Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2023 20:21
Static task
static1
Behavioral task
behavioral1
Sample
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe
Resource
win10v2004-20230220-en
General
-
Target
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe
-
Size
1.2MB
-
MD5
fdcdd8760d67d06090ba104a84ccc05e
-
SHA1
dab56090e98c7d6efaad3aa82069de86f0bda51e
-
SHA256
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c
-
SHA512
c2122b07b5a27424dc6f3b12d3bf207a380dc1bd09fe3a2b7c8eed5701848fa17308f8b14794eafeef2042058a4fc2d733ca7438b0b1efbc27f8f0950159790c
-
SSDEEP
24576:Pyc5iRJCXhneR4HGha1o651aQMP6X04eTzPJQKJXxkvaUh:aAKJCXtzGM1d51aLg0fTzJ2v
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
life
185.161.248.73:4164
-
auth_value
8685d11953530b68ad5ec703809d9f91
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
resource yara_rule behavioral2/memory/2040-2335-0x000000000A960000-0x000000000AF78000-memory.dmp redline_stealer -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
s08790533.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation s08790533.exe -
Executes dropped EXE 6 IoCs
Processes:
z44032106.exez98841198.exez24506059.exes08790533.exe1.exet77921014.exepid process 1748 z44032106.exe 1428 z98841198.exe 5012 z24506059.exe 1516 s08790533.exe 2040 1.exe 1208 t77921014.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exez44032106.exez98841198.exez24506059.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z44032106.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z44032106.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z98841198.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z98841198.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z24506059.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z24506059.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4148 1516 WerFault.exe s08790533.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
s08790533.exedescription pid process Token: SeDebugPrivilege 1516 s08790533.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exez44032106.exez98841198.exez24506059.exes08790533.exedescription pid process target process PID 1256 wrote to memory of 1748 1256 ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe z44032106.exe PID 1256 wrote to memory of 1748 1256 ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe z44032106.exe PID 1256 wrote to memory of 1748 1256 ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe z44032106.exe PID 1748 wrote to memory of 1428 1748 z44032106.exe z98841198.exe PID 1748 wrote to memory of 1428 1748 z44032106.exe z98841198.exe PID 1748 wrote to memory of 1428 1748 z44032106.exe z98841198.exe PID 1428 wrote to memory of 5012 1428 z98841198.exe z24506059.exe PID 1428 wrote to memory of 5012 1428 z98841198.exe z24506059.exe PID 1428 wrote to memory of 5012 1428 z98841198.exe z24506059.exe PID 5012 wrote to memory of 1516 5012 z24506059.exe s08790533.exe PID 5012 wrote to memory of 1516 5012 z24506059.exe s08790533.exe PID 5012 wrote to memory of 1516 5012 z24506059.exe s08790533.exe PID 1516 wrote to memory of 2040 1516 s08790533.exe 1.exe PID 1516 wrote to memory of 2040 1516 s08790533.exe 1.exe PID 1516 wrote to memory of 2040 1516 s08790533.exe 1.exe PID 5012 wrote to memory of 1208 5012 z24506059.exe t77921014.exe PID 5012 wrote to memory of 1208 5012 z24506059.exe t77921014.exe PID 5012 wrote to memory of 1208 5012 z24506059.exe t77921014.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe"C:\Users\Admin\AppData\Local\Temp\ec1445ae98d0e55f8d9b9802d4010dfaa8f2ebe5c7b6ce5cbb31e5227a5e2b9c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z44032106.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z44032106.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z98841198.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z98841198.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24506059.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24506059.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08790533.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08790533.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"6⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 13806⤵
- Program crash
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77921014.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77921014.exe5⤵
- Executes dropped EXE
PID:1208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1516 -ip 15161⤵PID:1500
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z44032106.exeFilesize
1.0MB
MD50b2a75605984bda839eb7fe71c4d762f
SHA1806130e18e0eef681f450dd427f70c36a98e1ced
SHA2562478ef2177d7780cab44d69d705ce8801ba6febf0f298f17b270653fa9bc3f5a
SHA512b4f192122152e38bc5fbd2eab15fcc66fd24cecaee57ba3d7b36b05950d0898c0c308bd184c72334d8bc3418ab769194221e4934d3b6e801257f5d1f2d5f0b68
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z44032106.exeFilesize
1.0MB
MD50b2a75605984bda839eb7fe71c4d762f
SHA1806130e18e0eef681f450dd427f70c36a98e1ced
SHA2562478ef2177d7780cab44d69d705ce8801ba6febf0f298f17b270653fa9bc3f5a
SHA512b4f192122152e38bc5fbd2eab15fcc66fd24cecaee57ba3d7b36b05950d0898c0c308bd184c72334d8bc3418ab769194221e4934d3b6e801257f5d1f2d5f0b68
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z98841198.exeFilesize
752KB
MD5562bbd2d1308f16112f6492d64efd909
SHA1dc4a564b3fd0bf4e8b845df6cb4ad5557ba3eb2f
SHA25608652a1942616994db4d960bf9be568b590e43b9bedb02565ce9a914f8d3a062
SHA51291e2d0a100e9bd76b2b75b6b4237f8347fdaed1062a283a1ea32631bda728f6fefeb1f968dac5f3cc51f86797d7cf9dfc2dd2ff04e7f70a4f31d3cd6482948da
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z98841198.exeFilesize
752KB
MD5562bbd2d1308f16112f6492d64efd909
SHA1dc4a564b3fd0bf4e8b845df6cb4ad5557ba3eb2f
SHA25608652a1942616994db4d960bf9be568b590e43b9bedb02565ce9a914f8d3a062
