Analysis
-
max time kernel
100s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
03-04-2023 20:12
Static task
static1
Behavioral task
behavioral1
Sample
fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe
Resource
win10v2004-20230220-en
General
-
Target
fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe
-
Size
658KB
-
MD5
bc8e2db8eed3705d26acdf89df13c40a
-
SHA1
4e4c1a9728625d5ca1130d436781ea202ca4875b
-
SHA256
fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090
-
SHA512
136b89beaa912e41882ecb8e38be6e00316841417bf31d05256cd89c25b3b9c37378c6c1ca8feb1eec51f6b1e6839c01506a73dab14206d8e5eec6f93c09c4d7
-
SSDEEP
12288:XMrQy90ZPka9q5TfLD8WkF/nqUA4skTeO72Lt8OxxGH144fzWKb88vAF9/SN:vyZ5TfQFSUonh7IHm4qK4Fe
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pro3724.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
resource yara_rule behavioral1/memory/5044-191-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-194-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-196-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-192-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-198-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-200-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-202-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-204-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-206-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-208-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-210-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-212-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-214-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-216-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-218-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-220-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-222-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-224-0x0000000005020000-0x000000000505F000-memory.dmp family_redline behavioral1/memory/5044-263-0x0000000002240000-0x0000000002250000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 5032 un235301.exe 4516 pro3724.exe 5044 qu7593.exe 1312 si440136.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pro3724.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pro3724.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un235301.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un235301.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid pid_target Process procid_target 380 4516 WerFault.exe 85 4288 5044 WerFault.exe 91 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4516 pro3724.exe 4516 pro3724.exe 5044 qu7593.exe 5044 qu7593.exe 1312 si440136.exe 1312 si440136.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4516 pro3724.exe Token: SeDebugPrivilege 5044 qu7593.exe Token: SeDebugPrivilege 1312 si440136.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4480 wrote to memory of 5032 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 84 PID 4480 wrote to memory of 5032 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 84 PID 4480 wrote to memory of 5032 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 84 PID 5032 wrote to memory of 4516 5032 un235301.exe 85 PID 5032 wrote to memory of 4516 5032 un235301.exe 85 PID 5032 wrote to memory of 4516 5032 un235301.exe 85 PID 5032 wrote to memory of 5044 5032 un235301.exe 91 PID 5032 wrote to memory of 5044 5032 un235301.exe 91 PID 5032 wrote to memory of 5044 5032 un235301.exe 91 PID 4480 wrote to memory of 1312 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 95 PID 4480 wrote to memory of 1312 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 95 PID 4480 wrote to memory of 1312 4480 fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe"C:\Users\Admin\AppData\Local\Temp\fab55e61eff116d7e11d6a4b15199af0d7bead3bc3c8d20651d46220bf3c0090.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un235301.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un235301.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3724.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3724.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 10804⤵
- Program crash
PID:380
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7593.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7593.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 13244⤵
- Program crash
PID:4288
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si440136.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si440136.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4516 -ip 45161⤵PID:4236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5044 -ip 50441⤵PID:3056
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD589c60c92681267b6145a4985e37a43b3
SHA162b085a6a6afe0cd2d293822ee47288a64e3d5e3
SHA25653fb748f4a68beb8ed8fbd8d0f80626e92ed7cf259d64c61cf85fd83180bcc5b
SHA512272dd69bb76c11f3f41ddb370384f58b678e54c2b043fe3c3d0d33dac21d9b447d11b6573ef58ce209109f2360fd1c5d3fe36ff8148e8a05348cce6f9005f54c
-
Filesize
175KB
MD589c60c92681267b6145a4985e37a43b3
SHA162b085a6a6afe0cd2d293822ee47288a64e3d5e3
SHA25653fb748f4a68beb8ed8fbd8d0f80626e92ed7cf259d64c61cf85fd83180bcc5b
SHA512272dd69bb76c11f3f41ddb370384f58b678e54c2b043fe3c3d0d33dac21d9b447d11b6573ef58ce209109f2360fd1c5d3fe36ff8148e8a05348cce6f9005f54c
-
Filesize
516KB
MD56aeb2c8553feb8957cf1967fb5daea64
SHA16d0c215c9616430f11d8ceabe41e8fefb38233c3
SHA25659516c02f6030eafa3389da7c284e084aa20b50e94dbb7f9fe2d612f91edbf56
SHA512b378694a6b7fd74c9fc45b451d9096cdf20a522cfe88bcf599052b2373bc12943c11f76ad16a64c3244f59ac29a6ef1479b0ec383c281aabba320d0f64dd5535
-
Filesize
516KB
MD56aeb2c8553feb8957cf1967fb5daea64
SHA16d0c215c9616430f11d8ceabe41e8fefb38233c3
SHA25659516c02f6030eafa3389da7c284e084aa20b50e94dbb7f9fe2d612f91edbf56
SHA512b378694a6b7fd74c9fc45b451d9096cdf20a522cfe88bcf599052b2373bc12943c11f76ad16a64c3244f59ac29a6ef1479b0ec383c281aabba320d0f64dd5535
-
Filesize
235KB
MD561c1d5fd96ac36e5df8a5a9482d01b5c
SHA17d5f644f38b26316e8905ec4c5fbdcc038fc7973
SHA25661cc3dad28430081e4d8e23b821b66d3e03ab08738e7e857f760bcae94e854d7
SHA512d582bf50f57fd2f882702ca4451b5c0b3de2426c4fb553a12dfad16f8e905f79eb721a3264146f19efd4eaec193050157d2626f3172eb87e9e7852d6535b634b
-
Filesize
235KB
MD561c1d5fd96ac36e5df8a5a9482d01b5c
SHA17d5f644f38b26316e8905ec4c5fbdcc038fc7973
SHA25661cc3dad28430081e4d8e23b821b66d3e03ab08738e7e857f760bcae94e854d7
SHA512d582bf50f57fd2f882702ca4451b5c0b3de2426c4fb553a12dfad16f8e905f79eb721a3264146f19efd4eaec193050157d2626f3172eb87e9e7852d6535b634b
-
Filesize
294KB
MD55e33ef7f994cd7364df359b693290783
SHA1398a1457a28fa4c1f438c949f472d162e5293e65
SHA256452cedbcd6d9065274a15f7ac136d9687434c2ff8052e6308de9e4d7a39e0006
SHA512035ad1ff4b0d56e0e1909d41e0c01aa494bd4aaca8832c8cd9619dde0cd1bc2ec339e96a1be609b736a570adfe3cacdc4801d188db3af1746c472f6bfb58e7c5
-
Filesize
294KB
MD55e33ef7f994cd7364df359b693290783
SHA1398a1457a28fa4c1f438c949f472d162e5293e65
SHA256452cedbcd6d9065274a15f7ac136d9687434c2ff8052e6308de9e4d7a39e0006
SHA512035ad1ff4b0d56e0e1909d41e0c01aa494bd4aaca8832c8cd9619dde0cd1bc2ec339e96a1be609b736a570adfe3cacdc4801d188db3af1746c472f6bfb58e7c5