Analysis
-
max time kernel
190s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2023 20:22
Static task
static1
Behavioral task
behavioral1
Sample
edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
Resource
win10v2004-20230220-en
General
-
Target
edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
-
Size
1.2MB
-
MD5
4920b94ea7d0c18b5cc3a2915bb1cfba
-
SHA1
3e9b7ddd899110e5876e0b9461c1914251ed8a38
-
SHA256
edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c
-
SHA512
b0c62a842870dffc9d681164a8827a16becf882b0a1a615f28c60564e960a0d75c467037bcd719e2b1df2401eb04632f796bcf63b24fec0784153f790ea5ce90
-
SSDEEP
24576:DyB+6wPK4fCkSB2Dz1rEyoN/rZ6WZ0e2GVRWBLkYZT/ioOiMyvF1WTjUd:WBNwPJfU414yoNdz5OJ/iby9oTjU
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
life
185.161.248.73:4164
-
auth_value
8685d11953530b68ad5ec703809d9f91
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
resource yara_rule behavioral2/memory/2784-2335-0x000000000AC40000-0x000000000B258000-memory.dmp redline_stealer -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
s16166419.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation s16166419.exe -
Executes dropped EXE 6 IoCs
Processes:
z78750995.exez19803407.exez29944310.exes16166419.exe1.exet94216193.exepid process 3024 z78750995.exe 1328 z19803407.exe 220 z29944310.exe 3312 s16166419.exe 2784 1.exe 4908 t94216193.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
z29944310.exeedd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exez78750995.exez19803407.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z29944310.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z78750995.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z78750995.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z19803407.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z19803407.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z29944310.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 776 3312 WerFault.exe s16166419.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
s16166419.exedescription pid process Token: SeDebugPrivilege 3312 s16166419.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exez78750995.exez19803407.exez29944310.exes16166419.exedescription pid process target process PID 2264 wrote to memory of 3024 2264 edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe z78750995.exe PID 2264 wrote to memory of 3024 2264 edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe z78750995.exe PID 2264 wrote to memory of 3024 2264 edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe z78750995.exe PID 3024 wrote to memory of 1328 3024 z78750995.exe z19803407.exe PID 3024 wrote to memory of 1328 3024 z78750995.exe z19803407.exe PID 3024 wrote to memory of 1328 3024 z78750995.exe z19803407.exe PID 1328 wrote to memory of 220 1328 z19803407.exe z29944310.exe PID 1328 wrote to memory of 220 1328 z19803407.exe z29944310.exe PID 1328 wrote to memory of 220 1328 z19803407.exe z29944310.exe PID 220 wrote to memory of 3312 220 z29944310.exe s16166419.exe PID 220 wrote to memory of 3312 220 z29944310.exe s16166419.exe PID 220 wrote to memory of 3312 220 z29944310.exe s16166419.exe PID 3312 wrote to memory of 2784 3312 s16166419.exe 1.exe PID 3312 wrote to memory of 2784 3312 s16166419.exe 1.exe PID 3312 wrote to memory of 2784 3312 s16166419.exe 1.exe PID 220 wrote to memory of 4908 220 z29944310.exe t94216193.exe PID 220 wrote to memory of 4908 220 z29944310.exe t94216193.exe PID 220 wrote to memory of 4908 220 z29944310.exe t94216193.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe"C:\Users\Admin\AppData\Local\Temp\edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"6⤵
