Analysis
max time kernel: 238s
max time network: 275s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe
  Resource: win10v2004-20230221-en
General
Target: fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe
Size: 644KB
MD5: add745b6e38654a1d0ee8566fc29d363
SHA1: 7719eae533b94ad44c26cb84daecad37b0a65f5d
SHA256: fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940
SHA512: dfe898d59ed0284c665f056fab6aa289de82bdb2cf975a2b716abe20f2628662ff78ddc696ee8fe5f5cc15cca643dee49d6269847d10b51cf3d64f65fbaa71be
SSDEEP: 12288:2y9078xzKp3xtWSKGNZqWt6QuV7lrqQPZRlu8qx0iSPe7XfyXZND:2y1xzKmikK2pWwj0uve7XqND
Malware Config
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/4592-982-0x0000000009DC0000-0x000000000A3D8000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 18326323.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 18326323.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 18326323.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 18326323.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 18326323.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 18326323.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
  pid | Process
  336 | st618533.exe
  1400 | 18326323.exe
  4592 | kp433506.exe

Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 18326323.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 18326323.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | st618533.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | st618533.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1400 | 18326323.exe
  1400 | 18326323.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1400 | 18326323.exe
  Token: SeDebugPrivilege | 4592 | kp433506.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4220 wrote to memory of 336 | 4220 | fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe | 78
  PID 4220 wrote to memory of 336 | 4220 | fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe | 78
  PID 4220 wrote to memory of 336 | 4220 | fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe | 78
  PID 336 wrote to memory of 1400 | 336 | st618533.exe | 79
  PID 336 wrote to memory of 1400 | 336 | st618533.exe | 79
  PID 336 wrote to memory of 1400 | 336 | st618533.exe | 79
  PID 336 wrote to memory of 4592 | 336 | st618533.exe | 82
  PID 336 wrote to memory of 4592 | 336 | st618533.exe | 82
  PID 336 wrote to memory of 4592 | 336 | st618533.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fe3b1ed46f48fedf189d82841757339f75d4b9ed69eb18ddd2ffc2e57928f940.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4220
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st618533.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st618533.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 336
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18326323.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18326323.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1400
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp433506.exe (depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp433506.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4592
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 489KB
MD5: 79cff599fcc2b79dd55645595fd36963
SHA1: 993f5ba1be7d12150246ed191093687c5d8c6eee
SHA256: 2a95c9b1701b5549eddddc93c93e7f113dabffb6f762c271c0a8075001243e62
SHA512: b2f4ef976eece8b6dee53f5c4236c2c18623b43a5f87f1a3fe4e894b52cf5b2dd865edc37c822f9100f6ccc383dbc92a68e6202cf5ce679524a7bb2aa0ea5005

Filesize: 175KB
MD5: 3d10b67208452d7a91d7bd7066067676
SHA1: e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256: 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512: b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Filesize: 348KB
MD5: 1b6b914aec47b0255742b156456229f0
SHA1: 0fb2ad395dfda1227922af244c2323dced6f25fc
SHA256: 2bbc822303bd5a1f6a4b00ccd5c9f82d3ed7cb931d973d27bf1f9ac14efd9ed7
SHA512: d00d9675d54627e3fedc457b902dd4edeb73144f14b3202c775c5ebba6a1c027f0675126e35d0129b5ccf866f09ce354a1499848a8e6ae8392b23c62ff49156e