Analysis
max time kernel: 83s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2023, 12:04
Static task: static1
Behavioral task: behavioral1
Sample: 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe
Resource: win10v2004-20230220-en
General
Target: 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe
Size: 522KB
MD5: 77248a524cf9dd110b98d67355e31092
SHA1: ca334a3fef0e0620bad180f4a867d899fc419708
SHA256: 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90
SHA512: 024c494fb59459fdfc38bef5d50fbc5d42b9ea44579dee908c1441f8c5ce9c8fe706fea1a80c80cd890bbb0c3e83d1b251501d1b7e92b720dd3feb8b40c66ef7
SSDEEP: 12288:jMr1y90o3/VqRY/bOs4p4Zpv32Nsmu5HZLEnAUCF9I:CyjoaUp4Zpv32Ns7ZLE4rI
Malware Config
Extracted
family: redline
botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
family: redline
botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Two RedLine configurations were recovered from the run. They share one C2 endpoint but carry different botnet tags and auth_value tokens, so the sample carries two separately built RedLine payloads. The IP:port is the network indicator to block; the auth_value is the authorisation string the client presents to the C2 and is specific to each build, which makes it useful for clustering samples from the same operator.
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr365683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr365683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr365683.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr365683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr365683.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr365683.exe
All six writes come from jr365683.exe, the 15KB-class helper dropped into IXP001.TMP, not from the RedLine payloads themselves. The values live under the Policies hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), so writing them needs administrative rights, and on a host where Tamper Protection is enabled Defender does not honour registry-driven attempts to switch real-time protection off; the sandbox image shows the writes succeeding, not that protection was actually disabled. On a real host, a Sysmon registry value-set event (Event ID 13) on any of these paths with data 1 is the detection to write.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 33 IoCs
resource | yara_rule
behavioral1/memory/4236-<n>-0x0000000005080000-0x00000000050BF000-memory.dmp | family_redline
All 33 hits are the family_redline YARA rule matching the same 0x3F000-byte region (0x0000000005080000-0x00000000050BF000) of PID 4236, which is ku587873.exe; <n> takes the values 158, 159, 161, 163, 165, 167, 169, 171, 173, 175, 177, 179, 181, 183, 185, 187, 189, 191, 193, 195, 197, 199, 201, 203, 205, 207, 209, 211, 213, 215, 217, 219 and 221. The payload is therefore only present unpacked in memory; the dropped file on disk is a loader and a disk-only scan with the same rule would miss it.
Executes dropped EXE 4 IoCs
pid | Process
3196 | ziqP5343.exe
4164 | jr365683.exe
4236 | ku587873.exe
4212 | lr005799.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr365683.exe
This is the same helper trying to switch Tamper Protection off directly in the registry before the Real-Time Protection policy writes above. Where Tamper Protection is on, that value is protected and a plain registry write does not take effect, so the attempt itself is the indicator rather than its result.
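The two Defender signature tables above are flattened rows of the form `Set value (int) <path>\<value> = "<data>" <process>`. The script below is an added example, not code from the report or the sandbox vendor: it parses rows in exactly that format, normalises the kernel-style `\REGISTRY\MACHINE\` prefix to `HKLM\`, and flags every write that sets a Defender value to its "protection off" data. The rows in `SAMPLE_ROWS` are copied from this report; the table of disabling values is the author's assumption about how Defender reads them (1 disables the named Real-Time Protection feature, TamperProtection 0 turns the guard off) and is not something the report states.

```python
"""Flag Windows Defender tampering in sandbox registry IoC rows.

Added example; not code from the report or from the sandbox vendor.
It parses rows written the way this report prints them,

    Set value (int) \\REGISTRY\\MACHINE\\...\\ValueName = "data" process.exe

and compares each write with a table of Defender values whose data
means "protection off". SAMPLE_ROWS are copied from the report. The
table is the author's assumption about how Defender reads these values
(1 disables the named feature; TamperProtection 0 switches the guard
off); the report itself does not say so.
"""
import re
from collections import defaultdict

RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# value path -> data that disables protection; keys lower-cased because
# registry paths are case-insensitive and sandboxes vary in casing.
DISABLING_WRITES = {
    k.lower(): v
    for k, v in {
        RTP + r"\DisableRealtimeMonitoring": "1",
        RTP + r"\DisableBehaviorMonitoring": "1",
        RTP + r"\DisableOnAccessProtection": "1",
        RTP + r"\DisableIOAVProtection": "1",
        RTP + r"\DisableScanOnRealtimeEnable": "1",
        FEATURES + r"\TamperProtection": "0",
    }.items()
}

ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<process>\S+)$'
)

SAMPLE = "9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe"
SAMPLE_ROWS = [  # copied from the report's signature tables
    f'Set value (int) {RTP}\\DisableOnAccessProtection = "1" jr365683.exe',
    f'Set value (int) {RTP}\\DisableRealtimeMonitoring = "1" jr365683.exe',
    f'Set value (int) {RTP}\\DisableScanOnRealtimeEnable = "1" jr365683.exe',
    f'Key created {RTP} jr365683.exe',
    f'Set value (int) {RTP}\\DisableBehaviorMonitoring = "1" jr365683.exe',
    f'Set value (int) {RTP}\\DisableIOAVProtection = "1" jr365683.exe',
    f'Set value (int) {FEATURES}\\TamperProtection = "0" jr365683.exe',
    # RunOnce write from the same report: parsed, but not a Defender value, so no finding
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    r'\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ' + SAMPLE,
]


def parse_row(row):
    """Return the fields of a 'Set value' row, or None for other row kinds (e.g. 'Key created')."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def hive_path(path):
    """Rewrite the kernel-style path the sandbox logs into the HKLM\\ form used in policy docs."""
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)


def defender_tamper_findings(rows):
    """One finding per write that sets a Defender value to its 'off' data."""
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        off_value = DISABLING_WRITES.get(rec["path"].lower())
        if off_value is not None and rec["data"] == off_value:
            findings.append(
                {"process": rec["process"], "value": hive_path(rec["path"]), "data": rec["data"]}
            )
    return findings


def by_process(findings):
    """Group the disabled value names by the process that wrote them."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["process"]].append(f["value"].rsplit("\\", 1)[1])
    return {proc: sorted(names) for proc, names in grouped.items()}


if __name__ == "__main__":
    for proc, names in by_process(defender_tamper_findings(SAMPLE_ROWS)).items():
        print(f"{proc}: {', '.join(names)}")
```

Run against the report's rows it attributes all six disabling writes to jr365683.exe and ignores the `Key created` row and the RunOnce write. A write of "0" to a Real-Time Protection value (re-enabling it) is deliberately not a finding, since only the disabling direction is the indicator.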
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziqP5343.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziqP5343.exe
These RunOnce entries are not persistence for the stealer. wextract_cleanup<N> pointing at advpack.dll,DelNodeRunDLL32 is the standard cleanup hook an IExpress/WExtract self-extracting executable registers to delete its IXP00<N>.TMP extraction directory at next logon. Together with the IXP000.TMP and IXP001.TMP paths in the process tree this shows the sample is two nested self-extracting layers: the outer one unpacks ziqP5343.exe and lr005799.exe into IXP000.TMP, and ziqP5343.exe unpacks jr365683.exe and ku587873.exe into IXP001.TMP. Nothing in the run re-launches the payloads after reboot.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3764 | 4236 | WerFault.exe | 87
The crashing process, PID 4236, is ku587873.exe, the process whose memory matched the family_redline rule. Its crash is why WerFault.exe appears twice in the process tree (once as a child of ku587873.exe and once at top level) and it may also explain why the run recorded no network traffic from that payload.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4164 | jr365683.exe
4164 | jr365683.exe
4236 | ku587873.exe
4236 | ku587873.exe
4212 | lr005799.exe
4212 | lr005799.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4164 | jr365683.exe
Token: SeDebugPrivilege | 4236 | ku587873.exe
Token: SeDebugPrivilege | 4212 | lr005799.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4484 wrote to memory of 3196 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 85
PID 4484 wrote to memory of 3196 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 85
PID 4484 wrote to memory of 3196 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 85
PID 3196 wrote to memory of 4164 | 3196 | ziqP5343.exe | 86
PID 3196 wrote to memory of 4164 | 3196 | ziqP5343.exe | 86
PID 3196 wrote to memory of 4236 | 3196 | ziqP5343.exe | 87
PID 3196 wrote to memory of 4236 | 3196 | ziqP5343.exe | 87
PID 3196 wrote to memory of 4236 | 3196 | ziqP5343.exe | 87
PID 4484 wrote to memory of 4212 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 91
PID 4484 wrote to memory of 4212 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 91
PID 4484 wrote to memory of 4212 | 4484 | 9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe | 91
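Every target in the WriteProcessMemory table is a process the writer itself spawned, so the table is really the parent/child tree in flattened form (creating a child writes into its address space, which is why each pair repeats). The script below is an added example, not code from the report or the sandbox vendor: it rebuilds the tree from rows in the report's own column layout, and separately reports any PID written to by more than one process, which process creation alone does not explain and which would point at injection. The rows and the pid-to-name map are copied from this report's tables; the "possible injection" reading of a multi-writer target is the author's interpretation.

```python
"""Rebuild process lineage from the report's WriteProcessMemory rows.

Added example; not code from the report or the sandbox vendor. The rows
in SAMPLE_ROWS are copied from the "Suspicious use of WriteProcessMemory"
table, whose flattened columns are: description ("PID <pid> wrote to
memory of <target pid>"), pid, process name and procid_target (the
sandbox's internal id for the target, not a PID). Creating a child
process writes into the child's address space, so a parent/child pair
repeats; de-duplicating the pairs yields the tree. A target written to by
two different processes is not explained by process creation and is
reported separately as a possible injection (author's interpretation).
DROPPED comes from the report's "Executes dropped EXE" table.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<tid>\d+)$"
)

SAMPLE = "9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe"
SAMPLE_ROWS = [  # copied from the report
    f"PID 4484 wrote to memory of 3196 4484 {SAMPLE} 85",
    f"PID 4484 wrote to memory of 3196 4484 {SAMPLE} 85",
    f"PID 4484 wrote to memory of 3196 4484 {SAMPLE} 85",
    "PID 3196 wrote to memory of 4164 3196 ziqP5343.exe 86",
    "PID 3196 wrote to memory of 4164 3196 ziqP5343.exe 86",
    "PID 3196 wrote to memory of 4236 3196 ziqP5343.exe 87",
    "PID 3196 wrote to memory of 4236 3196 ziqP5343.exe 87",
    "PID 3196 wrote to memory of 4236 3196 ziqP5343.exe 87",
    f"PID 4484 wrote to memory of 4212 4484 {SAMPLE} 91",
    f"PID 4484 wrote to memory of 4212 4484 {SAMPLE} 91",
    f"PID 4484 wrote to memory of 4212 4484 {SAMPLE} 91",
]
DROPPED = {3196: "ziqP5343.exe", 4164: "jr365683.exe", 4236: "ku587873.exe", 4212: "lr005799.exe"}


def parse_writes(rows):
    """Unique (writer, target) PID pairs in first-seen order, plus a pid->name map for writers."""
    pairs, names, seen = [], {}, set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["proc"]
        if (src, dst) not in seen:
            seen.add((src, dst))
            pairs.append((src, dst))
    return pairs, names


def build_tree(pairs):
    """(roots, children): children maps a PID to the PIDs it wrote to; roots were never written to."""
    children, targets = defaultdict(list), set()
    for src, dst in pairs:
        children[src].append(dst)
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    return roots, dict(children)


def multi_writer_targets(pairs):
    """PIDs written to by more than one process: not explained by process creation alone."""
    writers = defaultdict(set)
    for src, dst in pairs:
        writers[dst].add(src)
    return {dst: sorted(ws) for dst, ws in writers.items() if len(ws) > 1}


def render(pids, children, names, indent=0):
    """Indented text tree, two spaces per level, depth-first in first-seen order."""
    lines = []
    for pid in pids:
        lines.append(" " * indent + f"{pid} {names.get(pid, '?')}")
        lines.extend(render(children.get(pid, []), children, names, indent + 2))
    return lines


if __name__ == "__main__":
    pairs, names = parse_writes(SAMPLE_ROWS)
    roots, children = build_tree(pairs)
    print("\n".join(render(roots, children, {**DROPPED, **names})))
    print("possible injection targets:", multi_writer_targets(pairs) or "none")
```

On this report's rows the rebuilt tree matches the Processes section below: 4484 spawns 3196 and 4212, and 3196 spawns 4164 and 4236. The WerFault.exe processes do not appear because nothing wrote into them; they are created by the Windows Error Reporting service, not by the sample.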
Processes
C:\Users\Admin\AppData\Local\Temp\9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe (depth 1, PID 4484)
  command line: "C:\Users\Admin\AppData\Local\Temp\9ab60b02c514d652b52fe7de5ce4e8840e9329cbfe7a664925e176281db7fd90.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe (depth 2, PID 3196)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqP5343.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe (depth 3, PID 4164)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365683.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe (depth 3, PID 4236)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku587873.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (depth 4, PID 3764)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1924
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe (depth 2, PID 4212)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr005799.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2664)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4236 -ip 4236
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 177KB
MD5: be3bdd8b81ff7a56987a01439d3b273f
SHA1: 0e848d19fc798009a2a71bed43264e731a891057
SHA256: b052aec3cf7b944784d8818ed3ac3b252f3ddb00f03229808a82d3dc00c86b4a
SHA512: 7fed91cd5134161407403e6eb43c73468e34b93c1ecf03edbbab7a2dd39db11fde9ddf15b4a05b388fb5ad70581cced444d3b54d32df76125a64e8c86a74b84c

Filesize: 380KB
MD5: 32d42ccb716e94e36b932e9ef596a7a2
SHA1: 27dbaae89d2bb2b5d240f6ce8053f0b5aaa14384
SHA256: 084399034bb73b14056fe6c8accb7294a29a68f45b50aa43f22489aa12db4c52
SHA512: c939d468e87cd8de4cbfdc6d67379b879869e861fc1d0f4ebe95970e96b99fd63162a60cba4917f651346dbbd250181075265ba5f59e4d44a38faaee9bb6e63c

Filesize: 15KB
MD5: cb75544663c3ac8913d16ee778a6cd7a
SHA1: 0285d21a42f7740adbb136676074c5413b8cd49b
SHA256: fb6fe21a4251be2676faf814152f2a068ba7cc7e1833827fe173dea18c96e415
SHA512: a22a8410d176964f017516f77b36319ca80bfc76dd8f5eaab0f207e6f836cf03b06bfa71a429e55d2fefcaa4d59d82555a71880974646a2d90ece2025416844e

Filesize: 295KB
MD5: 1efac1df6f23cd70bcccc53bd8afcae3
SHA1: eb1c31d3e18d179f970a1e761437158411a880c2
SHA256: c61648fc200d7bf3f4daccdf9a4dd325a3583def217c6ba9dba3ff8d6687132e
SHA512: 4d4d1752210467fbfeca34310ac5706d294e356e0ec56a1e66bfe4fbfeda4f492d099eff8519f053977e8a02e6fc61bce9e1cd60d035e13333c33a99100f389c