Overview

overview

10

Static

static

3

9aeb76e2cd...f9.exe

windows7-x64

10

9aeb76e2cd...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2023 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9aeb76e2cd2a084799762be0ba3ac7a1f36da5546722cdacb052cf49792262f9.exe

  • Size

    1.5MB

  • MD5

    c9eb95def54841272a0c0dc3a0f056ae

  • SHA1

    e90c40e931eebb2017d9c59e24ecaa38541d5d8f

  • SHA256

    9aeb76e2cd2a084799762be0ba3ac7a1f36da5546722cdacb052cf49792262f9

  • SHA512

    3b20b87aeb292d9bd2ec7242e4a3512695a5c8203bf4f50b3f74f22dbca27d89b08d5c7bb766af44cf12f050ce6fd6d4cb62faece518e567df319678e1955952

  • SSDEEP

    24576:xyfZS9andozk33b2mOjZYLLTCvZquvYHa5HqI7bauSMg52eZtZAf/95jtc83om4O:kBYOdok3tLT4XYaKI7WRHHbGtfcCyTD

Score
10/10
redlinemazdadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes
  • auth_value

    3d2870537d84a4c6d7aeecd002871c51

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9aeb76e2cd2a084799762be0ba3ac7a1f36da5546722cdacb052cf49792262f9.exe
    "C:\Users\Admin\AppData\Local\Temp\9aeb76e2cd2a084799762be0ba3ac7a1f36da5546722cdacb052cf49792262f9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9352702.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9352702.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4474197.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4474197.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3378876.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3378876.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9165912.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9165912.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:736
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2881162.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2881162.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3776
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1084
                7⤵
                • Program crash
                PID:2708
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8937619.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8937619.exe
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4948
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9588965.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9588965.exe
            5⤵
            • Executes dropped EXE
            PID:3636
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 696
              6⤵
              • Program crash
              PID:4816
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 752
              6⤵
              • Program crash
              PID:2984
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 796
              6⤵
              • Program crash
              PID:1608
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 940
              6⤵
              • Program crash
              PID:680
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 980
              6⤵
              • Program crash
              PID:3048
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 956
              6⤵
              • Program crash
              PID:3164
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1220
              6⤵
              • Program crash
              PID:1880
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1208
              6⤵
              • Program crash
              PID:2372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3776 -ip 3776
    1⤵
      PID:4604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
      1⤵
        PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3636 -ip 3636
        1⤵
          PID:1372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3636 -ip 3636
          1⤵
            PID:1680
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3636 -ip 3636
            1⤵
              PID:2444
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3636 -ip 3636
              1⤵
                PID:3868
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3636 -ip 3636
                1⤵
                  PID:3976
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3636 -ip 3636
                  1⤵
                    PID:1540
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3636 -ip 3636
                    1⤵
                      PID:3100

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9352702.exe
                      Filesize

                      1.3MB

                      MD5

                      35c54204860280c0d5a4e4612ef2010a

                      SHA1

                      310d7bd92be77b835c388d3d412e24c05595011f

                      SHA256

                      6efc1c533030b754c20e3cdd1a9875319047e2d5e23d38c19946511e84962c71

                      SHA512

                      4355383e75dc8cac03bf67f15a0ed8968216306cbed64892fc4907b044cc272ba1503cd7bd7a6894eda0bdcd42868048214aa155ff5ed8475b5282db45377884

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9352702.exe
                      Filesize

                      1.3MB

                      MD5

                      35c54204860280c0d5a4e4612ef2010a

                      SHA1

                      310d7bd92be77b835c388d3d412e24c05595011f

                      SHA256

                      6efc1c533030b754c20e3cdd1a9875319047e2d5e23d38c19946511e84962c71

                      SHA512

                      4355383e75dc8cac03bf67f15a0ed8968216306cbed64892fc4907b044cc272ba1503cd7bd7a6894eda0bdcd42868048214aa155ff5ed8475b5282db45377884

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4474197.exe
                      Filesize

                      867KB

                      MD5

                      4ac7c7bb36e49216e1810bb58c63243e

                      SHA1

                      dad933ba7935afa9456b5eb0739eacdb716d4a02

                      SHA256

                      2cc79a98226d9fb79aded1b1343546f1638623dff6999e191842e08e7c8623a3

                      SHA512

                      9830b1524f4d9d23b4837d137a844b2372e850d172b17715a0ee50528df0e7a1c27a416e8021c5191ffc6b681bfd1e87a0f31ca6421f89792f6f20fd5c4cbeb0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4474197.exe
                      Filesize

