Analysis

max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 01/05/2023, 18:37
Static task: static1
Behavioral task: behavioral1 (sample d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe, resource win10v2004-20230220-en)
General

Target: d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Size: 747KB
MD5: 441f88bcf41639caed3a648d098442cf
SHA1: a589bdbb510d62a7083f84df582499274735d2cb
SHA256: d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e
SHA512: 752b3ff61f2a8bd4af18c4f60b6f84f8c5be66f993d1dfcda9a24888c1a96d63f8f80810902a39b85ca32e5656454098210749fadf3de153513669fc24eeeeac
SSDEEP: 12288:3y90LHeU5MUvfTisw5KEIjD6/BM92tmoB+8bIgWWv5RY5vGcILMbp:3y8h7isoPs6/OaZdbIgpMnILmp
Malware Config
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings. The match is in the memory of PID 1088, which the process list below identifies as rk649223.exe.
  resource: behavioral2/memory/1088-988-0x0000000007920000-0x0000000007F38000-memory.dmp
  yara_rule: redline_stealer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                 62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 62372485.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
  pid 4252  un940277.exe
  pid 716   62372485.exe
  pid 1088  rk649223.exe

Windows security modification (2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                         62372485.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   62372485.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce   un940277.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   un940277.exe
Both RunOnce values are the cleanup entries that an IExpress (wextract) self-extracting package registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP%03d.TMP extraction directory at next logon; they remove the dropped files rather than persist the payload, and the nested IXP000.TMP/IXP001.TMP directories show two such packages unpacked one inside the other.
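As an added example (not part of this report, and not Triage's or the sample's own code), the following Python classifies registry writes in the shape of the IoC rows above: the Defender Real-Time Protection and TamperProtection writes from this report are flagged high, while the two wextract_cleanup RunOnce values are recognised as IExpress cleanup rather than persistence. The sample events are this report's rows plus two constructed rows that do not appear in the report (a hypothetical Run\Updater entry and a policy write with data 0).

```python
"""Classify registry 'value set' events (Sysmon EID 13 shape) for the Defender
tampering and RunOnce writes seen in this report. Added example, not report output."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    target: str  # native key path plus value name, as the sandbox records it
    data: str    # value data rendered as a string
    image: str   # image name of the writing process


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" | "medium" | "info"
    key: str       # normalised key path
    image: str


_HIVES = (
    (re.compile(r"^\\REGISTRY\\MACHINE(?=\\)", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER(?=\\)", re.I), "HKU"),
)
_WOW64 = re.compile(r"\\WOW6432Node(?=\\)", re.I)
_RTP = re.compile(r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
                  r"Real-Time Protection\\(Disable\w+)$", re.I)
_TAMPER = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
_AUTORUN = re.compile(r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
                      r"(Run|RunOnce)\\([^\\]+)$", re.I)
# wextract.exe registers exactly this shape to delete its IXPnnn.TMP directory at next logon
_IEXPRESS_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"', re.I)


def normalize_key(native: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and drop the WOW6432Node segment, so the
    32-bit writer in this report and a 64-bit writer are matched by the same rule."""
    out = native
    for pat, hive in _HIVES:
        out = pat.sub(hive, out)
    return _WOW64.sub("", out)


def classify(ev: RegEvent) -> Optional[Finding]:
    key = normalize_key(ev.target)
    if _RTP.match(key) and ev.data.strip() == "1":
        return Finding("defender_realtime_protection_disabled", "high", key, ev.image)
    if _TAMPER.match(key):
        sev = "high" if ev.data.strip() == "0" else "medium"  # "0" is what this sample writes
        return Finding("defender_tamper_protection_write", sev, key, ev.image)
    m = _AUTORUN.match(key)
    if m:
        if (m.group(1).lower() == "runonce" and m.group(2).lower().startswith("wextract_cleanup")
                and _IEXPRESS_CLEANUP.search(ev.data)):
            return Finding("iexpress_extraction_cleanup", "info", key, ev.image)
        return Finding("autorun_persistence", "medium", key, ev.image)
    return None


def triage(events):
    """Return (findings in event order, {severity: count})."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return findings, dict(Counter(f.severity for f in findings))


_P = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_R = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
_CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00%s.TMP\"'
SAMPLE_EVENTS = [
    # Rows taken from this report (62372485.exe, PID 716)
    *[RegEvent(_P + "\\" + v, "1", "62372485.exe") for v in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")],
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "0", "62372485.exe"),
    RegEvent(_R + r"\wextract_cleanup0", _CLEANUP % "0",
             "d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe"),
    RegEvent(_R + r"\wextract_cleanup1", _CLEANUP % "1", "un940277.exe"),
    # Constructed rows, NOT in the report: a genuine autorun entry and a benign policy write
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\Admin\AppData\Roaming\upd.exe", "example.exe"),
    RegEvent(_P.replace(r"\WOW6432Node", "") + r"\DisableRealtimeMonitoring", "0", "gpupdate.exe"),
]

if __name__ == "__main__":
    found, counts = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.severity:6} {f.rule:40} {f.image}  {f.key}")
    print(counts)
```

The severity split is the practitioner's point: the six Defender writes by 62372485.exe are the actionable signal, the two RunOnce rows are normal IExpress behaviour that would otherwise inflate a "persistence" alert, and the constructed policy write with data 0 (which a GPO refresh can legitimately produce) is deliberately not flagged.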
Program crash (1 IoC)
  pid 1816  WerFault.exe  pid_target 716  procid_target 84

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 716  62372485.exe
  pid 716  62372485.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 716   62372485.exe
  Token: SeDebugPrivilege  pid 1088  rk649223.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3080 wrote to memory of 4252  (pid 3080, d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe, procid_target 83)
  PID 3080 wrote to memory of 4252  (pid 3080, d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe, procid_target 83)
  PID 3080 wrote to memory of 4252  (pid 3080, d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe, procid_target 83)
  PID 4252 wrote to memory of 716   (pid 4252, un940277.exe, procid_target 84)
  PID 4252 wrote to memory of 716   (pid 4252, un940277.exe, procid_target 84)
  PID 4252 wrote to memory of 716   (pid 4252, un940277.exe, procid_target 84)
  PID 4252 wrote to memory of 1088  (pid 4252, un940277.exe, procid_target 93)
  PID 4252 wrote to memory of 1088  (pid 4252, un940277.exe, procid_target 93)
  PID 4252 wrote to memory of 1088  (pid 4252, un940277.exe, procid_target 93)
Processes

C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe"
  PID: 3080
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
    PID: 4252
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
      PID: 716
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1008
        PID: 1816
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
      PID: 1088
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 716 -ip 716
  PID: 5004
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 593KB
MD5: 4c7a2a0b89157829e1e7718117963697
SHA1: d339aac1286cb16e099829a3614ae5bacb0590fa
SHA256: f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c
SHA512: 2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Filesize: 377KB
MD5: 15b74b3251aaf9ea9f9c978c0ec29958
SHA1: 0cf18286e9df7e851eb5ee85b983a7cd5440ab7a
SHA256: 16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0
SHA512: 0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Filesize: 460KB
MD5: 2a024d07dfcdfc911a8fa88fb299da8c
SHA1: 519b886a02163e6490239909e7a1b7039865a8f9
SHA256: 034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9
SHA512: d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef