Analysis

max time kernel: 231s
max time network: 251s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted: 01/05/2023, 19:25
Static task: static1

Behavioral task: behavioral1
  Sample: fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
  Resource: win10v2004-20230221-en
General

Target: fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
Size: 691KB
MD5: 29b40358b0c7266e8c11d8487e972eea
SHA1: 0a2fcffdb0aa792a45ef05004f810940fef292dc
SHA256: fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1
SHA512: 449f09645a2566010f4d005adf34b0be041fd05a32beca3915d157c313e031f5aa62a646b1f555248a6ad1cf3f07580e869731c7af0987e7bef7b339a40cfcf0
SSDEEP: 12288:ay900bUUcekt7K07hmDkX/SETqQgeiCYMvQz7trDe207ShcANBg+lePIG7SZKAND:ayzbtCKyYoXKETbghCYMqtrq2UANu8KO
Malware Config
Signatures

Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/2624-211-0x0000000007A30000-0x0000000008048000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 51593139.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 5 IoCs
  pid | Process
  3960 | un255172.exe
  1480 | 51593139.exe
  1960 | rk575995.exe
  4824 | rk575995.exe
  2624 | si157445.exe

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 51593139.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 51593139.exe
Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un255172.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un255172.exe

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 1960 set thread context of 4824 | 1960 | rk575995.exe | 85

Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  724 | 1480 | WerFault.exe | 80

Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  1480 | 51593139.exe
  1480 | 51593139.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1480 | 51593139.exe
  Token: SeDebugPrivilege | 4824 | rk575995.exe

Suspicious use of WriteProcessMemory 21 IoCs
  description | pid | Process | procid_target
  PID 732 wrote to memory of 3960 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 79
  PID 732 wrote to memory of 3960 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 79
  PID 732 wrote to memory of 3960 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 79
  PID 3960 wrote to memory of 1480 | 3960 | un255172.exe | 80
  PID 3960 wrote to memory of 1480 | 3960 | un255172.exe | 80
  PID 3960 wrote to memory of 1480 | 3960 | un255172.exe | 80
  PID 3960 wrote to memory of 1960 | 3960 | un255172.exe | 84
  PID 3960 wrote to memory of 1960 | 3960 | un255172.exe | 84
  PID 3960 wrote to memory of 1960 | 3960 | un255172.exe | 84
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 1960 wrote to memory of 4824 | 1960 | rk575995.exe | 85
  PID 732 wrote to memory of 2624 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 86
  PID 732 wrote to memory of 2624 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 86
  PID 732 wrote to memory of 2624 | 732 | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe (level 1, PID 732)
  command line: "C:\Users\Admin\AppData\Local\Temp\fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe (level 2, PID 3960)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe (level 3, PID 1480)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (level 4, PID 724)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1080
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe (level 3, PID 1960)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe (level 4, PID 4824)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe (level 2, PID 2624)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe
    - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 4700)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1480 -ip 1480
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Filesize: 537KB
MD5: 8703ae699b6b7025467d0c2a8a223102
SHA1: 6f5544d6e718de33257be2f4b3c45afe187742d2
SHA256: 2b1f87a53d65c18cee0f4682f3078e2ba092d651932c0a34d780e5ab9d6395df
SHA512: 584191cca4cba1cb0b35ead701a363723d039c1340517e5a5f1c9ceecfad7097f837d120426baa1422280a600fc8357457f7d1e0cf3f2ee27b401532bbe69e6e

Filesize: 259KB
MD5: 8094a3586d9c45eca9f38499312b2d38
SHA1: 919032480ff35763613e87cb4619d7d72c4d996d
SHA256: 45e5a15b23f6c09721e5efc2d651ca922af5cde864e99e65edcf4dbae1f5dc3b
SHA512: ceea89a25afb59562e77a55554ecce66fe3a536302f3ecb40a779f98039a7c2fc39cb2aaee5cc9aa1772fe6548d6e2417bd69c23c7fab4f23c7304f109b217ad

Filesize: 342KB
MD5: 4917f0ea51212be79d676877a568eced
SHA1: 0f71e179d494dfb71d0a5aeb7c6c0fab9cfa76fb
SHA256: 5d0ce5748792cb7c1b56cb3a9b899aed9c513dc31a6eff8c1a76999c0de15cce
SHA512: c81cc1ca501290130d2dbe78981feae0ca896b51f774722940b47e7c2d3455f05236f85d197593feea502973aee267caa509e0dc9173e1ff834d275bb84975c5