                      867KB

                      MD5

                      4ac7c7bb36e49216e1810bb58c63243e

                      SHA1

                      dad933ba7935afa9456b5eb0739eacdb716d4a02

                      SHA256

                      2cc79a98226d9fb79aded1b1343546f1638623dff6999e191842e08e7c8623a3

                      SHA512

                      9830b1524f4d9d23b4837d137a844b2372e850d172b17715a0ee50528df0e7a1c27a416e8021c5191ffc6b681bfd1e87a0f31ca6421f89792f6f20fd5c4cbeb0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3378876.exe
                      Filesize

                      663KB

                      MD5

                      22474c95b49ad786a933c12df0202313

                      SHA1

                      7d98b798200ae46d6e6ab0213f863ab60d33bdd9

                      SHA256

                      ff118cc216afb583f5e85368fa5f7035cd401dba330860005dd4dc178c41e6c2

                      SHA512

                      81d08d52fe6ee89ba0953a3b9b3b60b36e48b475c5a6825973b64309e7b4b18afb191164a803c2b316b1d75bce15969277c09dfdd8b5b9974d1797b33a2b1102

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3378876.exe
                      Filesize

                      663KB

                      MD5

                      22474c95b49ad786a933c12df0202313

                      SHA1

                      7d98b798200ae46d6e6ab0213f863ab60d33bdd9

                      SHA256

                      ff118cc216afb583f5e85368fa5f7035cd401dba330860005dd4dc178c41e6c2

                      SHA512

                      81d08d52fe6ee89ba0953a3b9b3b60b36e48b475c5a6825973b64309e7b4b18afb191164a803c2b316b1d75bce15969277c09dfdd8b5b9974d1797b33a2b1102

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9588965.exe
                      Filesize

                      295KB

                      MD5

                      fe53a5ea5312c37093c83b0f31853db1

                      SHA1

                      77d53b3d0383c8456b2b218226c12ef473751d41

                      SHA256

                      cd0b7b761602e343eb6d6b2d185984db253aeee80307685451d3929f56fd78c9

                      SHA512

                      4d8ca8bbf1752b39e7bdc36094a51ccb382b00a9fb9e27287b7e3f0827f5c221a79fc8b06869fc4f827e5d38839e2175e5447a3159f167b649b4ede11f168299

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9588965.exe
                      Filesize

                      295KB

                      MD5

                      fe53a5ea5312c37093c83b0f31853db1

                      SHA1

                      77d53b3d0383c8456b2b218226c12ef473751d41

                      SHA256

                      cd0b7b761602e343eb6d6b2d185984db253aeee80307685451d3929f56fd78c9

                      SHA512

                      4d8ca8bbf1752b39e7bdc36094a51ccb382b00a9fb9e27287b7e3f0827f5c221a79fc8b06869fc4f827e5d38839e2175e5447a3159f167b649b4ede11f168299

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9165912.exe
                      Filesize

                      394KB

                      MD5

                      e0bdbeae5407856e1d9f866d0ca27e0c

                      SHA1

                      bd8b7470511d59e6c01828a0eb40af521db0dd92

                      SHA256

                      269f6bfad4bc77fa8a5d6e7725ead871ac60b6288c031fb70667c1d7dfaaef12

                      SHA512

                      f67699209bc69e9c52dedddd624bbae70c1e98165df6b9717879f4879b6d40488708dc75a4e8ae5fe511fa6853b34b5fde5c50e7d982158652539e4c707a6320

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9165912.exe
                      Filesize

                      394KB

                      MD5

                      e0bdbeae5407856e1d9f866d0ca27e0c

                      SHA1

                      bd8b7470511d59e6c01828a0eb40af521db0dd92

                      SHA256

                      269f6bfad4bc77fa8a5d6e7725ead871ac60b6288c031fb70667c1d7dfaaef12

                      SHA512

                      f67699209bc69e9c52dedddd624bbae70c1e98165df6b9717879f4879b6d40488708dc75a4e8ae5fe511fa6853b34b5fde5c50e7d982158652539e4c707a6320

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2881162.exe
                      Filesize

