Analysis
max time kernel: 54s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-03-2023 01:03
Static task: static1
Behavioral task: behavioral1
Sample: cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe
Resource: win10-20230220-en
General
Target: cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe
Size: 690KB
MD5: 8acf03f38d704a8cf2e42c28ab83afb6
SHA1: 99d082c10b5a343482665401ec7692ce8cac6ed7
SHA256: cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19
SHA512: 75fa1b30594fde22efbbbb10f7bdc9f176f5f6805ba59cccd8f98aa9540d83f0abe8ddc4c3062e033a088ce00c19ba6359275f5cf917027926d3d3671cc28da8
SSDEEP: 12288:ZMroy90zXyG6HurKKuBVyI65hLu6fA2dnYxvmFdifigVm/zRKAeJYE:FymXypHurjnfa6YtydiagVwKD9
Malware Config
Extracted (config 1)
  Family: redline
  Botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted (config 2)
  Family: redline
  Botnet: from
  C2: 176.113.115.145:4125
  auth_value: 8633e283485822a4a48f0a41d5397566
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro2819.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro2819.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro2819.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro2819.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro2819.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
resource | yara_rule
behavioral1/memory/4084-176-0x0000000005FE0000-0x0000000006026000-memory.dmp | family_redline
behavioral1/memory/4084-177-0x0000000006060000-0x00000000060A4000-memory.dmp | family_redline
behavioral1/memory/4084-178-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-179-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-181-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-183-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-185-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-187-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-189-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-191-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-194-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-195-0x0000000006150000-0x0000000006160000-memory.dmp | family_redline
behavioral1/memory/4084-198-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-201-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-203-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-205-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-207-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-209-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-211-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-215-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
behavioral1/memory/4084-213-0x0000000006060000-0x000000000609F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
3548 | un955972.exe
2348 | pro2819.exe
4084 | qu2300.exe
1300 | si587497.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro2819.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro2819.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un955972.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un955972.exe
Note: both wextract_cleanup RunOnce values are the standard cleanup stub written by the Windows IExpress (wextract) self-extractor to delete its IXP00n.TMP extraction directory at next logon, so this signature reflects the two nested self-extracting wrappers rather than persistence established by the RedLine payloads themselves.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2348 | pro2819.exe
2348 | pro2819.exe
4084 | qu2300.exe
4084 | qu2300.exe
1300 | si587497.exe
1300 | si587497.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2348 | pro2819.exe
Token: SeDebugPrivilege | 4084 | qu2300.exe
Token: SeDebugPrivilege | 1300 | si587497.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4124 wrote to memory of 3548 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 66
PID 4124 wrote to memory of 3548 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 66
PID 4124 wrote to memory of 3548 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 66
PID 3548 wrote to memory of 2348 | 3548 | un955972.exe | 67
PID 3548 wrote to memory of 2348 | 3548 | un955972.exe | 67
PID 3548 wrote to memory of 2348 | 3548 | un955972.exe | 67
PID 3548 wrote to memory of 4084 | 3548 | un955972.exe | 68
PID 3548 wrote to memory of 4084 | 3548 | un955972.exe | 68
PID 3548 wrote to memory of 4084 | 3548 | un955972.exe | 68
PID 4124 wrote to memory of 1300 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 70
PID 4124 wrote to memory of 1300 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 70
PID 4124 wrote to memory of 1300 | 4124 | cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe | 70
Processes (process tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cab77224e12e531e6de82f22614259988ab80064bda66e2e480dc95d7a5d9e19.exe"
  PID: 4124
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un955972.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un955972.exe
    PID: 3548
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2819.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2819.exe
      PID: 2348
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2300.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2300.exe
      PID: 4084
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587497.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si587497.exe
    PID: 1300
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: 0b36a7244e8dfe58846a9495b74d9b84
SHA1: 8a2f142117cfc81b7c24f7c62801084d5fa5fc0c
SHA256: 453b206e5294bddc72b60a20d77e022a07638da3af2be55ff65e366bb5e9f13a
SHA512: dcdce6e2ee845005055f45b879471218bcc3dbb1131f53c0b71229af6f0d8370d9faea8d8b34ab7b4695b0bf6dd2f22ccbb43e91b071755bf3ca9201a902a61a
Filesize: 548KB
MD5: eee881688eab6b73d5860eef042f455f
SHA1: c3a51c0e8a5eb0a05f743ae248916c734ed2c2e7
SHA256: 8af388c60458ac5d38d39901439304e05af0c423cbfd305b69d363232ae35840
SHA512: e8e035953006815b67d0ed2776206a731c6d5813cf003b4e3671854309f659a4e51ccf00f9186a86dd049e0056d646b35c58dfa976a1cb966bec7c076e51765b
Filesize: 291KB
MD5: 96422b7800dad82843101aecd363d027
SHA1: 347e9b6901f5c0eb6059b2c4cb9cc06cb3b7ca8d
SHA256: 4268384fda62d830f74f47df68d43c78f85cc26f3c3845b32a1af011d679460e
SHA512: 4d946167c9c6ac4cd54ea018cd94c94bf9530ab8b7dd5aafb3e88b05f1c55e26351d32ff53127662f031629203f40a84ba9d56d3912df1c965dc2362947b0218
Filesize: 345KB
MD5: d7f0f08ea1186898e3636165a83a0a20
SHA1: 06dbbedc50d08100a9a1155c9a196da0c881fd29
SHA256: 0c1e3d951ed0507eb9f10ac01991f68b8b0c9f72db6aa2509688cac4ef3f6655
SHA512: dededddccd58f8f606e0f469ee6cbd65920029fda89ac02defe6815a5735940fa16071aa191b5bb012a03fc547c8ef91dfa057b5e191a4d29c7313961999aba5