94
Processes
C:\Users\Admin\AppData\Local\Temp\f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe (PID 4524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f68ad49780257599c5a663d70ad14b8b8814465b681fd14fce247ebe1e40bef7.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un752609.exe (PID 3016, child of 4524)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un752609.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1777.exe (PID 592, child of 3016)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1777.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6651.exe (PID 2520, child of 3016)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6651.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500351.exe (PID 4780, child of 4524)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si500351.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Network
DNS requests (all sent to 8.8.8.8:53; the report records no response content for any of them)
Request | Type | Sent | Received | Packets (sent/received)
196.249.167.52.in-addr.arpa | PTR | 73 B | 147 B | 1/1
73.159.190.20.in-addr.arpa | PTR | 72 B | 158 B | 1/1
95.221.229.192.in-addr.arpa | PTR | 73 B | 144 B | 1/1
42.220.44.20.in-addr.arpa | PTR | 71 B | 157 B | 1/1
145.115.113.176.in-addr.arpa | PTR | 74 B | 134 B | 1/1
44.8.109.52.in-addr.arpa | PTR | 70 B | 144 B | 1/1

Other flows (remote endpoint and protocol columns are not present in this copy of the report; values as listed)
71.6kB 7.9kB 81 42
69.1kB 7.6kB 77 37
260 B 5
322 B 7
322 B 7
322 B 7
260 B 5
322 B 7
260 B 5
260 B 5
260 B 5
208 B 4
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 175KB
MD5: ebc9b541738fa45408885d9446a6ed55
SHA1: a4d298183b4ee5fced6ba2d9cc1b6f7c4fa00d81
SHA256: e79da3bdb9abdca71a6af6f226814a785f7c111dee4de4e6964d23329ca1d7e9
SHA512: 46a5d73d9f9b360a5d7b21e36d55f35b02a7060d5ac7210af9559f9e1a557c65edf6a68a3e628782f27aa34e718f1623f94baf358dd8258ed14ad3871dee992a
-
Filesize: 553KB
MD5: 4d4f9be560d9774506c803a62f7f05a7
SHA1: 6142561ee5bc3cb445153eaabb29b18cd9eaf52f
SHA256: 825d0f7afb55766f4fa8f8b1ba5000e27bf54547bb7a10b631614ebac70dd251
SHA512: aa9932c01ee3305966befcbd763a4e181285133ded13d5a3d46b3629198143cc2336b93810b8dac342d642ad22839b9388ea7637e829bbc6365b96e684d0492c
-
Filesize: 308KB
MD5: ff2cd23ea95ec473d92e687ec352e81d
SHA1: 3f1aa8346d95c90c0f091bbf7cd8b79e0d1258cb
SHA256: df3ad4549c16aa9247a3218951df919509fc1a1996426c6cd31ea798263dc7c2
SHA512: 41a11de00c7454084cd63d2b969abed1db34a3a6cd1b22688ae142164bf039c806811efa18601e2e48c5908699c1d6e64cb4400dc52ac9b5ce9a955e90d5a704
-
Filesize: 366KB
MD5: dea80da79f7ea5fa5955318a64f098ec
SHA1: 8504b356b034c35673008f2e5df431b2876df413
SHA256: 0a805ba190ce47e14a161db2ed243fcead2c1d0bba7f3f755ecfaa890e414c00
SHA512: a133fdae8e4a1d362997b4e4b04793e2ea7e379628350ba56de327966af0274f17d1ee80976a6c0a154039eee9c674af31850ce6143b62ce7864162dd89ebd7d