                      315KB

                      MD5

                      3861448f98606abff318ee210fc1e8ae

                      SHA1

                      9c7dfd45a01f7db912827a1f95623431f1d97dd8

                      SHA256

                      fb5f47dfb21a6fa908978067ea15def1aeb4e60584a122d19e52eee8075072f4

                      SHA512

                      930ef8a1205b73eda729a2c9daeaa9c7bcd2b4a3a57031eb627cd0deea9951dc1c9d049ed539984b9ed21a170778cde04791515951440a4f25e02b74cb909bd5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2881162.exe
                      Filesize

                      315KB

                      MD5

                      3861448f98606abff318ee210fc1e8ae

                      SHA1

                      9c7dfd45a01f7db912827a1f95623431f1d97dd8

                      SHA256

                      fb5f47dfb21a6fa908978067ea15def1aeb4e60584a122d19e52eee8075072f4

                      SHA512

                      930ef8a1205b73eda729a2c9daeaa9c7bcd2b4a3a57031eb627cd0deea9951dc1c9d049ed539984b9ed21a170778cde04791515951440a4f25e02b74cb909bd5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8937619.exe
                      Filesize

                      168KB

                      MD5

                      95eb0f6c78aee8f954bbe0ebc9dae607

                      SHA1

                      ba165208f693639f2293d8ab6d0efdce52a28e5b

                      SHA256

                      b96d1b26c7c2a8a6d61ba0080c8e341b471229714db331e923e7d2a57949c730

                      SHA512

                      bf575484aa4a7b26b493c530f2419a611a91c312f067619076f423dbba233ff4e93223b6bbb155360af26f4e130c41d3dd063c787a989b2e879b2ce567262193

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8937619.exe
                      Filesize

                      168KB

                      MD5

                      95eb0f6c78aee8f954bbe0ebc9dae607

                      SHA1

                      ba165208f693639f2293d8ab6d0efdce52a28e5b

                      SHA256

                      b96d1b26c7c2a8a6d61ba0080c8e341b471229714db331e923e7d2a57949c730

                      SHA512

                      bf575484aa4a7b26b493c530f2419a611a91c312f067619076f423dbba233ff4e93223b6bbb155360af26f4e130c41d3dd063c787a989b2e879b2ce567262193

                      Download Submit

                    • memory/3636-233-0x00000000006D0000-0x0000000000705000-memory.dmp

                      Filesize

                      212KB

                      Download

                    • memory/3636-234-0x0000000000400000-0x00000000006CA000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/3776-184-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-202-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-172-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-173-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-174-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-175-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-176-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-178-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-180-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-182-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-170-0x0000000004B90000-0x0000000005134000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/3776-186-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-188-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-190-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-192-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-194-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-196-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-198-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-200-0x0000000002560000-0x0000000002572000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3776-171-0x0000000000400000-0x0000000000485000-memory.dmp

                      Filesize

                      532KB

                      Download

                    • memory/3776-203-0x0000000000560000-0x000000000058D000-memory.dmp

                      Filesize

                      180KB

                      Download

                    • memory/3776-205-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-206-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-207-0x0000000004B80000-0x0000000004B90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3776-209-0x0000000000400000-0x0000000000485000-memory.dmp

                      Filesize

                      532KB

                      Download

                    • memory/3776-169-0x0000000000560000-0x000000000058D000-memory.dmp

                      Filesize

                      180KB

                      Download

                    • memory/4948-222-0x0000000005F60000-0x0000000005FD6000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/4948-217-0x00000000052B0000-0x00000000053BA000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/4948-218-0x00000000051C0000-0x00000000051D2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4948-219-0x0000000005090000-0x00000000050A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4948-220-0x0000000005220000-0x000000000525C000-memory.dmp

                      Filesize

                      240KB

                      Download

                    • memory/4948-221-0x0000000005090000-0x00000000050A0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4948-216-0x00000000057C0000-0x0000000005DD8000-memory.dmp

                      Filesize

                      6.1MB

                      Download

                    • memory/4948-223-0x00000000061D0000-0x0000000006262000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/4948-224-0x0000000005FE0000-0x0000000006046000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/4948-215-0x0000000000720000-0x0000000000750000-memory.dmp

                      Filesize

                      192KB

                      Download

                    • memory/4948-225-0x0000000006650000-0x0000000006812000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/4948-226-0x0000000008950000-0x0000000008E7C000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/4948-227-0x0000000006DD0000-0x0000000006E20000-memory.dmp

                      Filesize

                      320KB

                      Download