Overview

overview

10

Static

static

3

26a8200a68...78.exe

windows7-x64

10

26a8200a68...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 18:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    26a8200a6884f82e07b85f103467ee3d72854c14655af3bba15e7905103dc078.exe

  • Size

    308KB

  • MD5

    e5ccca4856f60651c62e9b9db3ac7a82

  • SHA1

    caf5368ae43b366b31036c4270a88d56ba8231b6

  • SHA256

    26a8200a6884f82e07b85f103467ee3d72854c14655af3bba15e7905103dc078

  • SHA512

    432fda43f2e936adf9aa5781747eb756a82665bc3fcdf77f511a60c4d25da3e71550b486a600d2fa60e43642f9bb957375a4bba29db0f6c24357a0f6fda3bc9f

  • SSDEEP

    6144:K1y+bnr+/p0yN90QEYlEY+zbPsR4JDFR7wCv7TJbOLuUXEe:nMrby90Gb+zKeYwJbOae

Score
10/10
redlinediscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26a8200a6884f82e07b85f103467ee3d72854c14655af3bba15e7905103dc078.exe
    "C:\Users\Admin\AppData\Local\Temp\26a8200a6884f82e07b85f103467ee3d72854c14655af3bba15e7905103dc078.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3644476.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3644476.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4655576.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4655576.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4084

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3644476.exe
          Filesize

          176KB

          MD5

          8ad9ebb607ade3b8efcdefe8ee8f6061

          SHA1

          c0f7cfa513438e078f9244e1f1a547587bac1bae

          SHA256

          b726f60be2e4d913ef91697172269c89febacb96b53874acda76f27025d7af3e

          SHA512

          6f9520c09c872612a870305b02c190e4e6fc3b0fe826d35c8a2d726e665bed418b31d1aaedbacaa7449ffda986de660be46a8cc668b8992e6bba3828ec59b4a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3644476.exe
          Filesize

          176KB

          MD5

          8ad9ebb607ade3b8efcdefe8ee8f6061

          SHA1

          c0f7cfa513438e078f9244e1f1a547587bac1bae

          SHA256

          b726f60be2e4d913ef91697172269c89febacb96b53874acda76f27025d7af3e

          SHA512

          6f9520c09c872612a870305b02c190e4e6fc3b0fe826d35c8a2d726e665bed418b31d1aaedbacaa7449ffda986de660be46a8cc668b8992e6bba3828ec59b4a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4655576.exe
          Filesize

          136KB

          MD5

          f1bf39c66cabfea2224d9e8841fee124

          SHA1

          5d91d1baab417c343ec36487edf5f804781ff8fb

          SHA256

          a62c87c9784eb87c3a5ca307ac57a52aa3b8347682e96276952f42dd6aac15cf

          SHA512

          2faa49b5d037aa7b79f4762843f7d93f1c0044245bace6295247c8013054cc0766ca0edb2714a4119578d99a3f8753326e0b7c2fe0ea6bc720377a1f085c179e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4655576.exe
          Filesize

          136KB

          MD5

          f1bf39c66cabfea2224d9e8841fee124

          SHA1

          5d91d1baab417c343ec36487edf5f804781ff8fb

          SHA256

          a62c87c9784eb87c3a5ca307ac57a52aa3b8347682e96276952f42dd6aac15cf

          SHA512

          2faa49b5d037aa7b79f4762843f7d93f1c0044245bace6295247c8013054cc0766ca0edb2714a4119578d99a3f8753326e0b7c2fe0ea6bc720377a1f085c179e

          Download Submit

        • memory/2684-167-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-141-0x00000000049A0000-0x00000000049B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2684-144-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-145-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-149-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-147-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-151-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-153-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-155-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-157-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-159-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-161-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-163-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-165-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-142-0x00000000049A0000-0x00000000049B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2684-169-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-171-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2684-143-0x00000000049A0000-0x00000000049B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2684-140-0x00000000049B0000-0x0000000004F54000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4084-182-0x0000000007E90000-0x0000000007EF6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4084-188-0x0000000009C70000-0x000000000A19C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4084-178-0x0000000007A90000-0x0000000007AA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4084-179-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4084-180-0x0000000007E10000-0x0000000007E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4084-181-0x0000000007AF0000-0x0000000007B2C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4084-184-0x0000000008AB0000-0x0000000008B42000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4084-176-0x0000000000D80000-0x0000000000DA8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4084-177-0x0000000007FF0000-0x0000000008608000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4084-185-0x0000000008B50000-0x0000000008BC6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4084-186-0x0000000007FD0000-0x0000000007FEE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4084-187-0x0000000009570000-0x0000000009732000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4084-183-0x0000000007E10000-0x0000000007E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4084-189-0x0000000008C10000-0x0000000008C60000-memory.dmp

          Filesize

          320KB

          Download