Analysis

max time kernel: 144s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 02-04-2023 21:20
Static task: static1
Behavioral task: behavioral1
Sample: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
Resource: win10-20230220-en
General

Target: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
Size: 536KB
MD5: 8c5bc31110f153369d841d8c1db415d6
SHA1: 0042afb33eaad26f927c726c40176934183d44ee
SHA256: 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752
SHA512: 3d51deec1debd3e6422117612eab27060b44a9f04e7160af724d90813a652464fb0858a4060c2f27535a23e473432ea749175f857d9d975ff47d23f24036716a
SSDEEP: 12288:sMrpy90aOFcgvzSJh5c7aXikNCzM3GAAe/Qq:Ny3g6O7aJNCyAe/Qq
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr831530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr831530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr831530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr831530.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr831530.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 36 IoCs
Resource | YARA rule
behavioral1/memory/3996-141-0x0000000002770000-0x00000000027B6000-memory.dmp | family_redline
behavioral1/memory/3996-145-0x0000000002820000-0x0000000002864000-memory.dmp | family_redline
behavioral1/memory/3996-148-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-149-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-151-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-153-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-155-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-157-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-159-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-161-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-163-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-165-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-167-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-169-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-171-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-173-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-175-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-179-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-177-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-181-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-183-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-185-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-187-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-189-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-191-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-193-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-195-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-197-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-199-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-201-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-203-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-205-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-207-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-209-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-211-0x0000000002820000-0x000000000285F000-memory.dmp | family_redline
behavioral1/memory/3996-1062-0x0000000004EF0000-0x0000000004F00000-memory.dmp | family_redline

Executes dropped EXE 4 IoCs
PID | Process
2596 | zirU4155.exe
2948 | jr831530.exe
3996 | ku144836.exe
3504 | lr524015.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr831530.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zirU4155.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zirU4155.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
PID | Process
2948 | jr831530.exe
2948 | jr831530.exe
3996 | ku144836.exe
3996 | ku144836.exe
3504 | lr524015.exe
3504 | lr524015.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 2948 | jr831530.exe
Token: SeDebugPrivilege | 3996 | ku144836.exe
Token: SeDebugPrivilege | 3504 | lr524015.exe

Suspicious use of WriteProcessMemory 11 IoCs
Description | PID | Process | Target PID
PID 2364 wrote to memory of 2596 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 66
PID 2364 wrote to memory of 2596 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 66
PID 2364 wrote to memory of 2596 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 66
PID 2596 wrote to memory of 2948 | 2596 | zirU4155.exe | 67
PID 2596 wrote to memory of 2948 | 2596 | zirU4155.exe | 67
PID 2596 wrote to memory of 3996 | 2596 | zirU4155.exe | 68
PID 2596 wrote to memory of 3996 | 2596 | zirU4155.exe | 68
PID 2596 wrote to memory of 3996 | 2596 | zirU4155.exe | 68
PID 2364 wrote to memory of 3504 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 70
PID 2364 wrote to memory of 3504 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 70
PID 2364 wrote to memory of 3504 | 2364 | 9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe | 70
Processes

C:\Users\Admin\AppData\Local\Temp\9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cd492ab2f7af0cf98698b110d87fab6d6dca72a4fe1e9e7c7ec8cd5dfdb3752.exe"
  PID: 2364
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirU4155.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirU4155.exe
    PID: 2596
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr831530.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr831530.exe
      PID: 2948
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku144836.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku144836.exe
      PID: 3996
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr524015.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr524015.exe
    PID: 3504
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176KB
MD5: ed963f7d3e0d30e109c27dc834f0909f
SHA1: 9f065af386a3902af513395af6a40f71e55a9954
SHA256: ff8f5813b1d6ed0fa14b0372ee9c83c067f3c911a75a52c121afd23cf8cfd17c
SHA512: 089809f5be0cab35f44f9a149168538725b3e3f2b5156955dd1aed80f49c41cc2f5e35dd2649d508c75c4dbfefc2c2ba5cde8f7c8c24b8642f5f5c5e1d7e040f
Filesize: 394KB
MD5: 2201f315f2196b7b2c32c75e1f252e02
SHA1: 9a05f9426d2c37410369c1baf79980a00122981d
SHA256: 08889995bdb39b5920e9ca2df77c2638bff585753b53a8fda1a7ec02132b1eec
SHA512: ed20cdfd5f6b153a17da8bc9676811edb6186d71746105e1baf0a76419c020fc149d86d2d059cb69ee0c323353a42fe1529d119c74d48a6e611b812835940a71
Filesize: 13KB
MD5: bfc4914c1d154d714a51126951cded5a
SHA1: 21a3062f146c02130b09a9291f4e55504ded7d4f
SHA256: 9cef3d78a925f48fecc2b2b427fd3c5784452eb3a9b340f7c8a1085fd9730917
SHA512: bedf770131c479316f1934e95201fe9b1e8b756f6210877f2dda0a80ded705a3f18c103bfa572f35eec9cd11a41d1487fdc15d6c11e9460a2cc6c141fcc1ee43
Filesize: 353KB
MD5: 49a25beddfd767b6833cf7433d352636
SHA1: e0be941d92078d72691e97016fd602863860581a
SHA256: e9ed5f96acf16293f0c69ca9f21d690db73f318036ddab7a032c6a30664c12f3
SHA512: 60b5dd4717a8acc43a36154d24bc135f9fc70b26cd4ed090e9a78e83c6d948161b7cc0198b421a0befefec73ec1ef192641d7c153ec179795d7896693d41f227