Analysis
-
max time kernel
240s -
max time network
259s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
05/05/2023, 18:23
General
-
Target
4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe
-
Size
1.2MB
-
MD5
59df4066422b0c50649fabcd283c05d3
-
SHA1
07dbcae5a88a1ee48b8fc02a4edc9482b5ee0282
-
SHA256
4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c
-
SHA512
0ba84cfad65c6d040fcbaf5c66c6fe99f2d46be91e176bdb508d839d0841c1c53a17ee4cf27474e010bb1e3202f60df948b2ff57362557b17820a37cf1f0bcfc
-
SSDEEP
24576:nyZEnlHUfcT5DV7PR6C/JhnFDXsFsI1uQYK1BRXWyBw++52THDG:yWHU0T5RzRDr5XsFsY1BRX2++SD
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe"C:\Users\Admin\AppData\Local\Temp\4fef6144af1eab04fb95c4a17793a29d562e5714af766d338e46c94051f1fb8c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6683454.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6683454.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815054.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815054.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7265315.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7265315.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1964081.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1964081.exe4⤵
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914KB
MD5123dd236919782276489c5d5d0153e95
SHA18a6f9cd6f1db639863bbdc6d59c72aa3b5fe313d
SHA25659f203cb545d3f2afeba58fda390b1540839fbd7542463ad590f79e3b151cf1d
SHA512341431f0afb0af639213f34db419bc1af94183d5a3054a1639b9bde7951bd0fdd7cb86ee885845a9fc72b8108ad2edaa768c5b4f64a875cf12e575b22f7d2686
-
Filesize
914KB
MD5123dd236919782276489c5d5d0153e95
SHA18a6f9cd6f1db639863bbdc6d59c72aa3b5fe313d
SHA25659f203cb545d3f2afeba58fda390b1540839fbd7542463ad590f79e3b151cf1d
SHA512341431f0afb0af639213f34db419bc1af94183d5a3054a1639b9bde7951bd0fdd7cb86ee885845a9fc72b8108ad2edaa768c5b4f64a875cf12e575b22f7d2686
-
Filesize
416KB
MD53ba91b7455589cd5621d2e6c5fa9fcd1
SHA10a67e20f04ca132a49da9ddd9c45ce606dc61f49
SHA2560868391c6786c157fbf37af16774e04e7bd3c0121f2ee4a1aa58cbdebb1ae14b
SHA512158db1327816e73d0c04429c3658f29c2b002fa23424bc2a82be7155359d4ff4a901c66f54005ccd83d87f3e116bc6e059fb31550186994643a388d741002b01
-
Filesize
416KB
MD53ba91b7455589cd5621d2e6c5fa9fcd1
SHA10a67e20f04ca132a49da9ddd9c45ce606dc61f49
SHA2560868391c6786c157fbf37af16774e04e7bd3c0121f2ee4a1aa58cbdebb1ae14b
SHA512158db1327816e73d0c04429c3658f29c2b002fa23424bc2a82be7155359d4ff4a901c66f54005ccd83d87f3e116bc6e059fb31550186994643a388d741002b01
-
Filesize
137KB
MD51da35ea199696ab2ae0d3e1fed9d3d31
SHA12cef0c0da8d9fbad5a423a9faad81dba8fdddcff
SHA25689ecb927a2edd64606b47f99c0fbe2f924ea4af755737c702d1dac451484ee93
SHA51241e420d76438cee42c53b114e1ec3464594c93789dbfebb9c11215900a7f507b6645a3d5b599beb9bcac86d1caaae711effdb24c101468479b8b51ddb1f6df5d
-
Filesize
137KB
MD51da35ea199696ab2ae0d3e1fed9d3d31
SHA12cef0c0da8d9fbad5a423a9faad81dba8fdddcff
SHA25689ecb927a2edd64606b47f99c0fbe2f924ea4af755737c702d1dac451484ee93
SHA51241e420d76438cee42c53b114e1ec3464594c93789dbfebb9c11215900a7f507b6645a3d5b599beb9bcac86d1caaae711effdb24c101468479b8b51ddb1f6df5d
-
Filesize
360KB
MD51247141f044c80850cdf6e951e272f3d
SHA1602a51892cf1877b7d976d44a1fea723dd870056
SHA256f7c19fedad1ebdaa9512ec8c37cddad91769360bf947c54b368561fc3d520819
SHA51291375e17c814abbab52acd62229183b138417d88dfe41455a7a2cc27573891692169ebde5c0393e0021a553ca2cad711d1acebf79b72fa2272041955689c002f
-
Filesize
360KB
MD51247141f044c80850cdf6e951e272f3d
SHA1602a51892cf1877b7d976d44a1fea723dd870056
SHA256f7c19fedad1ebdaa9512ec8c37cddad91769360bf947c54b368561fc3d520819
SHA51291375e17c814abbab52acd62229183b138417d88dfe41455a7a2cc27573891692169ebde5c0393e0021a553ca2cad711d1acebf79b72fa2272041955689c002f
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
6.1MB
-
Filesize
160KB