- Executes dropped EXE
PID:2784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 13846⤵
- Program crash
PID:776
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exe5⤵
- Executes dropped EXE
PID:4908
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3312 -ip 33121⤵PID:1696
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5b3fa776e9cccdfa79364675cbeb632b4
SHA1dafffbc79bd87e3d5235d42fd06d70bfa9231fdb
SHA256d392169f49c954d14be07c553b7992b02bdbc717cff9641cc7b217c514bcdeda
SHA512f24ae65c85b142c46db93cc3fbe164dc33e2852973cf58717b695d9e53753c778d760435484a7f9c02546a06127945d6ac31afbd39f941cae1d73cf49b14c0be
-
Filesize
1.0MB
MD5b3fa776e9cccdfa79364675cbeb632b4
SHA1dafffbc79bd87e3d5235d42fd06d70bfa9231fdb
SHA256d392169f49c954d14be07c553b7992b02bdbc717cff9641cc7b217c514bcdeda
SHA512f24ae65c85b142c46db93cc3fbe164dc33e2852973cf58717b695d9e53753c778d760435484a7f9c02546a06127945d6ac31afbd39f941cae1d73cf49b14c0be
-
Filesize
764KB
MD5aeb899bf39b4de18da0bb5db378c8a2d
SHA13a437d23bb1ce28c4b54e0efa5a1aa7e607e5503
SHA256456a71ea9ba6ec6e9cd20d29548e13d2047a5697af6d6f5e04474dfeae16994b
SHA512646c2d82aa94f2c31d460df847d53692038fad26637e6d06442d43997c926e7a4d555bddcfb71275d66662099ff25b9b1ef1b909043f3a89eb4e983e41664251
-
Filesize
764KB
MD5aeb899bf39b4de18da0bb5db378c8a2d
SHA13a437d23bb1ce28c4b54e0efa5a1aa7e607e5503
SHA256456a71ea9ba6ec6e9cd20d29548e13d2047a5697af6d6f5e04474dfeae16994b
SHA512646c2d82aa94f2c31d460df847d53692038fad26637e6d06442d43997c926e7a4d555bddcfb71275d66662099ff25b9b1ef1b909043f3a89eb4e983e41664251
-
Filesize
581KB
MD535698cff3e94c33d3610b5626e368a44
SHA14b31580dc67373cfe6bad2e20f003a8cb33d7562
SHA25637cfad99c413661b015d1c6875b19a35faf4c6bbb1488b2b5d25ab85a289e246
SHA512e7cb913bf4b9ebe06d0c9afeed1a7928671132079f13c30f72c4a4e5c1e8b14ab6032e31897484387afb3da7668ea0020034570c3f153ca8d2ff2f51161c3e29
-
Filesize
581KB
MD535698cff3e94c33d3610b5626e368a44
SHA14b31580dc67373cfe6bad2e20f003a8cb33d7562
SHA25637cfad99c413661b015d1c6875b19a35faf4c6bbb1488b2b5d25ab85a289e246
SHA512e7cb913bf4b9ebe06d0c9afeed1a7928671132079f13c30f72c4a4e5c1e8b14ab6032e31897484387afb3da7668ea0020034570c3f153ca8d2ff2f51161c3e29
-
Filesize
580KB
MD52b7a09408462f72d37d0ad514f9c0458
SHA1230db1374aa153f3d3edf275569043a59815dce7
SHA2560b2f000d423cae62513a64ef15f4e8ccec1784be55a175f3fc43cafd024b2691
SHA51215077015ddc9c7b67d1d828ce201ef1f904f7924a8f923e26d9d161a6453b8e9e02851e3430302dc3815f619c6656efbc69d7021b6f16756e6b25a3b4fc7ff5b
-
Filesize
580KB
MD52b7a09408462f72d37d0ad514f9c0458
SHA1230db1374aa153f3d3edf275569043a59815dce7
SHA2560b2f000d423cae62513a64ef15f4e8ccec1784be55a175f3fc43cafd024b2691
SHA51215077015ddc9c7b67d1d828ce201ef1f904f7924a8f923e26d9d161a6453b8e9e02851e3430302dc3815f619c6656efbc69d7021b6f16756e6b25a3b4fc7ff5b
-
Filesize
169KB
MD597f5242a2c93f68b3b7978cef16b84bd
SHA18997ba1cce5c36d23a69aaaa8be71c92fff47461
SHA25672455f337b2d7da9702594004b19e8e3b266dbfd5c6cffc1a455cbaea0a212a7
SHA51210f11a0d9cc9725bbc85c7e87f7e9c7d37cbf2e3c166ac7e683cd9f976accebbc877edccf38fadd4d4e0a452239769a9403083456ece677839fbab20c1967a55
-
Filesize
169KB
MD597f5242a2c93f68b3b7978cef16b84bd
SHA18997ba1cce5c36d23a69aaaa8be71c92fff47461
SHA25672455f337b2d7da9702594004b19e8e3b266dbfd5c6cffc1a455cbaea0a212a7
SHA51210f11a0d9cc9725bbc85c7e87f7e9c7d37cbf2e3c166ac7e683cd9f976accebbc877edccf38fadd4d4e0a452239769a9403083456ece677839fbab20c1967a55
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf