Analysis

max time kernel: 80s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2023, 01:00

Static task: static1
Behavioral task: behavioral1
Sample: 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe
Resource: win10v2004-20230220-en

General

Target: 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe
Size: 534KB
MD5: 59b71b9b42ca900c2256b8e763c8ed3f
SHA1: 8088e2eccb4b1e8a17f0a5c9946669ede8d34a04
SHA256: 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7
SHA512: f4b787a0df63a82e96434679450a3e329558c9a2b6472921fedc92b80a205f4ff312a9758610852a4e1dbf4d766b16f21aefae76a3882133a7c3ea2d74983615
SSDEEP: 12288:mMrjy90j5gHg9yfPi8bwCCyaGikbsUNP+5WG/4oPzYCzn:5yO5xYHwgaGsEP6WGgKzbzn
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr506263.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr506263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr506263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr506263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr506263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr506263.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 33 IoCs
Executes dropped EXE 4 IoCs
pid | Process
3932 | ziyA1643.exe
4020 | jr506263.exe
752 | ku341497.exe
4020 | lr642148.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr506263.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziyA1643.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziyA1643.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2484 | 752 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4020 | jr506263.exe
4020 | jr506263.exe
752 | ku341497.exe
752 | ku341497.exe
4020 | lr642148.exe
4020 | lr642148.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4020 | jr506263.exe
Token: SeDebugPrivilege | 752 | ku341497.exe
Token: SeDebugPrivilege | 4020 | lr642148.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1268 wrote to memory of 3932 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 82
PID 1268 wrote to memory of 3932 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 82
PID 1268 wrote to memory of 3932 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 82
PID 3932 wrote to memory of 4020 | 3932 | ziyA1643.exe | 83
PID 3932 wrote to memory of 4020 | 3932 | ziyA1643.exe | 83
PID 3932 wrote to memory of 752 | 3932 | ziyA1643.exe | 88
PID 3932 wrote to memory of 752 | 3932 | ziyA1643.exe | 88
PID 3932 wrote to memory of 752 | 3932 | ziyA1643.exe | 88
PID 1268 wrote to memory of 4020 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 96
PID 1268 wrote to memory of 4020 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 96
PID 1268 wrote to memory of 4020 | 1268 | 060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060873b8d24017fa6740cbdcb7d0e44e97a42406b582daf75ab581b57e64bab7.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1268

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyA1643.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyA1643.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3932

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506263.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506263.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4020

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku341497.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku341497.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 752

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1196
              - Program crash
              PID: 2484

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr642148.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr642148.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4020

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 752 -ip 752
  PID: 2660
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 8bc2f1100468984bc509ca571d029033
SHA1: e84fd18969f30b68fbcd44edc231ae7cb728cfdc
SHA256: 9b00eb085d3fa0f33ebb54c62a1724bfb395513fba4b9a1967c12c86efacea76
SHA512: 90b95b7c2cd5a663c91a1a1394bb3c7fce68a68b6934757105df47cbf771c9f4b899ffc072bdd8d5ffa045ae7e3ffa275ef373a543e4eff59b416430f4aed0e1

Filesize: 392KB
MD5: 74e8ac1fa082d7870b3efdbfda246401
SHA1: 5e0e59768cc9ee21404ed87ac3a3920409faae28
SHA256: 4e27683f9416c897b04e179d516f24a52d6491d01091b16340a9ce64d1f3a11d
SHA512: 1ea2fac6b1698881e6ec4ded6ca59b21f54e4b21150a771f708f8b9415f7956836334141d6914d2d40a8a5b010160c82ee41ad5fefb883298fa0bd750df3fe4f

Filesize: 12KB
MD5: 6ff9356dea0541273cdfacff27b3a8de
SHA1: d5cfacc328b1e1f128da29476e944a4c92b51ad2
SHA256: c3556a015fc998ec0d4fd05c8e9be2a7dd4f129783277d467324d5eb5c397844
SHA512: 0bbe7fe01f0af0c05507d45277c3b1a085756d3ab8578b21e393e27a300b5c23015a7dacbcb4f79c31f3e157048a98731b622a863953ead1781045a9de92431e

Filesize: 319KB
MD5: 02b2650da8aeb144723040241f56cb2d
SHA1: aa0cf030a1dc7c489c5048699f5b6acc613ffb38
SHA256: db662808922da826cd717eb3dfc566c90e7a10f0a7dbb2630b82800646659ff8
SHA512: f69ec49d1ae3d21a6a969d3678dbf1765b450973bd62a47a9699bda5acdf95fd325fc6f33708aaf70cbfe2938d694db78651a2232d432486be0a3b326851038f