Analysis

max time kernel: 82s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2023 21:41

Static task: static1
Behavioral task: behavioral1
Sample: e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe
Resource: win10v2004-20230220-en
General

Target: e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe
Size: 521KB
MD5: f8d8599f4771dd76d044b3903a447637
SHA1: dfd7e9655f05ab38d1ff423664fb596d4691cda4
SHA256: e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912
SHA512: e97e13ec25508e987efa050a697657c46405696d7ecbfcc4a4421399c6975380738991faf4afa2cd0afab34127cba9d7da633f4a3302af9921a3e0615105cf5f
SSDEEP: 12288:QMruy90ISCJzqj5XFIq/nfTrJVP8K7449zW3R9Oe7mAV:uybadqq70Kk4A3R9OeH
Malware Config

Extracted: redline
botnet: rosn
c2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted: redline
botnet: spora
c2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071

Both configurations point at the same C2 endpoint (176.113.115.145, TCP 4125) but carry different botnet IDs and auth_values. The auth_value is the per-build authorization key the RedLine client presents to its panel, so two different keys are consistent with two separately built RedLine payloads packed into this one sample rather than one payload reporting twice. When blocking or hunting on the C2, note that RedLine talks to its panel over a WCF net.tcp binding on this port, not HTTP, so web-proxy logs will not show it; look at firewall or netflow data for outbound connections to 176.113.115.145:4125.
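The way a sandbox arrives at the botnet/c2/auth_value triple above is by decoding the obfuscated string fields of the RedLine client. The following is an added example, not code from this report or from RedLine itself. It assumes the string-encoding scheme seen in RedLine builds of this period (plaintext, base64, XOR with a repeating ASCII key, base64 again); the XOR key `XOR_KEY` and the encoded blobs are constructed for the demo, and only the decoded values (botnet ID, C2 host:port, auth_value) are taken from the report.

```python
"""Decode RedLine-style obfuscated configuration strings.

Added example, not code from the sandbox report or from RedLine. Assumes the
observed scheme: plaintext -> base64 -> XOR(repeating key) -> base64. XOR_KEY
and the blobs in ENCODED_CONFIG are constructed; the decoded values mirror the
"rosn" configuration the report lists.
"""
import base64
from typing import Dict

XOR_KEY = "Key1"  # constructed demo key; a real build embeds its own string key


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def redline_decrypt(blob: str, key: str) -> str:
    """base64-decode, XOR with the key, base64-decode again, then UTF-8-decode."""
    inner = _xor(base64.b64decode(blob), key.encode("utf-8"))
    return base64.b64decode(inner).decode("utf-8")


def redline_encrypt(plain: str, key: str) -> str:
    """Inverse of redline_decrypt; used here only to build the constructed blobs."""
    inner = base64.b64encode(plain.encode("utf-8"))
    return base64.b64encode(_xor(inner, key.encode("utf-8"))).decode("ascii")


def parse_config(raw: Dict[str, str], key: str) -> Dict[str, object]:
    """Decode the IP/ID/Key/Message fields and split the C2 endpoint into host and port."""
    c2 = redline_decrypt(raw["IP"], key)
    host, _, port = c2.rpartition(":")
    return {
        "c2": c2,
        "c2_host": host,
        "c2_port": int(port),
        "botnet": redline_decrypt(raw["ID"], key),       # what Triage labels "botnet"
        "auth_value": redline_decrypt(raw["Key"], key),  # what Triage labels "auth_value"
        "message": redline_decrypt(raw["Message"], key),
    }


# Constructed encoded config carrying the values extracted for the "rosn" build.
ENCODED_CONFIG = {
    "IP": redline_encrypt("176.113.115.145:4125", XOR_KEY),
    "ID": "KAhASykCRAw=",  # equals redline_encrypt("rosn", XOR_KEY), shown as a literal
    "Key": redline_encrypt("050a19e1db4d0024b0f23b37dcf961f4", XOR_KEY),
    "Message": redline_encrypt("", XOR_KEY),
}

if __name__ == "__main__":
    for field, value in parse_config(ENCODED_CONFIG, XOR_KEY).items():
        print(f"{field}: {value!r}")
```

To use this against a real sample, pull the four encoded string constants and the key string from the decompiled `Arguments` initialiser and pass them to `parse_config`; the key string is the XOR key, not the auth_value, which is itself one of the encoded fields.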
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs

description      ioc      Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection      jr785904.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"      jr785904.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"      jr785904.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"      jr785904.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"      jr785904.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"      jr785904.exe

These are the Group Policy locations for Defender's real-time protection. Writing them requires write access to HKLM, so jr785904.exe ran with administrative rights in this run. On an endpoint with Tamper Protection turned on, Defender ignores or blocks such registry changes, which makes the writes a detection signal in their own right, independent of whether they actually disabled anything; the Microsoft-Windows-Windows Defender/Operational log records the settings change as event ID 5007.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs

resource      yara_rule
behavioral1/memory/112-<index>-0x0000000005020000-0x000000000505F000-memory.dmp      family_redline

All 33 matches are dumps of the same region, 0x05020000-0x0505F000 (0x3F000 bytes, 252 KB), in PID 112 (ku476756.exe), taken at dump indices 157, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 179, 182, 184, 186, 188, 190, 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220 and 222; every dump hit the family_redline yara rule.
Executes dropped EXE 4 IoCs

pid      Process
3060     zixH8476.exe
5080     jr785904.exe
112      ku476756.exe
4396     lr000164.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 1 IoCs

description      ioc      Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"      jr785904.exe

Unlike the Real-Time Protection values above, this one lives under Defender's own configuration key rather than under Policies. On a host with Tamper Protection enabled that key is protected and the write is denied even to administrators, so the attempt itself, a non-Defender process touching Windows Defender\Features\TamperProtection, is what to alert on.
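The two signatures above (Real-Time Protection policy values set to 1, TamperProtection set to 0) are the registry writes a detection engineer would want to catch on a real endpoint. The following is an added example, not part of the sandbox report: it classifies Sysmon Event ID 13 (RegistryEvent: SetValue) records and flags exactly those writes. The event dicts are constructed to mirror the report's IoCs; their field names (Image, TargetObject, Details) follow Sysmon's schema, with DWORDs rendered as Sysmon writes them, and the report's `\REGISTRY\MACHINE\` spelling is normalised to Sysmon's `HKLM\` so both compare equal.

```python
"""Flag Defender-disabling registry writes in Sysmon Event ID 13 records.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report's IoCs plus two records that must not fire.
"""
import re
from typing import Dict, List, Optional, Tuple

RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Any of these policy values set to 1 switches off part of real-time protection
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalize(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE\\ prefix to HKLM\\."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        return "HKLM\\" + path[len(prefix):]
    return path


def dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the int or None."""
    m = _DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return a finding tag for a Defender-tampering SetValue, else None."""
    if event.get("EventID") != 13:
        return None
    target = normalize(str(event["TargetObject"]))
    value = dword(str(event["Details"]))
    key, _, name = target.rpartition("\\")
    if key.lower() == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and value == 1:
        return f"defender_rtp_disabled:{name}"
    if target.lower() == TAMPER_VALUE.lower() and value == 0:
        return "defender_tamper_protection_off"
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(Image, finding) for every event that matches."""
    out: List[Tuple[str, str]] = []
    for e in events:
        tag = classify(e)
        if tag:
            out.append((str(e["Image"]), tag))
    return out


JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr785904.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed events: three mirroring the report, two that must not fire
EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": JR, "TargetObject": RTP + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": JR, "TargetObject": RTP + r"\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": JR,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # re-enabling (policy value 0) is not tampering
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    # unrelated SetValue
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "cmd.exe"},
]

if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(f"{finding:<50} {image}")
```

The "Key created" row of the report would be a Sysmon Event ID 12 on the Real-Time Protection policy key; it is a weaker signal on its own (Group Policy creates the same key legitimately) and is left out here on purpose.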
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs

description      ioc      Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""      e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      zixH8476.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""      zixH8476.exe

The wextract_cleanup<N> RunOnce values are what an IExpress (wextract) self-extracting package writes so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its temporary IXP00N.TMP extraction directory at the next logon. They are a packer artefact, not persistence for the stealer: the entry runs a cleanup, and neither the sample nor any dropped payload is registered to run again, so treat the persistence TTP this signature implies with caution. What they do reveal is the packaging: the sample is an IExpress-style SFX that unpacks zixH8476.exe and lr000164.exe into IXP000.TMP, and zixH8476.exe is a second SFX layer that unpacks jr785904.exe and ku476756.exe into IXP001.TMP.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs

pid      pid_target      Process         procid_target
5100     112             WerFault.exe    86

PID 112 is ku476756.exe, the process whose memory matched the RedLine yara rule; the WerFault.exe -u -p 112 -s 1672 instance in the process tree handled its crash.

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid      Process
5080     jr785904.exe
5080     jr785904.exe
112      ku476756.exe
112      ku476756.exe
4396     lr000164.exe
4396     lr000164.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description                 pid      Process
Token: SeDebugPrivilege     5080     jr785904.exe
Token: SeDebugPrivilege     112      ku476756.exe
Token: SeDebugPrivilege     4396     lr000164.exe

Suspicious use of WriteProcessMemory 11 IoCs

description                            pid      Process      procid_target
PID 3920 wrote to memory of 3060       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      84
PID 3920 wrote to memory of 3060       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      84
PID 3920 wrote to memory of 3060       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      84
PID 3060 wrote to memory of 5080       3060     zixH8476.exe      85
PID 3060 wrote to memory of 5080       3060     zixH8476.exe      85
PID 3060 wrote to memory of 112        3060     zixH8476.exe      86
PID 3060 wrote to memory of 112        3060     zixH8476.exe      86
PID 3060 wrote to memory of 112        3060     zixH8476.exe      86
PID 3920 wrote to memory of 4396       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      90
PID 3920 wrote to memory of 4396       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      90
PID 3920 wrote to memory of 4396       3920     e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe      90

All eleven writes go from a parent into a process it has just started (3920 into 3060, 3060 into 5080, 3060 into 112, 3920 into 4396, each also a parent/child edge of the process tree below), which is what process creation looks like to the monitor. None targets an unrelated process, so this signature is not evidence of code injection in this run.
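Telling parent-into-new-child writes apart from genuine cross-process writes is the check that makes this signature actionable. The following is an added example, not part of the sandbox report: `PARENT_OF` and `NAME` are transcribed from the report's Processes section, `WPM_EVENTS` from the WriteProcessMemory table above, and the code reports any write whose target is not a direct child of the writer. The extra (4396, 5080) event used to show a hit is constructed and did not occur in this run.

```python
"""Check 'wrote to memory' events against the process tree.

Added example, not part of the sandbox report. A parent writing into a process
it has just created is what CreateProcess looks like to the monitor; a write
into any other process is a cross-process write worth treating as possible
injection.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE = "e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe"

# child pid -> parent pid, as drawn in the Processes section
PARENT_OF: Dict[int, int] = {3060: 3920, 5080: 3060, 112: 3060, 4396: 3920, 5100: 112}
NAME: Dict[int, str] = {
    3920: SAMPLE, 3060: "zixH8476.exe", 5080: "jr785904.exe",
    112: "ku476756.exe", 4396: "lr000164.exe", 5100: "WerFault.exe",
}

# (writer pid, target pid) rows of the WriteProcessMemory table, in report order
WPM_EVENTS: List[Tuple[int, int]] = (
    [(3920, 3060)] * 3 + [(3060, 5080)] * 2 + [(3060, 112)] * 3 + [(3920, 4396)] * 3
)


def cross_process_writes(events: List[Tuple[int, int]],
                         parent_of: Dict[int, int]) -> List[Tuple[int, int]]:
    """Writes whose target is not a direct child of the writer (injection candidates)."""
    return [(w, t) for w, t in events if parent_of.get(t) != w]


def write_counts(events: List[Tuple[int, int]]) -> Dict[Tuple[int, int], int]:
    """How many times each parent wrote into each child."""
    return dict(Counter(events))


def render_tree(parent_of: Dict[int, int], name: Dict[int, str], root: int) -> List[str]:
    """Indented process tree rooted at `root`, children in pid order."""
    children: Dict[int, List[int]] = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{name[pid]} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PARENT_OF, NAME, 3920)))
    print("writes per edge:", write_counts(WPM_EVENTS))
    print("cross-process writes:", cross_process_writes(WPM_EVENTS, PARENT_OF))
    # constructed: lr000164.exe writing into jr785904.exe would be flagged
    print("with a constructed injection:",
          cross_process_writes(WPM_EVENTS + [(4396, 5080)], PARENT_OF))
```

On a live host the same check runs over Sysmon Event ID 1 (parent/child) and Event ID 8 or 10 records rather than a transcribed table, but the logic is unchanged: a write is only interesting when the writer is not the target's parent.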
Processes

C:\Users\Admin\AppData\Local\Temp\e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe  (PID 3920, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e4fe88f514322177a2910b2772267b199d8c1db1839465e596c6565f4ceee912.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixH8476.exe  (PID 3060, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixH8476.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr785904.exe  (PID 5080, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr785904.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku476756.exe  (PID 112, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku476756.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 5100, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1672
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr000164.exe  (PID 4396, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr000164.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 4300, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 112 -ip 112

Both WerFault.exe instances belong to the crash of PID 112 (ku476756.exe): the depth-4 one was spawned from the crashing process, the depth-1 one by the Windows Error Reporting service.
Network
MITRE ATT&CK Enterprise v6
Downloads

Four distinct files were captured, matching the four executed dropped EXEs in count; this export does not say which hash belongs to which file name.

Filesize: 175KB
MD5: e6433dce4b18da2cc90faada22cb1d50
SHA1: cca62e812ca5b8e650b3a88a1b3ecc9007400d7c
SHA256: 24637c4d1bde940d0b28a70d738172bae9e37c51dd8608bc13f9413c12242de3
SHA512: 13cdd2a00b4e895d99e9f10c8095cab2682096915af528804dc0cccb36c40b5973899bdde6e8a3c22ef2e25d7f4d898fa93a329d1c08c36db2a7f94425505ea1

Filesize: 379KB
MD5: f4029cf68018709a48529fcf0343987b
SHA1: 9921a3d11c8379dedda9c81098aac45e2accce21
SHA256: cf7a413c67e4e0640a62151ad563436a58ec8599515a537f39b5bc3f6f0e52af
SHA512: 14e1a441384d5457609bbdf8a47d31c40f2e455dbd484965e807d6c4a0cdba84d090c91bd4b39e0ea9bf7a87bf093453ae8df701eb2720b951244878aaf5d8de

Filesize: 15KB
MD5: 27e4a495b2168b2964127f58501fe3b9
SHA1: 1f1c8861dfdc021455975c5d20b3c081548b5c7b
SHA256: 092acbb0e785cb3e61448150e2cd0986a165ddb6f40497b095134957513a491f
SHA512: 0e60a80b6d9b95b88dcefb3110836b12b81b5192ee626904e30453f4b3a5812d295b88ebdaed41564fe4eac01edd4fad33d89c54d20da8248e0209fcddb4ef53

Filesize: 294KB
MD5: 1321c634e7eeee5734bed3850cef99a9
SHA1: e9a665a99a6816a928675a95339d8017ee78eb33
SHA256: 2dbd1a21be1100b2846df51948a229c9a7cd1dccabd8af20194e774d1df95bfd
SHA512: 41171b663b8a7f87f7bcb6a350e0da07f1db2de7f0a233d30d308eff7037fa47e5df26662aab066f6358e104abfbb26ae3c3ab2ff31b331cc2afa38b9ddca281