Analysis

max time kernel: 56s
max time network: 60s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/04/2023, 06:20

Static task: static1
Behavioral task: behavioral1
Sample: 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Resource: win10-20230220-en
General

Target: 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Size: 659KB
MD5: 4a57123379235a285862c40bb2510ad8
SHA1: c9d33ed48bc066c5d1c330d360bbae5ff5558e21
SHA256: 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd
SHA512: f9b690f929fbf96717a381f78fe6caee2397c154cfd31839eb78ddb573f2e1d3093ef2f7d21d50c5b24c544d4a0c0e9e7c9d9948e868eaba9a71239500aaa182
SSDEEP: 12288:nMray90k8DruS8ge7WHHzysgq5Hc2bfYJxxjfthh+dT:Jyc8gkWTysr582zYZfthh+dT
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pro3881.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pro3881.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pro3881.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pro3881.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pro3881.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
resource | yara_rule
behavioral1/memory/4176-174-0x00000000021F0000-0x0000000002236000-memory.dmp | family_redline
behavioral1/memory/4176-175-0x0000000002410000-0x0000000002454000-memory.dmp | family_redline
behavioral1/memory/4176-177-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-176-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-179-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-181-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-183-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-185-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-187-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-189-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-191-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-193-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-195-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-197-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-199-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-201-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-203-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-205-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-207-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
behavioral1/memory/4176-209-0x0000000002410000-0x000000000244F000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
pid | Process
3988 | un820182.exe
4056 | pro3881.exe
4176 | qu1464.exe
1812 | si294065.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pro3881.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pro3881.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un820182.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un820182.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4056 | pro3881.exe
4056 | pro3881.exe
4176 | qu1464.exe
4176 | qu1464.exe
1812 | si294065.exe
1812 | si294065.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4056 | pro3881.exe
Token: SeDebugPrivilege | 4176 | qu1464.exe
Token: SeDebugPrivilege | 1812 | si294065.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3236 wrote to memory of 3988 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 66
PID 3236 wrote to memory of 3988 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 66
PID 3236 wrote to memory of 3988 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 66
PID 3988 wrote to memory of 4056 | 3988 | un820182.exe | 67
PID 3988 wrote to memory of 4056 | 3988 | un820182.exe | 67
PID 3988 wrote to memory of 4056 | 3988 | un820182.exe | 67
PID 3988 wrote to memory of 4176 | 3988 | un820182.exe | 68
PID 3988 wrote to memory of 4176 | 3988 | un820182.exe | 68
PID 3988 wrote to memory of 4176 | 3988 | un820182.exe | 68
PID 3236 wrote to memory of 1812 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 70
PID 3236 wrote to memory of 1812 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 70
PID 3236 wrote to memory of 1812 | 3236 | 7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe | 70
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7263e24eab4e8ec377607e7fe74b1e32f5de11a090fa4ce15ff4c71693b7f1dd.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3236

  depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un820182.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3988

    depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3881.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4056

    depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1464.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4176

  depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si294065.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1812
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176KB
MD5: cd21a8c80d1b8997a67ee5b0a46f002a
SHA1: 25afbf5390d8089c9dfea56c5dc73e1907852792
SHA256: c1a2a86dc9f65b6ad928c81b16af66d3cc88827331ca8b205df27d52412bf884
SHA512: 470d6c6900a1b37f1c037cdcc38e058c057d21745fd9ba5a0eaa527cfb390295eb23400fa0769b5c9b7047f2cacb16b8786edfc7410f7d1c6ae9e73aa8564ec8

Filesize: 518KB
MD5: f948bf6ee1281ea8d9dddde6c4d45093
SHA1: 1172389d7d831a13d559808d99a158044d1dedf5
SHA256: e08b6ae24e825de6ca88da5b08045c37259142739e5855361aa1d5a97eb6196d
SHA512: 2c24cfe8bf00e29710d0aa90de1059f1ad29239341064b5e6afc5bd1362ce597578db1852c57a89199d86e63f1039f824d3b65302b3b96d81d3b25d6835b6fbe

Filesize: 237KB
MD5: b55902ecec5b6fbe46cb98d920aefc59
SHA1: 64c6d0aea24bf22b0982881e6ac65004dc631565
SHA256: bb0cb27a3f96a728b31454b401d91905a06cbfa66d643085a714f2d4c1f7e24c
SHA512: c9dec264d2ab69a63eee6fb9a114a6a4d655df74cd21f7e54cfb6bcbed05f41b557b092d9697586d0684ec3b2b46d46a5b54f76891c52d92434b57b1ff89245b

Filesize: 295KB
MD5: e70f9e20784f308a0e4d29b4726c35fe
SHA1: 06cac0ece0e41694649f544e785f6dd75b69cfd4
SHA256: 3058ea366bc4cfedc4287f7d42cb4cbaf52555bcac03c2b44c9d5529a15c19e7
SHA512: b563435aa73ab010a23ca0f0cae28df8837b7039952c8d79f1d59cef253bfbeb76cf0d8fa00f75893519936f5ddee4600e870096b6984225403a6667c1cbd3df