Analysis

max time kernel: 55s
max time network: 141s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-03-2023 02:57

Static task: static1
Behavioral task: behavioral1
Sample: 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe
Resource: win10-20230220-en
General

Target: 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe
Size: 690KB
MD5: c560088e93c75fa01ff0ab74ff98c40a
SHA1: 935f7a8c4a1ee562cf8af634dd19e37266e5aaf9
SHA256: 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688
SHA512: 966c73b20647c71ead3426c66267c5efc3df76df68d1d10bc132498334bcb84ab218ecc882058ea3b73e0e74656e5d864294707fac5cce7d435ee2b90c67996c
SSDEEP: 12288:rMr0y90RtLjEnOQkPyo65hLu6fgL8B8vBF5jfig+/3AL0af:Xy8t0nVHfa6fcS8z5jagKALbf
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
Attributes: auth_value = 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: from
C2: 176.113.115.145:4125
Attributes: auth_value = 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro9694.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro9694.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro9694.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro9694.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro9694.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 21 IoCs
resource | yara_rule
behavioral1/memory/1920-179-0x00000000038A0000-0x00000000038E6000-memory.dmp | family_redline
behavioral1/memory/1920-180-0x00000000064D0000-0x0000000006514000-memory.dmp | family_redline
behavioral1/memory/1920-181-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-182-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-184-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-186-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-188-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-190-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-192-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-194-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-196-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-198-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-200-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-202-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-204-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-206-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-208-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-210-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-212-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-217-0x00000000064D0000-0x000000000650F000-memory.dmp | family_redline
behavioral1/memory/1920-1100-0x00000000038F0000-0x0000000003900000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
5116 | un543154.exe
2140 | pro9694.exe
1920 | qu2667.exe
4004 | si558650.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro9694.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro9694.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un543154.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un543154.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2140 | pro9694.exe
2140 | pro9694.exe
1920 | qu2667.exe
1920 | qu2667.exe
4004 | si558650.exe
4004 | si558650.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2140 | pro9694.exe
Token: SeDebugPrivilege | 1920 | qu2667.exe
Token: SeDebugPrivilege | 4004 | si558650.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4604 wrote to memory of 5116 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 66
PID 4604 wrote to memory of 5116 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 66
PID 4604 wrote to memory of 5116 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 66
PID 5116 wrote to memory of 2140 | 5116 | un543154.exe | 67
PID 5116 wrote to memory of 2140 | 5116 | un543154.exe | 67
PID 5116 wrote to memory of 2140 | 5116 | un543154.exe | 67
PID 5116 wrote to memory of 1920 | 5116 | un543154.exe | 68
PID 5116 wrote to memory of 1920 | 5116 | un543154.exe | 68
PID 5116 wrote to memory of 1920 | 5116 | un543154.exe | 68
PID 4604 wrote to memory of 4004 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 70
PID 4604 wrote to memory of 4004 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 70
PID 4604 wrote to memory of 4004 | 4604 | 333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe | 70
Processes

1. C:\Users\Admin\AppData\Local\Temp\333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\333242a4e8cd7272200932b37fc74b83c0b96e9d6e095311998919c4d3662688.exe"
   PID: 4604
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un543154.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un543154.exe
      PID: 5116
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9694.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9694.exe
         PID: 2140
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
         PID: 1920
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558650.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si558650.exe
      PID: 4004
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 4c4566f448e4bd74d0ad665643ac729a
SHA1: 293894686efc30af84440ced577e3c3fc8658cbd
SHA256: 2f9286c4e7eafa083969dc8fa448bb5f7e98e516903db63f7e82fa7efae91614
SHA512: d7b60265d002e1f716dbad42c7590e7ad62ccad2afb25cadd6ceb6fc79840ef0b4a2ec903ff7faa1bb7c880b3185a0e9414246d0d5c2e484e1449425277ed995

Filesize: 548KB
MD5: 899b82e380668f57b8c1e766d1209d0d
SHA1: a04966b1b3e1c8357c4a515dc119b6340b29c233
SHA256: 7a1ae925437ed15b607d3ae8ca602655d8ec3b3c13421c42dd68ca1f77d1237f
SHA512: 9f0bd2e0b53e7f598d1d5a205b0346fd69a976193cfaf71b1f82cbaef5ec9e358263b7938e77ae64551ff5c12c5a474fcc15e42d5d7c192833748ac2b6151e4a

Filesize: 291KB
MD5: 663f0a44e1d13ddb0f49cbd89656f276
SHA1: b60e56fb74865c8f7961b3cb190c44edb6cafced
SHA256: bbe589ef4cda76a4e4f6f51abae23568b30111188cf016b875071c6c917bb50d
SHA512: 949e2f1c2e95061a0df961bc7a03e0b627f6c4338e70fafba09faf0f47997f96d801de5992ee53c82740f45a7054042b81a6c460d6fee20dbf7e92e6571e32ec

Filesize: 345KB
MD5: f0b488c62ece40f9e222df6b197430ab
SHA1: 86c7357b9b8d718ff9919884436cd676033d405e
SHA256: b6bfd77ee2a1199874ebf81ff0aed2c262e51c45521403e42c117c106ad4b622
SHA512: 855bc7125909732f83ba9e067250e0741f3502675f638cfa97e27c9f18087310dadf892fbc0cb5a3697376fac6a831c05a2e3ccbe6bf1778f0089b0f4011524c