Analysis
max time kernel: 99s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/03/2023, 20:06
Static task: static1
Behavioral task: behavioral1
Sample: 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe
Resource: win10v2004-20230220-en
General
Target: 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe
Size: 673KB
MD5: dbb2319a463d7e164aaa66e4c4b05734
SHA1: 38a823c7c2461d3a2049cbeb74b5b099942d66d9
SHA256: 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3
SHA512: 0aa246ec5ddcf3f27064d27b0a225fc2fb8bfd9eea034055b94f219e581143d93944e0e0c79a3bbb948972d4104f9e6fafc1f7f13f617d0571f499de961834b7
SSDEEP: 12288:FMrwy90cQAXDL+sjKXmPyOilw0wo2r1wEx89/POb9rjmNLs8iHZRps6:xyWATLhjKXQydnS7jbdcLj29
Malware Config
Extracted: redline
  botnet: rosn
  C2: 176.113.115.145:4125
  auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted: redline
  botnet: spora
  C2: 176.113.115.145:4125
  auth_value: 441b39ab37774b2ca9931c31e1bc6071
Two RedLine configurations were extracted; they share the same C2 endpoint but carry different botnet IDs and auth values.
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3668.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pro3668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3668.exe
These are the Group Policy values that switch off Defender's real-time components. The report records the writes, not whether Defender honoured them: with Tamper Protection on, Defender blocks policy changes to real-time protection, and the Features\TamperProtection value that the same process sets to 0 is itself protected.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 19 IoCs
resource | yara_rule
behavioral1/memory/4080-191-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-192-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-194-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-196-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-202-0x0000000004C00000-0x0000000004C10000-memory.dmp | family_redline
behavioral1/memory/4080-198-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-205-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-207-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-203-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-209-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-211-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-213-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-215-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-217-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-219-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-221-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-223-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-225-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
behavioral1/memory/4080-227-0x0000000002610000-0x000000000264F000-memory.dmp | family_redline
All 19 matches are memory dumps of PID 4080 (qu8955.exe), 18 of them from the same 0x02610000-0x0264F000 region, so the family identification comes from the unpacked payload in memory rather than from a file on disk.
Executes dropped EXE 4 IoCs
pid | Process
4272 | un818558.exe
652 | pro3668.exe
4080 | qu8955.exe
1016 | si222448.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data: saved credentials, cookies, autofill entries and browsing history.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3668.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3668.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un818558.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un818558.exe
Both values are the self-cleanup entries that the Windows self-extractor stub (wextract / IExpress) writes: advpack.dll's DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at next logon. They are an artifact of the dropper format, not persistence for the payload; the directory named in each value is where the dropped executables were unpacked.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4124 | 652 | WerFault.exe | 85
3820 | 4080 | WerFault.exe | 94
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
652 | pro3668.exe
652 | pro3668.exe
4080 | qu8955.exe
4080 | qu8955.exe
1016 | si222448.exe
1016 | si222448.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 652 | pro3668.exe
Token: SeDebugPrivilege | 4080 | qu8955.exe
Token: SeDebugPrivilege | 1016 | si222448.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1448 wrote to memory of 4272 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 84
PID 1448 wrote to memory of 4272 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 84
PID 1448 wrote to memory of 4272 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 84
PID 4272 wrote to memory of 652 | 4272 | un818558.exe | 85
PID 4272 wrote to memory of 652 | 4272 | un818558.exe | 85
PID 4272 wrote to memory of 652 | 4272 | un818558.exe | 85
PID 4272 wrote to memory of 4080 | 4272 | un818558.exe | 94
PID 4272 wrote to memory of 4080 | 4272 | un818558.exe | 94
PID 4272 wrote to memory of 4080 | 4272 | un818558.exe | 94
PID 1448 wrote to memory of 1016 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 99
PID 1448 wrote to memory of 1016 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 99
PID 1448 wrote to memory of 1016 | 1448 | 5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe | 99
Processes (indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe  (PID 1448)
    command line: "C:\Users\Admin\AppData\Local\Temp\5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un818558.exe  (PID 4272)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un818558.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3668.exe  (PID 652)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3668.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe  (PID 4124)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1084
                - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8955.exe  (PID 4080)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8955.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe  (PID 3820)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1328
                - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si222448.exe  (PID 1016)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si222448.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe  (PID 3636)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 652 -ip 652
C:\Windows\SysWOW64\WerFault.exe  (PID 2776)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4080 -ip 4080
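The process tree above is a two-level self-extractor chain (IXP000.TMP inside the sample, IXP001.TMP inside un818558.exe). The following is an added example, not sandbox code and not part of the report, that rebuilds such chains from process-creation records: it parses Sysmon-style Event ID 1 fields, collects every process running out of an IXP<nnn>.TMP directory with its ancestry, counts the self-extractor layers above it, and maps WerFault "-p <pid>" launches back to the process that crashed. The records are constructed from the PIDs and paths in this report; the tab-separated layout and the parent PIDs of the top-level sample and of the -pss WerFault instance (5000 and 5001) are assumptions.

```python
"""Rebuild nested self-extractor drop chains from process-creation events.
Added example; the record layout (Sysmon Event ID 1 field names, tab-separated) is assumed."""
import re
from typing import Dict, List

# Extraction directory of the Windows self-extractor stub (wextract / IExpress):
# %LOCALAPPDATA%\Temp\IXP<nnn>.TMP. An executable running from there was dropped by an SFX.
IXP_EXE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)
# WerFault names the crashed process with "-p <pid>" (both in -u and -pss launches).
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def make_event(pid: int, ppid: int, image: str, cmdline: str = None) -> str:
    cmdline = cmdline if cmdline is not None else f'"{image}"'
    return "\t".join(["EventID=1", f"ProcessId={pid}", f"ParentProcessId={ppid}",
                      f"Image={image}", f"CommandLine={cmdline}"])


def parse_event(line: str) -> dict:
    return dict(part.split("=", 1) for part in line.rstrip("\n").split("\t") if "=" in part)


def index_processes(lines):
    """pid -> image, pid -> parent pid, pid -> command line, from Event ID 1 records."""
    images: Dict[int, str] = {}
    parents: Dict[int, int] = {}
    cmdlines: Dict[int, str] = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        pid = int(ev["ProcessId"])
        images[pid] = ev["Image"]
        parents[pid] = int(ev["ParentProcessId"])
        cmdlines[pid] = ev.get("CommandLine", "")
    return images, parents, cmdlines


def ancestry(pid: int, images: Dict[int, str], parents: Dict[int, int]) -> List[str]:
    """Image paths from the oldest ancestor we have a record for down to pid."""
    chain, seen = [], set()
    while pid in images and pid not in seen:  # stop at unknown parents and PID reuse loops
        seen.add(pid)
        chain.append(images[pid])
        pid = parents[pid]
    return list(reversed(chain))


def sfx_drop_chains(lines) -> Dict[int, List[str]]:
    """Every process executing out of an IXP<nnn>.TMP directory, with its ancestry."""
    images, parents, _ = index_processes(lines)
    return {pid: ancestry(pid, images, parents) for pid, img in images.items() if IXP_EXE.search(img)}


def nesting_depth(chain: List[str]) -> int:
    """Number of self-extractor layers in the chain (IXP directories among its members)."""
    return sum(1 for img in chain if IXP_EXE.search(img))


def crashed_processes(lines) -> Dict[int, str]:
    """Map each PID named by a WerFault '-p <pid>' launch to that process's image."""
    images, _, cmdlines = index_processes(lines)
    crashed: Dict[int, str] = {}
    for pid, cmd in cmdlines.items():
        if not images[pid].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_PID.search(cmd)
        if m:
            target = int(m.group(1))
            crashed[target] = images.get(target, "<unknown>")
    return crashed


# Constructed records from the report's process tree (parents 5000 and 5001 are assumed).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5b3073deb9b1815b8cc7f1575daeaed85b619fccea9931bd8cf8613ddedcf6d3.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
SAMPLE_EVENTS = [
    make_event(1448, 5000, SAMPLE),
    make_event(4272, 1448, TEMP + r"\IXP000.TMP\un818558.exe"),
    make_event(652, 4272, TEMP + r"\IXP001.TMP\pro3668.exe"),
    make_event(4080, 4272, TEMP + r"\IXP001.TMP\qu8955.exe"),
    make_event(1016, 1448, TEMP + r"\IXP000.TMP\si222448.exe"),
    make_event(4124, 652, WERFAULT, WERFAULT + " -u -p 652 -s 1084"),
    make_event(3820, 4080, WERFAULT, WERFAULT + " -u -p 4080 -s 1328"),
    make_event(3636, 5001, WERFAULT, WERFAULT + " -pss -s 476 -p 652 -ip 652"),
]

if __name__ == "__main__":
    for pid, chain in sorted(sfx_drop_chains(SAMPLE_EVENTS).items()):
        print(pid, "layers:", nesting_depth(chain), " -> ".join(p.rsplit("\\", 1)[-1] for p in chain))
    print("crashed:", crashed_processes(SAMPLE_EVENTS))
```

A nesting depth of 2 or more (an IXP executable whose parent is itself an IXP executable) is the signal worth hunting: a single IExpress package is ordinary software packaging, a self-extractor inside a self-extractor rarely is. The crash map turns the two WerFault lines into the fact that both second-stage executables, pro3668.exe and qu8955.exe, terminated abnormally in the sandbox.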
Downloads
Filesize: 175KB
MD5: 67af42ad00d250816cc5d83d0fa1c258
SHA1: 20e7eaf91db8a63cf7764fbd5a36d28920b99f94
SHA256: 07e59946241e43dacd0cb4188efcf2bd769377e1cc43d2a30a5b32b21fcee627
SHA512: 4ed333443ac434f603c2e027300b1536b47f8000d2e5da89e22c1fc96fa75e6086a5edbffa60e4577f4800076cfa7b49a12978a18899990e420d7cf95e3e8da2

Filesize: 531KB
MD5: bd88634124256a498f549f5646d217cc
SHA1: defb92698f66471b2e9703949203e846412c4cf7
SHA256: c1b2cfcdaf7488c7277e4757ca47320436eec1bca67e5e14e8d1f0a78fb9d81b
SHA512: c16b202cfe462e8a96639ee5a33cf0b6092b559cb86e8f4a93150e537093250fe9b12f4a92d20a76228bbddbc91d31aa9e0be225248ca98c17c2b59f100c5ef4

Filesize: 260KB
MD5: b2dc87e6c5c6343e3fa9e039d20184eb
SHA1: 8eb3ea18dcbc06738625b00e1bdd5c860612f036
SHA256: 4ec95fe5e4888e23ccbc75d8f3f98992bdd5a4f58555c701224f859a900dafd6
SHA512: f3adfb45bf36f7e82ddece40276e4f3bca6dae6bf01e2d03a77462bc494c0e75feb3abd8fb12d03abdcd107e1fc7db1cdb98c23bbf12d2f0b50c81597621bd83

Filesize: 318KB
MD5: 31fb0402082e54ab611f2ebcb7b24827
SHA1: f2e3f6ba83bd978496110e9edd5643d6913acaa6
SHA256: e8f7f9420c1446d35ea1ecce4855e650177ed7ecbfb9514471d914b6274f70ee
SHA512: 8db1cbed9720140902927ad707bb091afdb7f67d1225e517e6ead5f452fec573cabf138f79106387e3fec341dbbec270c1af8586f1db0e5f8a5da7127f560ecb