Analysis
max time kernel: 52s
max time network: 71s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-04-2023 15:47
Static task: static1
Behavioral task: behavioral1
Sample: 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe
Resource: win10-20230220-en
General
Target: 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe
Size: 660KB
MD5: 0695e435e43e3b02ab56495b631c3aec
SHA1: d843d413781b86837ffe4100620c7e2d2d904001
SHA256: 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45
SHA512: 540d61c22c5a7f5b0da5965ee091c3781cc1e4b3664b589d4d822b7fac3889075670d54a58f96207e12863c2604c5d77415548c2efabbb401052f1cd0121baf1
SSDEEP: 12288:lMrPy90iwmPnevaDtBIjshfvLZ0kZwVd0PsZrLiRiVaWPkNa22:mypwkneu2jshrHZCd2sZ6RiV5kNr2
Malware Config
Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Extracted
Family: redline
Botnet: spora
C2: 176.113.115.145:4125
auth_value: 441b39ab37774b2ca9931c31e1bc6071
Both extracted configurations report to the same endpoint, 176.113.115.145 on TCP port 4125, and differ only in botnet ID and auth_value, so a single network indicator for that host:port pair covers both builds.
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6534.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6534.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6534.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6534.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6534.exe
These five values live under HKLM\SOFTWARE\Policies, the Group Policy branch that takes precedence over the Defender UI settings, so writing them requires administrative rights (the sandbox ran the sample as the Admin user). Together they turn off real-time monitoring, on-access scanning, behaviour monitoring and IOAV (download and attachment) scanning.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 20 IoCs
resource yara_rule
behavioral1/memory/2300-177-0x0000000002250000-0x0000000002296000-memory.dmp family_redline
behavioral1/memory/2300-178-0x0000000002540000-0x0000000002584000-memory.dmp family_redline
behavioral1/memory/2300-179-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-180-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-182-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-184-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-186-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-188-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-190-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-192-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-194-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-196-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-198-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-200-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-202-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-204-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-206-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-208-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-210-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
behavioral1/memory/2300-212-0x0000000002540000-0x000000000257F000-memory.dmp family_redline
All 20 hits are memory dumps of PID 2300 (qu0027.exe, see "Executes dropped EXE" below), so the family_redline rule matched the unpacked payload in that process's memory.
Executes dropped EXE 4 IoCs
pid Process
1804 un575395.exe
3836 pro6534.exe
2300 qu0027.exe
4372 si405411.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6534.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6534.exe
Tamper Protection was introduced in Windows 10 version 1903; the sandbox image is 1703, so nothing stopped this write. On a current host with Tamper Protection enabled, this write and the Real-Time Protection policy changes above are blocked or ignored by Defender, and the attempt itself is the detection opportunity. The WOW6432Node path shows pro6534.exe is a 32-bit process.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un575395.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un575395.exe
Despite the signature name, these RunOnce values are not payload persistence: wextract_cleanupN entries calling advpack.dll,DelNodeRunDLL32 are the standard clean-up that the Windows wextract.exe (IExpress) self-extractor stub registers to delete its IXP00n.TMP extraction directory at next logon. Two such entries mean the sample is a self-extracting package (IXP000.TMP) that contains a second self-extracting package, un575395.exe (IXP001.TMP); the directories named here are where the dropped stages are written.
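The three registry tables above (Defender Real-Time Protection policy, Tamper Protection, RunOnce) all record writes in the same textual form. The following Python script is an added example, not part of this report or of the sandbox that produced it: it parses rows in that form, rates the Defender-disabling writes as high, and recognises the wextract clean-up command so it is not mistaken for persistence. The rows are copied from this page; the severity labels and the helper names (classify, triage) are this example's own choices.

```python
import re

# Registry IoC rows as printed in the report's signature tables, one row per
# line (constructed input for this example; the values are the page's own).
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro6534.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro6534.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro6534.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro6534.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro6534.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro6534.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro6534.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un575395.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un575395.exe',
]

# Row grammar: <operation> <key[\value]> [= "<data>"] <process>
# Keys may contain spaces ("Windows Defender"), so the key is matched lazily
# and the process name is anchored as the last space-free token.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<proc>\S+)$'
)
DEFENDER_POLICY = '\\registry\\machine\\software\\policies\\microsoft\\windows defender\\'
RUNONCE = '\\microsoft\\windows\\currentversion\\runonce'
# wextract's clean-up command: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>";
# the report renders the inner quotes and backslashes escaped.
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 \\"(?P<dir>.+?)\\"$')


def classify(row):
    """Parse one registry IoC row and rate it (severity labels are this example's own)."""
    m = IOC_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    op, key, data, proc = m.group('op', 'key', 'data', 'proc')
    if op == 'Key created':
        path, name = key, None
    else:
        path, _, name = key.rpartition('\\')
    lpath = path.lower()  # registry paths are case-insensitive
    finding = {'process': proc, 'key': path, 'value': name, 'data': data,
               'severity': 'info', 'note': op}
    if lpath.startswith(DEFENDER_POLICY) and name and name.startswith('Disable') and data == '1':
        finding.update(severity='high', note=f'Defender policy {name}=1 disables a protection component')
    elif name == 'TamperProtection' and data == '0':
        finding.update(severity='high', note='Defender Tamper Protection switched off')
    elif lpath.endswith(RUNONCE) and name:
        cm = CLEANUP_RE.search(data or '')
        if cm:
            # Standard wextract.exe behaviour: delete the IXP00n.TMP extraction
            # directory at next logon. Informational, but the directory is where
            # the dropped stages live, so keep it for triage.
            finding.update(severity='info', note='wextract self-extractor cleanup, not persistence',
                           cleanup_dir=cm.group('dir').replace('\\\\', '\\'))
        else:
            finding.update(severity='medium', note='RunOnce autostart entry')
    return finding


def triage(rows):
    """Classify every row and return the findings, highest severity first."""
    rank = {'high': 0, 'medium': 1, 'info': 2}
    return sorted((classify(r) for r in rows), key=lambda f: rank[f['severity']])


if __name__ == '__main__':
    for f in triage(REPORT_LINES):
        extra = f" dir={f['cleanup_dir']}" if 'cleanup_dir' in f else ''
        print(f"{f['severity']:6} {f['process']:14} {f['value'] or '(key)'}: {f['note']}{extra}")
```

Running it lists six high findings for pro6534.exe (the five policy values plus TamperProtection) and reports the two wextract entries as informational with the IXP000.TMP and IXP001.TMP directories extracted, which is the order an analyst wants to read the tables in.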
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
3836 pro6534.exe
3836 pro6534.exe
2300 qu0027.exe
2300 qu0027.exe
4372 si405411.exe
4372 si405411.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 3836 pro6534.exe
Token: SeDebugPrivilege 2300 qu0027.exe
Token: SeDebugPrivilege 4372 si405411.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
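The twelve write records above describe four parent/child pairs, three writes each, and every target is a process the writer itself launched (compare the Processes section below). That is the pattern of ordinary process creation, where the parent populates the new child's address space, rather than injection into a foreign process. The following Python script is an added example, not part of this report or of the sandbox: it rebuilds the process lineage from rows in exactly this form, refuses ambiguous lineage (a PID written by two parents), and fills in image names for the leaf processes from the "Executes dropped EXE" table. The rows and the PID-to-image mapping are copied from this page; the function names (parse_rows, build_tree, ancestry, render) are this example's own.

```python
import re
from collections import Counter

# The twelve "Suspicious use of WriteProcessMemory" rows from the report,
# one per line (constructed input; the values are the page's own).
WPM_ROWS = """
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 4148 wrote to memory of 1804 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 66
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 3836 1804 un575395.exe 67
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 1804 wrote to memory of 2300 1804 un575395.exe 68
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
PID 4148 wrote to memory of 4372 4148 36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe 70
"""

# Image names for PIDs that never write anything themselves, taken from the
# report's "Executes dropped EXE" table.
DROPPED = {1804: 'un575395.exe', 3836: 'pro6534.exe', 2300: 'qu0027.exe', 4372: 'si405411.exe'}

# Row grammar: PID <src> wrote to memory of <dst> <src> <writer image> <target index>
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$'
)


def parse_rows(text):
    """Return (writes per edge, edges in first-seen order, writer image names)."""
    counts, order, names = Counter(), [], {}
    for row in text.strip().splitlines():
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        edge = (int(m['src']), int(m['dst']))
        names[edge[0]] = m['image']
        if edge not in counts:
            order.append(edge)
        counts[edge] += 1
    return counts, order, names


def build_tree(order):
    """Children and parent maps plus root PIDs; a PID with two writers is an error,
    because then the writes cannot be read as plain process creation."""
    children, parent = {}, {}
    for src, dst in order:
        children.setdefault(src, []).append(dst)
        if parent.get(dst, src) != src:
            raise ValueError(f'PID {dst} was written by both {parent[dst]} and {src}')
        parent[dst] = src
    roots = [pid for pid in children if pid not in parent]
    return children, parent, roots


def ancestry(pid, parent):
    """Chain of PIDs from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(text, extra_names=DROPPED):
    """Indented lineage lines, one per process, with the write count from its parent."""
    counts, order, names = parse_rows(text)
    names = {**extra_names, **names}
    children, parent, roots = build_tree(order)
    lines = []

    def walk(pid, depth):
        writes = counts.get((parent.get(pid), pid), 0)
        tag = f' ({writes} writes from parent)' if writes else ''
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render(WPM_ROWS)))
```

The rendered tree reproduces the Processes section: the sample (4148) spawns un575395.exe (1804) and si405411.exe (4372), and un575395.exe in turn spawns pro6534.exe (3836) and qu0027.exe (2300). A writer that targeted a PID outside its own subtree, or a PID with two writers, would be the case worth escalating as injection.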
Processes
[1] C:\Users\Admin\AppData\Local\Temp\36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe (PID 4148)
    command line: "C:\Users\Admin\AppData\Local\Temp\36eefd2a31f154e255c0c25d1d66178855cecd0d54794d61803904e5de161d45.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575395.exe (PID 1804)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un575395.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6534.exe (PID 3836)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6534.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0027.exe (PID 2300)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0027.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si405411.exe (PID 4372)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si405411.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 175KB
MD5: bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1: d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA256: 1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512: 679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

Filesize: 518KB
MD5: 237035c91490cca1b814e50f08b28552
SHA1: 8a559530cca375f599abf7ba6cc02a22928432ee
SHA256: 894f34a85fb07dd38fa7e60c7f47ccfe39215c81a3cefac0db8dd42f21a58f48
SHA512: d5ee2dc99edfb6df395d39697967e90cf8748c8a0099389bac367e8afac55405f66182076ce6301fa3257ef73a066c9fa454acc563a7a464936a17b7f44f11f9

Filesize: 236KB
MD5: 905f651eb46926e4553e9b3e3d6bb009
SHA1: c2aac8bdc978e43cd2c428e6cffee038f7eb0f1f
SHA256: bcc34128ae232dc45d7c40fe37a4fe95c17cd4e0af20eca2df14a971d91921b8
SHA512: 348fb40a55e7b0546f8b48088e11ed4450bc9400f5e462bd50639d46c888b11f1dad33713484a48bac01c9b0409cbb70c7e10bf40994e337629e7da7efb526b4

Filesize: 295KB
MD5: 7776568ac84af8ae6dc0948ea0562b28
SHA1: be07fba6202499dc798b76d7a0f4359117292da1
SHA256: bcf88d01bf330680f06c3780da0407370155cdf7a589d2e4ee13ae90a260bd51
SHA512: eb67e81f444f6f9c9760f97dc61a00f4747850165dcc0518c3b993395b9f7c94db7d55a4fc25772e41ab6eb19ed77622b77cf8d7c5d2d2a47cca0988ad69546c