Analysis
-
max time kernel
56s -
max time network
73s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
28-03-2023 01:52
Static task
static1
Behavioral task
behavioral1
Sample
717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe
Resource
win10-20230220-en
General
-
Target
717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe
-
Size
689KB
-
MD5
5465949c610da7a6dffcb181a30108c7
-
SHA1
349e7e5f066439e47e532ae8cfa94c2d21c3c32a
-
SHA256
717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1
-
SHA512
cb9583c836e3ebdeb300099863a888f653294b19fda65c733e6d76589d915d60b78f50b5b62a7bc67d693733979bb51c3601a39f7679ffc657bae15fc8f52f89
-
SSDEEP
12288:AMr+y90G9Ju/IQox4fgZiyS65hLu4kDq0MSKI3Vq/d0K6LgquXvmFDyfig4A5/Ls:OyD9YQQou4ZvBfaY0LZ3Vq/uDLCXiDya
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
from
176.113.115.145:4125
-
auth_value
8633e283485822a4a48f0a41d5397566
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro0584.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro0584.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro0584.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro0584.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro0584.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource yara_rule behavioral1/memory/3536-175-0x0000000005F10000-0x0000000005F56000-memory.dmp family_redline behavioral1/memory/3536-176-0x0000000005F90000-0x0000000005FD4000-memory.dmp family_redline behavioral1/memory/3536-177-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-178-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-180-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-182-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-184-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-186-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-188-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-190-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-192-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-194-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-196-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-198-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-200-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-202-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-204-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-210-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-206-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline behavioral1/memory/3536-213-0x0000000005F90000-0x0000000005FCF000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3968 un100294.exe 848 pro0584.exe 3536 qu1531.exe 5072 si858806.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro0584.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro0584.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un100294.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un100294.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 848 pro0584.exe 848 pro0584.exe 3536 qu1531.exe 3536 qu1531.exe 5072 si858806.exe 5072 si858806.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 848 pro0584.exe Token: SeDebugPrivilege 3536 qu1531.exe Token: SeDebugPrivilege 5072 si858806.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 8 wrote to memory of 3968 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 66 PID 8 wrote to memory of 3968 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 66 PID 8 wrote to memory of 3968 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 66 PID 3968 wrote to memory of 848 3968 un100294.exe 67 PID 3968 wrote to memory of 848 3968 un100294.exe 67 PID 3968 wrote to memory of 848 3968 un100294.exe 67 PID 3968 wrote to memory of 3536 3968 un100294.exe 68 PID 3968 wrote to memory of 3536 3968 un100294.exe 68 PID 3968 wrote to memory of 3536 3968 un100294.exe 68 PID 8 wrote to memory of 5072 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 70 PID 8 wrote to memory of 5072 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 70 PID 8 wrote to memory of 5072 8 717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe"C:\Users\Admin\AppData\Local\Temp\717dea3c02191bcebe369f536886a5619237dcb4b204027e40c06a6d33c28dd1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un100294.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un100294.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0584.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0584.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1531.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1531.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si858806.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si858806.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5633d8990dfc54b10c09fe5e866df5e97
SHA195b1ad84710537dd3b31af8b8dca78ba1a3dd1df
SHA2560c033f85cc26c4e0dd031c8ed79a9d4d7f55306d966739d2829c500555961c63
SHA512ab136b0c4f23e96e4430854cd528b1c27590b98ffc8d593023b60f013c986f5f9a30febd915951233524d7d807141d6ff5706593ec055201ab48636d147e6ec1
-
Filesize
175KB
MD5633d8990dfc54b10c09fe5e866df5e97
SHA195b1ad84710537dd3b31af8b8dca78ba1a3dd1df
SHA2560c033f85cc26c4e0dd031c8ed79a9d4d7f55306d966739d2829c500555961c63
SHA512ab136b0c4f23e96e4430854cd528b1c27590b98ffc8d593023b60f013c986f5f9a30febd915951233524d7d807141d6ff5706593ec055201ab48636d147e6ec1
-
Filesize
547KB
MD58ee9b66ed43f33fe2118d7faf00b4b1e
SHA1551b21abe2bf90b7de7e411dd21b9a4f70000dc4
SHA2566f30d584697c8f7d0abe96dfd29b41ecf4dcc0b732e097e14a2aa80cf818feb9
SHA5126a481adee92589422278b4e06e2003ddc6861f67c22fb95af10dd04da843b99f232b5c02fd7a8f60d66125f28179472b369303b959ae4336e324c91bfda2fa05
-
Filesize
547KB
MD58ee9b66ed43f33fe2118d7faf00b4b1e
SHA1551b21abe2bf90b7de7e411dd21b9a4f70000dc4
SHA2566f30d584697c8f7d0abe96dfd29b41ecf4dcc0b732e097e14a2aa80cf818feb9
SHA5126a481adee92589422278b4e06e2003ddc6861f67c22fb95af10dd04da843b99f232b5c02fd7a8f60d66125f28179472b369303b959ae4336e324c91bfda2fa05
-
Filesize
291KB
MD5b9f71d999f724d74ed83fdd82f4b84e0
SHA1358e0588a41077d53708dc125077958e6c22337e
SHA256cab268b09f1e9c4086d3d784efbc548685c92412578b25f53c34d9281866ed27
SHA512c2da11a2b2824979b705a828c7a3a15ec1eeb6ab616fee82d3353ad65375f170282d6d8e1dfe3095a08d7d3820eb15d79d2ca0dbb20ac5a00a0a5651fb349948
-
Filesize
291KB
MD5b9f71d999f724d74ed83fdd82f4b84e0
SHA1358e0588a41077d53708dc125077958e6c22337e
SHA256cab268b09f1e9c4086d3d784efbc548685c92412578b25f53c34d9281866ed27
SHA512c2da11a2b2824979b705a828c7a3a15ec1eeb6ab616fee82d3353ad65375f170282d6d8e1dfe3095a08d7d3820eb15d79d2ca0dbb20ac5a00a0a5651fb349948
-
Filesize
345KB
MD512563c92849f145cf99a474b55c2cee9
SHA175894eecec0ecc39c127fc62268b85d304ce9266
SHA256f8a37190bae9556a6ef3afbe113e14ff09a5a030926cce048740126814a20c1e
SHA512a2a202cabc0da197a731c2c92bdda628bcb1de0f1a4bbc5bb7de7f70d1c4ac72e4f00773e9e5ed210be8e9e6502d632e52df237c270a75857ff6e4669a93c6b0
-
Filesize
345KB
MD512563c92849f145cf99a474b55c2cee9
SHA175894eecec0ecc39c127fc62268b85d304ce9266
SHA256f8a37190bae9556a6ef3afbe113e14ff09a5a030926cce048740126814a20c1e
SHA512a2a202cabc0da197a731c2c92bdda628bcb1de0f1a4bbc5bb7de7f70d1c4ac72e4f00773e9e5ed210be8e9e6502d632e52df237c270a75857ff6e4669a93c6b0