Analysis
-
max time kernel
197s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-05-2023 18:11
General
-
Target
177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
-
Size
567KB
-
MD5
9997fd3175f50c1e35624662175bdbd6
-
SHA1
34ba74cf508783b78f63dd70c791b8aad0dca1bb
-
SHA256
177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793
-
SHA512
477b5b154f7e0ad8babadd13755af0aaed4ce23180cfa0fd03c752e7272e88f16bba233f80b8987c325d31fbcf74ded1a81dee0088970fbf6ac8bdf10753b81c
-
SSDEEP
12288:5MrZy90GIn3fD4C9ePFiV0BgJm6iWGcZPi4RS4hT8UBlu:Yyk3fDDec0BgE6iWXZqMSsTnS
Malware Config
Extracted
redline
darm
217.196.96.56:4138
-
auth_value
d88ac8ccc04ab9979b04b46313db1648
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe"C:\Users\Admin\AppData\Local\Temp\177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
MD56f9028d26c741abbf8025a7adf0d80ae
SHA1c8886b8da83ecf31be49b7cd164912e9031ea158
SHA2561368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8
SHA51216dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc
-
Filesize
308KB
MD56f9028d26c741abbf8025a7adf0d80ae
SHA1c8886b8da83ecf31be49b7cd164912e9031ea158
SHA2561368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8
SHA51216dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc
-
Filesize
168KB
MD5dcbce19930d7abe573cd3c797ed0bfba
SHA1dbded78b656816c7b2c1ba7e185b3952f7c6eb6d
SHA2561f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4
SHA512761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6
-
Filesize
168KB
MD5dcbce19930d7abe573cd3c797ed0bfba
SHA1dbded78b656816c7b2c1ba7e185b3952f7c6eb6d
SHA2561f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4
SHA512761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB