Analysis
-
max time kernel
132s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 19:14
General
-
Target
bb428916a7dec676ed480506a147282be4e39477e43d0c4c393bdd07fe337f1f.exe
-
Size
934KB
-
MD5
455d3d47c2b9e8970c9a0b70bc7bfc7f
-
SHA1
9354b50776cb2c6437586becdc69c87266a9a806
-
SHA256
bb428916a7dec676ed480506a147282be4e39477e43d0c4c393bdd07fe337f1f
-
SHA512
f821fbd07a59930629cb4c4d5f6434ad372d4040b3195a1427545d51738ae65d62bc48af8e5394a6b1c61cab1ae10ae7105de674f3340650a19e2c0983338722
-
SSDEEP
24576:9ySH1lXniloIBIxGbS+as2mL8kjIYhxITqdgyqgRD:YSvniyI0WSc2lT4qgR
Malware Config
Extracted
redline
dark
185.161.248.73:4164
-
auth_value
ae85b01f66afe8770afeed560513fc2d
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb428916a7dec676ed480506a147282be4e39477e43d0c4c393bdd07fe337f1f.exe"C:\Users\Admin\AppData\Local\Temp\bb428916a7dec676ed480506a147282be4e39477e43d0c4c393bdd07fe337f1f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621821.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un621821.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75216687.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75216687.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 13844⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk689631.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk689631.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 12724⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255650.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si255650.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1768 -ip 17681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1640 -ip 16401⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
170KB
MD5490042ebef3e77da4daccbab86acafd0
SHA14f8e1ababbb65efc858546cdb61e15ed4fd2dc7c
SHA256cff72b46995c3dc07cc1ea0d60242eadcdb69671f6c08412251715fbcb76b454
SHA5123d71976e1901ec6c164d65525b77b7c5141b0aba05db59bf1f4ad489182a598f5c49b3365911e1281f7b419481be9d3802f1fcdbe586bbc79b3d3bb043ae0b93
-
Filesize
170KB
MD5490042ebef3e77da4daccbab86acafd0
SHA14f8e1ababbb65efc858546cdb61e15ed4fd2dc7c
SHA256cff72b46995c3dc07cc1ea0d60242eadcdb69671f6c08412251715fbcb76b454
SHA5123d71976e1901ec6c164d65525b77b7c5141b0aba05db59bf1f4ad489182a598f5c49b3365911e1281f7b419481be9d3802f1fcdbe586bbc79b3d3bb043ae0b93
-
Filesize
781KB
MD5b6a6f3cf6599ad655efd81da2ead0987
SHA165d1ed08992ca747029cd93033498fcfaf25c180
SHA256cb2f0ac01e6a17f0abf23307288bf44b2a65d7cf77f12115c222c1dae64cdc63
SHA51203ad98e87a1d53b71c3a06e162726086e017f512be602b6b03b98e2d2659bb0417b85485df5f3b903e2d2415776d517dd712ce26f4063400c21775ce984208c6
-
Filesize
781KB
MD5b6a6f3cf6599ad655efd81da2ead0987
SHA165d1ed08992ca747029cd93033498fcfaf25c180
SHA256cb2f0ac01e6a17f0abf23307288bf44b2a65d7cf77f12115c222c1dae64cdc63
SHA51203ad98e87a1d53b71c3a06e162726086e017f512be602b6b03b98e2d2659bb0417b85485df5f3b903e2d2415776d517dd712ce26f4063400c21775ce984208c6
-
Filesize
516KB
MD5a9915da13763a87b0d731ca37c2b92c6
SHA1900861a16ee9ebe3a8da186443b19c0817ee26a2
SHA25603208e438227b4ea372c79232275ae80f6593c36d2140064cfaf3bba98e43a60
SHA512af3c14fa30a3403ed23ddfe78754ea93ab23e55c70ab5b1f68220ee3ccdef384dd18f4622f1d9b51d6b8c1e198204e9e73eae633f876d6f20c2c8ef5e10e011b
-
Filesize
516KB
MD5a9915da13763a87b0d731ca37c2b92c6
SHA1900861a16ee9ebe3a8da186443b19c0817ee26a2
SHA25603208e438227b4ea372c79232275ae80f6593c36d2140064cfaf3bba98e43a60
SHA512af3c14fa30a3403ed23ddfe78754ea93ab23e55c70ab5b1f68220ee3ccdef384dd18f4622f1d9b51d6b8c1e198204e9e73eae633f876d6f20c2c8ef5e10e011b
-
Filesize
576KB
MD59985a39dce22f75953b18909b2720ad2
SHA1caa42480dacfc948ad9aa3a78b69050c8c5cc89d
SHA25659b662b34599ad430b9674462e4867549fb25096a3dbbbec98a66df7a3421317
SHA5123d2a2a24f0c3ba1f4055e48d52b237df05c0cff6e0249596aa628fbc8c96cb078ca38516462938e6c5ea1206580e22b893f220fe0e260f5b4e104d08c59bf0d4
-
Filesize
576KB
MD59985a39dce22f75953b18909b2720ad2
SHA1caa42480dacfc948ad9aa3a78b69050c8c5cc89d
SHA25659b662b34599ad430b9674462e4867549fb25096a3dbbbec98a66df7a3421317
SHA5123d2a2a24f0c3ba1f4055e48d52b237df05c0cff6e0249596aa628fbc8c96cb078ca38516462938e6c5ea1206580e22b893f220fe0e260f5b4e104d08c59bf0d4
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
64KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
64KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB