Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 18:47
Static task: static1
Behavioral task: behavioral1
  Sample: a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
  Resource: win10v2004-20230220-en
General
Target: a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Size: 1.5MB
MD5: c1ad9354ae7e8a733f9c12643554ed1c
SHA1: 419dc90e728e5fea52f28e5c5541873cb83b136f
SHA256: a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566
SHA512: 109e3090fb032c1ddd96ca705932b6fa73209a642fb5fada0b27ab9ede394f5b17bde4874da844f96456c8f53b590fa221b393692c671eb11c8c80734a64cb4d
SSDEEP: 49152:wL7b0i7Re4pCcKBuQeTZNxAbkOSqfnuATv0:2b0V4p/26T6bjPu7
Malware Config
Extracted
redline
maxbi
185.161.248.73:4164
-
auth_value
6aa7dba884fe45693dfa04c91440daef
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/820-211-0x000000000A780000-0x000000000AD98000-memory.dmp | redline_stealer
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a39708225.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
pid | Process
4140 | i43563383.exe
4144 | i92901856.exe
3744 | i21401076.exe
3208 | i79422272.exe
4788 | a39708225.exe
820 | b18039794.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a39708225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a39708225.exe
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i79422272.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i79422272.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i43563383.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i92901856.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i92901856.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i21401076.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i43563383.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i21401076.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3720 | 4788 | WerFault.exe | 88
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4788 | a39708225.exe
4788 | a39708225.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4788 | a39708225.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3032 wrote to memory of 4140 | 3032 | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe | 84
PID 3032 wrote to memory of 4140 | 3032 | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe | 84
PID 3032 wrote to memory of 4140 | 3032 | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe | 84
PID 4140 wrote to memory of 4144 | 4140 | i43563383.exe | 85
PID 4140 wrote to memory of 4144 | 4140 | i43563383.exe | 85
PID 4140 wrote to memory of 4144 | 4140 | i43563383.exe | 85
PID 4144 wrote to memory of 3744 | 4144 | i92901856.exe | 86
PID 4144 wrote to memory of 3744 | 4144 | i92901856.exe | 86
PID 4144 wrote to memory of 3744 | 4144 | i92901856.exe | 86
PID 3744 wrote to memory of 3208 | 3744 | i21401076.exe | 87
PID 3744 wrote to memory of 3208 | 3744 | i21401076.exe | 87
PID 3744 wrote to memory of 3208 | 3744 | i21401076.exe | 87
PID 3208 wrote to memory of 4788 | 3208 | i79422272.exe | 88
PID 3208 wrote to memory of 4788 | 3208 | i79422272.exe | 88
PID 3208 wrote to memory of 4788 | 3208 | i79422272.exe | 88
PID 3208 wrote to memory of 820 | 3208 | i79422272.exe | 93
PID 3208 wrote to memory of 820 | 3208 | i79422272.exe | 93
PID 3208 wrote to memory of 820 | 3208 | i79422272.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3032
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4140
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4144
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3744
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 3208
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4788
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1080
              - Program crash
              PID: 3720
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe
            - Executes dropped EXE
            PID: 820
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4788 -ip 4788
  PID: 3984
Network
MITRE ATT&CK Enterprise v6
Downloads