SHA51291e2d0a100e9bd76b2b75b6b4237f8347fdaed1062a283a1ea32631bda728f6fefeb1f968dac5f3cc51f86797d7cf9dfc2dd2ff04e7f70a4f31d3cd6482948da
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24506059.exeFilesize
569KB
MD5a69341fb363c16401830f3651fc6b4df
SHA1384a34448d0c0f5c3a8dda95bdc032e962c4ce4c
SHA2565a434b623da6ac34a901fa18a9e3f75322cd769995396cd5acf0d076431e1bdb
SHA512706e4107868a6d42bc485bb77043ec2f9b5c48ab1df69e190cca7d851e7b6f8102143602261a358d8b46afc80afb0aaf895d4f099acb1318159c2a16fe1d9de0
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24506059.exeFilesize
569KB
MD5a69341fb363c16401830f3651fc6b4df
SHA1384a34448d0c0f5c3a8dda95bdc032e962c4ce4c
SHA2565a434b623da6ac34a901fa18a9e3f75322cd769995396cd5acf0d076431e1bdb
SHA512706e4107868a6d42bc485bb77043ec2f9b5c48ab1df69e190cca7d851e7b6f8102143602261a358d8b46afc80afb0aaf895d4f099acb1318159c2a16fe1d9de0
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08790533.exeFilesize
488KB
MD56e02509433ea5cd4af7845627044cc1d
SHA13675c378cbc37c62baba171775ec3644a2c9954d
SHA256f49d7d88cb05b47f8426f109b42afc22eef64fd2a2144ad9fdd647512e0377f1
SHA512a453507e82779cbd12c94a20a63a17537e1715a6af27ad6a3d393f5389ea9d042382d63c660419ad056c4534229f7d00f6feaee571f0fccc7f0214b5ec6091e2
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08790533.exeFilesize
488KB
MD56e02509433ea5cd4af7845627044cc1d
SHA13675c378cbc37c62baba171775ec3644a2c9954d
SHA256f49d7d88cb05b47f8426f109b42afc22eef64fd2a2144ad9fdd647512e0377f1
SHA512a453507e82779cbd12c94a20a63a17537e1715a6af27ad6a3d393f5389ea9d042382d63c660419ad056c4534229f7d00f6feaee571f0fccc7f0214b5ec6091e2
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77921014.exeFilesize
170KB
MD5ece8b986a738093284e9f5f87710f775
SHA103f9041b9316612f2e098db26370d206b4a5b673
SHA256fc1ea1b02f20af06a61c15f44e9507eadfbaf6c0caae5e17e972efba4afcb053
SHA512d1873fb317f4ab66f3ee437075f4b94a359a1576d806daa8e38a4a5e63eb8ddee4eb9efa1e23c7769197afac9d8c94a2d6a6f51f645b7b414c0d42539b1cf837
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77921014.exeFilesize
170KB
MD5ece8b986a738093284e9f5f87710f775
SHA103f9041b9316612f2e098db26370d206b4a5b673
SHA256fc1ea1b02f20af06a61c15f44e9507eadfbaf6c0caae5e17e972efba4afcb053
SHA512d1873fb317f4ab66f3ee437075f4b94a359a1576d806daa8e38a4a5e63eb8ddee4eb9efa1e23c7769197afac9d8c94a2d6a6f51f645b7b414c0d42539b1cf837
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
C:\Windows\Temp\1.exeFilesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
memory/1208-2347-0x0000000000F70000-0x0000000000F80000-memory.dmpFilesize
64KB
-
memory/1208-2345-0x0000000000F70000-0x0000000000F80000-memory.dmpFilesize
64KB
-
memory/1208-2344-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1516-196-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-214-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-168-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-170-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-172-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-174-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-176-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-178-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-180-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-182-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-184-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-188-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-186-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-190-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-192-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-194-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-166-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-198-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-200-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-202-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-204-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-206-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-208-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-210-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-212-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-167-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-216-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-218-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-220-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-222-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-224-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-226-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-228-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-230-0x0000000004F60000-0x0000000004FC0000-memory.dmpFilesize
384KB
-
memory/1516-2314-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-2315-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-2316-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-2318-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-2333-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-162-0x0000000000920000-0x000000000097B000-memory.dmpFilesize
364KB
-
memory/1516-163-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/1516-164-0x0000000004FF0000-0x0000000005594000-memory.dmpFilesize
5.6MB
-
memory/1516-165-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/2040-2338-0x000000000A340000-0x000000000A37C000-memory.dmpFilesize
240KB
-
memory/2040-2337-0x0000000004F20000-0x0000000004F32000-memory.dmpFilesize
72KB
-
memory/2040-2336-0x000000000A450000-0x000000000A55A000-memory.dmpFilesize
1.0MB
-
memory/2040-2335-0x000000000A960000-0x000000000AF78000-memory.dmpFilesize
6.1MB
-
memory/2040-2339-0x0000000004E40000-0x0000000004E50000-memory.dmpFilesize
64KB
-
memory/2040-2346-0x0000000004E40000-0x0000000004E50000-memory.dmpFilesize
64KB
-
memory/2040-2331-0x00000000006A0000-0x00000000006CE000-memory.dmpFilesize
184KB