Analysis
max time kernel: 228s
max time network: 285s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 18:42
Static task: static1
Behavioral task: behavioral1
  Sample: da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
  Resource: win10v2004-20230221-en
General
Target: da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
Size: 1.5MB
MD5: e151f1b1bcf6a54cce98e1ddc76a2bfe
SHA1: 1975670e187659e6b145f5fd02271d6778131b8c
SHA256: da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb
SHA512: 7b08d520483e6595c5a7a142e9d93f0736a50472c62dc766823f20dc8c83d30d3809f07587fe34df85dbadbaeb514e4edf6c8cc5eac75a40784f59662cf26d0d
SSDEEP: 24576:xyUA3zBAhj3Z8cn5RvogpsAwVmJXG0sj0gmRz4CJTAIj0aP2uq5Y:kUADBAhN8c5lobAwVm5W9CJ340
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4708-169-0x0000000005340000-0x0000000005958000-memory.dmp
  yara_rule: redline_stealer
The only match is on a memory dump of PID 4708 (a20582316.exe, the last process in the chain below, region 0x05340000 to 0x05958000), not on any file written to disk: the string rule fired on the payload once it was unpacked in memory. Use the dropped-file hashes under Downloads for blocking, but do not expect an on-disk scan with this rule to flag the wrapper stages.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
  pid   Process
  2040  i83059884.exe
  3044  i04947957.exe
  4748  i93713933.exe
  3868  i71634808.exe
  4708  a20582316.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
All ten entries are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (HKLM, 32-bit view); the values are shown unescaped, as they sit in the registry.
  da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
    Key created      RunOnce
    Set value (str)  RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  i83059884.exe
    Key created      RunOnce
    Set value (str)  RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  i04947957.exe
    Key created      RunOnce
    Set value (str)  RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  i93713933.exe
    Key created      RunOnce
    Set value (str)  RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
  i71634808.exe
    Key created      RunOnce
    Set value (str)  RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"
Despite the signature's name, none of these values starts the payload. wextract_cleanupN is the entry that wextract.exe, the IExpress self-extractor stub, registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP extraction folder at the next logon; it removes evidence rather than persisting anything. What is telling is that five consecutive processes each register one: that is the fingerprint of a five-layer nested IExpress wrapper, each layer unpacking the next into IXP00N.TMP and running it, with the RedLine payload (a20582316.exe) at the bottom.

Suspicious use of WriteProcessMemory (15 IoCs)
  PID   Process                                                                  wrote to memory of   procid_target   events
  2092  da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe    2040                 80              3
  2040  i83059884.exe                                                            3044                 81              3
  3044  i04947957.exe                                                            4748                 82              3
  4748  i93713933.exe                                                            3868                 83              3
  3868  i71634808.exe                                                            4708                 84              3
Every entry is a parent writing, three times, into the child it has just created and nothing else, which is what process creation itself looks like to the sandbox's hook. These rows restate the process tree; they are not on their own evidence of injection into an unrelated process. The memory-resident RedLine match in PID 4708 is the signal that matters.
Processes
1. C:\Users\Admin\AppData\Local\Temp\da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe"
   PID: 2092
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe
      PID: 2040
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe
         PID: 3044
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe
            PID: 4748
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe
               PID: 3868
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe
                  PID: 4708
                  - Executes dropped EXE
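The chain above can be rebuilt mechanically from the report's own rows, and the nested-wrapper pattern can be scored rather than eyeballed. The script below is an added example written for this page; it is not tooling from the sandbox vendor or from any RedLine analysis. Its input is the WriteProcessMemory, Executes dropped EXE and RunOnce rows copied from the Signatures section (constructed inline so it runs offline, with the three identical WriteProcessMemory events per process start collapsed to one). It pairs each process with the wextract_cleanupN value it set, i.e. the IXP00N.TMP folder it scheduled for deletion, walks the longest parent-to-child path, and raises a nested-SFX alert. NESTED_SFX_ALERT_DEPTH is a hypothetical tuning value, not something the report states.

```python
"""Rebuild a dropper chain from sandbox report rows and flag nested IExpress layers.

Added example for this page, not the sandbox's or any vendor's code. Input rows
are copied from the Signatures section and embedded here as constructed sample
input so the script runs offline.
"""
import re

# One "wrote to memory" row per process start (the report repeats each three times).
WRITE_ROWS = """
PID 2092 wrote to memory of 2040 2092 da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe 80
PID 2040 wrote to memory of 3044 2040 i83059884.exe 81
PID 3044 wrote to memory of 4748 3044 i04947957.exe 82
PID 4748 wrote to memory of 3868 4748 i93713933.exe 83
PID 3868 wrote to memory of 4708 3868 i71634808.exe 84
"""

# "Executes dropped EXE" row: pid / image pairs.
DROPPED_EXE_ROWS = "2040 i83059884.exe 3044 i04947957.exe 4748 i93713933.exe 3868 i71634808.exe 4708 a20582316.exe"

# "Set value" rows from the RunOnce signature, with the report's own escaping.
RUNONCE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" i83059884.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" i71634808.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" i04947957.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" i93713933.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
'''

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
EXE_RE = re.compile(r"(\d+) (\S+\.exe)")
RUNONCE_RE = re.compile(r"wextract_cleanup(\d+) = .*?DelNodeRunDLL32 .*?(IXP\d{3}\.TMP).*? (\S+)$", re.M)

# Hypothetical threshold: a single IExpress layer is common in legitimate
# installers; two or more layers, each unpacking the next, is a loader pattern.
NESTED_SFX_ALERT_DEPTH = 2


def parse_tree(write_rows):
    """Return (pid -> [child pids], pid -> image name) for every writing process."""
    children, names = {}, {}
    for src, dst, src_name, _target in WRITE_RE.findall(write_rows):
        src, dst = int(src), int(dst)
        names.setdefault(src, src_name)
        kids = children.setdefault(src, [])
        if dst not in kids:          # the sandbox logs each write three times
            kids.append(dst)
    return children, names


def parse_dropped(dropped_rows):
    return {int(pid): name for pid, name in EXE_RE.findall(dropped_rows)}


def parse_cleanup_stages(runonce_rows):
    """image name -> (stage N, IXP00N.TMP folder that process scheduled for deletion)."""
    return {proc: (int(n), folder) for n, folder, proc in RUNONCE_RE.findall(runonce_rows)}


def longest_chain(children, pid):
    """Deepest parent-to-child path starting at pid (the tree here is linear)."""
    best = [pid]
    for kid in children.get(pid, []):
        cand = [pid] + longest_chain(children, kid)
        if len(cand) > len(best):
            best = cand
    return best


def analyse(write_rows=WRITE_ROWS, dropped_rows=DROPPED_EXE_ROWS, runonce_rows=RUNONCE_ROWS):
    children, names = parse_tree(write_rows)
    names.update(parse_dropped(dropped_rows))
    stages = parse_cleanup_stages(runonce_rows)
    written_to = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in written_to]
    chain = longest_chain(children, roots[0])
    layers = []
    for pid in chain:
        name = names.get(pid, "?")
        stage = stages.get(name)
        layers.append({"pid": pid, "process": name,
                       "sfx_stage": stage[0] if stage else None,
                       "extract_dir": stage[1] if stage else None})
    sfx = [layer for layer in layers if layer["sfx_stage"] is not None]
    return {
        "chain": [layer["process"] for layer in layers],
        "layers": layers,
        "sfx_layers": len(sfx),
        "final_payload": layers[-1]["process"],
        "nested_sfx_alert": len(sfx) >= NESTED_SFX_ALERT_DEPTH,
    }


if __name__ == "__main__":
    result = analyse()
    for layer in result["layers"]:
        print(f"{layer['pid']:>5}  {layer['process']:<70} stage={layer['sfx_stage']} dir={layer['extract_dir']}")
    print("nested SFX layers:", result["sfx_layers"], "alert:", result["nested_sfx_alert"])
```

The only process without a wextract_cleanup entry is the leaf, a20582316.exe, which is also the process whose memory the RedLine rule matched; everything above it in the chain is packaging. The same three regexes apply unchanged to other reports from this sandbox, so the heuristic transfers to sibling samples of the loader.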
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files (5 distinct)

Filesize: 1.3MB
  MD5: 75e2e8a68f3e169ca335ced472c76eb2
  SHA1: 13a26523dcb297127a80440db2f7fbef9ca28e96
  SHA256: 099ff1a452fd989eeca271c8ff3f4a403dd873d799339f3bfd0a6e1f0dd0f22f
  SHA512: dca86ab91577a033cafbee40098a0ecabbbfd4cc3952525bcf3ca663beadb83a79ac414fda16f581f50bb63084e715d6f75ee350f240ae45bcaf6b95d401b397

Filesize: 1016KB
  MD5: 2888bcf1c957d110fce19b396aa4b7c1
  SHA1: 378836ee5a12eeb76d8024c10a8bd592b80295ff
  SHA256: aeb2045004143e7d484345a685c6ef3f68ac8245da91017f946e408ce745d4dc
  SHA512: 97efa9c030c6ea95ded5c58346112188f1e46657c0138ec056a4826999a8d7dd5e7ab1fb37c779c8ca1bf5236382147897f4ef1fe831afbf9e17d8ca5bfdb523

Filesize: 844KB
  MD5: 80c5e9c28271e21d5a6b88fa6c819c00
  SHA1: 31fb791a8f63c7821bc475788b12e96dfbb933fe
  SHA256: 52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0
  SHA512: 83862d521f563c7afd58429b2ce8e35308cc433608af84eb27a008c79d4b40454624321a1cd1b05c7c213160a39c22f3f3a21365f9543386d34ec3e80de4ab24

Filesize: 371KB
  MD5: 861b034b9d1fd6977a2cabb72044a6a8
  SHA1: 810f628adbef8b54735883617f67a585ee7eb1bf
  SHA256: f43694e668258003a175a2f86c35fbf4b1724a99d0baba7474ad90c92692041b
  SHA512: 5170e2f1f9b333b33575438b95fcd71ee83f7865f0f42a1532582df4eab4ca0828ca72354e2a5cc498465f64adc63485d65f9b2ab3e4c4e0cb4971f7b21cdd82

Filesize: 169KB
  MD5: e3910c70876d2cf8e33d1949f9aa09f2
  SHA1: f338e8b564e8a8b4ac6b33ab8287e000e4f3ea19
  SHA256: 2d715e490c801611472e9935c22561689f25957aafaa11d0e7ea6a61ddf060bb
  SHA512: c576861d4c9d52c974f1a8cdbad766e599970c0f27aa014abd83ccca0e347d9d005cf3f3d002653d9f2bcf3b77f5ad3475e332ce68f40975d71c9ba705bcadf8
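Reports like this one are usually scraped into a blocklist, and the scrape is where mistakes creep in: the page fuses the digest label onto the hex ("MD575e2..."), lists each file twice, and the parent sample's own hashes sit a few sections up. The following Python is an added example for this page, not the sandbox's code; it parses a copy of the Downloads block in the fused form the page uses (constructed sample input, with two of the duplicate pairs kept to exercise the dedup), validates every digest's length and alphabet, drops duplicates on SHA256, and flags any dropped file that is actually the submitted sample again (a self-copying dropper would show up that way).

```python
"""Normalise a sandbox report's dropped-file block into a validated, deduplicated IoC list.

Added example for this page (not the sandbox's code). DOWNLOADS is constructed
sample input copied from the Downloads section in the page's fused label form.
"""
import re

DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label may be fused to its value ("MD5<hex>") or separated by a newline ("Filesize\n1.3MB").
ENTRY_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S+)$", re.M)

# SHA256 of the submitted sample, from the General section.
SUBMITTED_SHA256 = "da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb"

DOWNLOADS = """
Filesize
1.3MB
MD575e2e8a68f3e169ca335ced472c76eb2
SHA113a26523dcb297127a80440db2f7fbef9ca28e96
SHA256099ff1a452fd989eeca271c8ff3f4a403dd873d799339f3bfd0a6e1f0dd0f22f
SHA512dca86ab91577a033cafbee40098a0ecabbbfd4cc3952525bcf3ca663beadb83a79ac414fda16f581f50bb63084e715d6f75ee350f240ae45bcaf6b95d401b397
Filesize
1.3MB
MD575e2e8a68f3e169ca335ced472c76eb2
SHA113a26523dcb297127a80440db2f7fbef9ca28e96
SHA256099ff1a452fd989eeca271c8ff3f4a403dd873d799339f3bfd0a6e1f0dd0f22f
SHA512dca86ab91577a033cafbee40098a0ecabbbfd4cc3952525bcf3ca663beadb83a79ac414fda16f581f50bb63084e715d6f75ee350f240ae45bcaf6b95d401b397
Filesize
1016KB
MD52888bcf1c957d110fce19b396aa4b7c1
SHA1378836ee5a12eeb76d8024c10a8bd592b80295ff
SHA256aeb2045004143e7d484345a685c6ef3f68ac8245da91017f946e408ce745d4dc
SHA51297efa9c030c6ea95ded5c58346112188f1e46657c0138ec056a4826999a8d7dd5e7ab1fb37c779c8ca1bf5236382147897f4ef1fe831afbf9e17d8ca5bfdb523
Filesize
1016KB
MD52888bcf1c957d110fce19b396aa4b7c1
SHA1378836ee5a12eeb76d8024c10a8bd592b80295ff
SHA256aeb2045004143e7d484345a685c6ef3f68ac8245da91017f946e408ce745d4dc
SHA51297efa9c030c6ea95ded5c58346112188f1e46657c0138ec056a4826999a8d7dd5e7ab1fb37c779c8ca1bf5236382147897f4ef1fe831afbf9e17d8ca5bfdb523
Filesize
844KB
MD580c5e9c28271e21d5a6b88fa6c819c00
SHA131fb791a8f63c7821bc475788b12e96dfbb933fe
SHA25652f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0
SHA51283862d521f563c7afd58429b2ce8e35308cc433608af84eb27a008c79d4b40454624321a1cd1b05c7c213160a39c22f3f3a21365f9543386d34ec3e80de4ab24
Filesize
371KB
MD5861b034b9d1fd6977a2cabb72044a6a8
SHA1810f628adbef8b54735883617f67a585ee7eb1bf
SHA256f43694e668258003a175a2f86c35fbf4b1724a99d0baba7474ad90c92692041b
SHA5125170e2f1f9b333b33575438b95fcd71ee83f7865f0f42a1532582df4eab4ca0828ca72354e2a5cc498465f64adc63485d65f9b2ab3e4c4e0cb4971f7b21cdd82
Filesize
169KB
MD5e3910c70876d2cf8e33d1949f9aa09f2
SHA1f338e8b564e8a8b4ac6b33ab8287e000e4f3ea19
SHA2562d715e490c801611472e9935c22561689f25957aafaa11d0e7ea6a61ddf060bb
SHA512c576861d4c9d52c974f1a8cdbad766e599970c0f27aa014abd83ccca0e347d9d005cf3f3d002653d9f2bcf3b77f5ad3475e332ce68f40975d71c9ba705bcadf8
"""


def parse_downloads(text):
    """Split the block into one record per Filesize entry, digests lower-cased."""
    records, current = [], None
    for label, value in ENTRY_RE.findall(text):
        if label == "Filesize":
            current = {"size": value}
            records.append(current)
        elif current is not None:
            current[label.lower()] = value.lower()
    return records


def validate(record):
    """Names of digests that are missing, wrongly sized, or not lower-case hex."""
    bad = []
    for name, length in DIGEST_LENGTHS.items():
        value = record.get(name.lower(), "")
        if not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            bad.append(name)
    return bad


def build_ioc_list(text=DOWNLOADS, submitted_sha256=SUBMITTED_SHA256):
    """Deduplicate on SHA256 (first occurrence wins) and annotate each record."""
    unique = {}
    for rec in parse_downloads(text):
        rec["problems"] = validate(rec)
        rec["is_submitted_sample"] = rec.get("sha256") == submitted_sha256
        unique.setdefault(rec.get("sha256"), rec)
    return list(unique.values())


if __name__ == "__main__":
    for ioc in build_ioc_list():
        flag = "BAD " + ",".join(ioc["problems"]) if ioc["problems"] else "ok"
        print(f"{ioc['size']:>7}  {ioc['sha256']}  {flag}")
```

Only records with an empty problems list should be pushed to a blocklist; a truncated or mis-pasted digest that slips through matches nothing and silently weakens the list.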