Analysis
max time kernel: 90s
max time network: 141s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-04-2023 00:44

Static task: static1
Behavioral task: behavioral1
  Sample: 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe
  Resource: win10-20230220-en
General
Target: 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe
Size: 530KB
MD5: 67000ccdd64b20e5dcb49772c6ad0836
SHA1: c7d54b94caed1cd3aef1724a0bace590d716d638
SHA256: 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050
SHA512: e1b2ee7d4f9da3e4b3217ee390540597860961bd95d5b5f06c6290a4bd2ffaa47cdc71b949b7c0df95dabe63e428c68a9c7316acc2af800ac6e93157334bbd7c
SSDEEP: 12288:lMrUy90jRUSLJTQir8ajl68LwPkLYnf5KXa/HUUZxGvOpRjzShk:tyyR/PjlpqkLcA0UFvw2hk
Malware Config
Extracted
family: redline
botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
family: redline
botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr820794.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr820794.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr820794.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr820794.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr820794.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Executes dropped EXE 4 IoCs
pid | Process
2112 | ziDL3140.exe
4292 | jr820794.exe
2740 | ku774816.exe
2848 | lr289117.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr820794.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziDL3140.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziDL3140.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4292 | jr820794.exe
4292 | jr820794.exe
2740 | ku774816.exe
2740 | ku774816.exe
2848 | lr289117.exe
2848 | lr289117.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4292 | jr820794.exe
Token: SeDebugPrivilege | 2740 | ku774816.exe
Token: SeDebugPrivilege | 2848 | lr289117.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3012 wrote to memory of 2112 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 66
PID 3012 wrote to memory of 2112 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 66
PID 3012 wrote to memory of 2112 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 66
PID 2112 wrote to memory of 4292 | 2112 | ziDL3140.exe | 67
PID 2112 wrote to memory of 4292 | 2112 | ziDL3140.exe | 67
PID 2112 wrote to memory of 2740 | 2112 | ziDL3140.exe | 68
PID 2112 wrote to memory of 2740 | 2112 | ziDL3140.exe | 68
PID 2112 wrote to memory of 2740 | 2112 | ziDL3140.exe | 68
PID 3012 wrote to memory of 2848 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 70
PID 3012 wrote to memory of 2848 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 70
PID 3012 wrote to memory of 2848 | 3012 | 9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe | 70
Processes
(process tree; [n] is the depth shown in the original tree)

[1] C:\Users\Admin\AppData\Local\Temp\9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c9a2e1acb59af5f947fd1595c130e950534cae05c0ac410d2eb4db6c0839050.exe"
    PID: 3012
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDL3140.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDL3140.exe
        PID: 2112
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr820794.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr820794.exe
            PID: 4292
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku774816.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku774816.exe
            PID: 2740
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr289117.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr289117.exe
        PID: 2848
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176KB
MD5: 0b27be5db24f36a7e3b86e9981ded76b
SHA1: 6b66f5611078b3134e942e6bee9d7a80fa07ff3c
SHA256: 41a7cc0f692b51d1bbb7717501a8d47f7bdf3a1ab1317a8bb4a0ca3b373b92ef
SHA512: 6db4741cbdf496f146ff0d230d6100344d39e7be4b69265c8f0a647731f312aaed70174428b59053c6b09e5c4a7ccbfad753e98815119bfd811995e7dd4b818c

Filesize: 388KB
MD5: aa9fb2d7f2a6594849b863991303f474
SHA1: e314b1165fa0f8b2903971fb765d5662e19da72c
SHA256: 08c691ef0b73fcc686c51f5777580454c012ba3a41f035a883ee7d592788c70d
SHA512: 08553a67818854ba3af253625b9f68e6cb0fcb2834de8f5ef9ff68c18a2652d9e6a0552a5d7c27c647c135d8de11452ac85c72c4600af39bd0fc09a7af7e07f4

Filesize: 12KB
MD5: 926a5a77b780c5122d64cee852c91cc2
SHA1: 9087741e65a12d3e81ae186ec8f00a6dc419221e
SHA256: b2e860a8eddacc582e7fb0497659c1844db72c161a39c65b18bc15174ebff16f
SHA512: adcb48150273bdeaec08ea37ddc132cc16388356eccec0ba23cab9914ff030e580333dfc424bb40e99c666f32ecbed6d32182424043b091dffc102ca664f61e8

Filesize: 434KB
MD5: 2f5d18b66bb06498158a5220dd294e30
SHA1: 149ada9a6c755d1273733ae16aa082cd4c5abd4a
SHA256: d3514c12aa8fc82bd6c61fc3dc11d8493a8254afb78567e3eedcefd07b8e51d9
SHA512: ecd66d2f9e9ce844a8717028450b86f3d1518885a6c8f53c572f2cdb7284c0997774cb492b3cc65c09742a32009523b2fdaab989c078140fc99ab45161e179d2