Analysis
-
max time kernel
187s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2023, 19:35 UTC
Static task
static1
Behavioral task
behavioral1
Sample
ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
Resource
win10v2004-20230220-en
General
-
Target
ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
-
Size
1.2MB
-
MD5
d1d0ccd9c3c421aaeeadcbc0aaa99818
-
SHA1
4152e1f2e476da9220539114764f4d5c7f8a5c2b
-
SHA256
ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a
-
SHA512
ef2489127dde465be219595d02b7b448fc7899b0aa8cf28328cc59b17fe7a8cec2a35186519675f02621049e20cdedb3eae6691a129db9c1206a9c2f61487618
-
SSDEEP
24576:VCbht9y/vN4jFVkUI4Hiew2ltipvLt87VLLLVxCwaUdw578ObN/4SYrnP4uO:VCz9uyy4Hrw2lt2CxxCwbdw57fQSG
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/3424-1005-0x00000000078B0000-0x0000000007EC8000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 140109293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 140109293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 140109293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 140109293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 140109293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 140109293.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
pid Process 544 yO446889.exe 364 qB246406.exe 5016 140109293.exe 3424 274081212.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 140109293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 140109293.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce qB246406.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" qB246406.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce yO446889.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" yO446889.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5016 140109293.exe 5016 140109293.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5016 140109293.exe Token: SeDebugPrivilege 3424 274081212.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4632 wrote to memory of 544 4632 ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe 80 PID 4632 wrote to memory of 544 4632 ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe 80 PID 4632 wrote to memory of 544 4632 ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe 80 PID 544 wrote to memory of 364 544 yO446889.exe 81 PID 544 wrote to memory of 364 544 yO446889.exe 81 PID 544 wrote to memory of 364 544 yO446889.exe 81 PID 364 wrote to memory of 5016 364 qB246406.exe 82 PID 364 wrote to memory of 5016 364 qB246406.exe 82 PID 364 wrote to memory of 5016 364 qB246406.exe 82 PID 364 wrote to memory of 3424 364 qB246406.exe 83 PID 364 wrote to memory of 3424 364 qB246406.exe 83 PID 364 wrote to memory of 3424 364 qB246406.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe"C:\Users\Admin\AppData\Local\Temp\ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
-
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.232.18.117.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request64.13.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request143.145.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request76.38.195.152.in-addr.arpaIN PTRResponse
-
260 B 5
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
156 B 3
-
52 B 1
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.232.18.117.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
64.13.109.52.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
143.145.190.20.in-addr.arpa
-
72 B 143 B 1 1
DNS Request
76.38.195.152.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
764KB
MD5600476bf25074113fe6c45c5e40641b7
SHA1b85e680f76ce4fe49940f83231f5a042f5c1ffbb
SHA2563e712a0a91c15a1248bb2379a8319845bd03ac7bbb245652db0d28d78d803852
SHA5123a6476379f08fd67f81095f52b3385872b8abcdba87908bc5260a35ce42289dfcf8e4433796caa80e8c9907e9d4eaedd61709b0d3cd1e513dfcaa4c124111795
-
Filesize
764KB
MD5600476bf25074113fe6c45c5e40641b7
SHA1b85e680f76ce4fe49940f83231f5a042f5c1ffbb
SHA2563e712a0a91c15a1248bb2379a8319845bd03ac7bbb245652db0d28d78d803852
SHA5123a6476379f08fd67f81095f52b3385872b8abcdba87908bc5260a35ce42289dfcf8e4433796caa80e8c9907e9d4eaedd61709b0d3cd1e513dfcaa4c124111795
-
Filesize
592KB
MD53415de0d7184a8e3cf4bbdb8bad1da3f
SHA145ae1c0661ecbf187cc7e81bec3a5c4172d13c85
SHA2564b70ec7176f70274c52058887a5c28f0520b057a38a81e28689aeb33fa7ab756
SHA5127f35d81b4e06777f7b8f9a58686450a7eb74209cde7d002f8ab2882c26ac3f96d3ed9e130db2eb3d166d92f411d9a83983f580c83ea9a4baa4da56a1e27b813c
-
Filesize
592KB
MD53415de0d7184a8e3cf4bbdb8bad1da3f
SHA145ae1c0661ecbf187cc7e81bec3a5c4172d13c85
SHA2564b70ec7176f70274c52058887a5c28f0520b057a38a81e28689aeb33fa7ab756
SHA5127f35d81b4e06777f7b8f9a58686450a7eb74209cde7d002f8ab2882c26ac3f96d3ed9e130db2eb3d166d92f411d9a83983f580c83ea9a4baa4da56a1e27b813c
-
Filesize
377KB
MD54c6f4b1b21c88d4c448735da40062b19
SHA1db46ddbe0e87f3d4564920baa64cbcf36067372f
SHA256454936c08ed3ee121e0f39dec419843247881c016b720eff6258fcae39c7c6ae
SHA5120b790eefe656f6b5a87cf3d41cc86d6cf657988e2c2a74dec6299366e60dea60c2054fbec0676f2bbbb6ded87397e435a2b7194f946400b6737ffb3da300fcb2
-
Filesize
377KB
MD54c6f4b1b21c88d4c448735da40062b19
SHA1db46ddbe0e87f3d4564920baa64cbcf36067372f
SHA256454936c08ed3ee121e0f39dec419843247881c016b720eff6258fcae39c7c6ae
SHA5120b790eefe656f6b5a87cf3d41cc86d6cf657988e2c2a74dec6299366e60dea60c2054fbec0676f2bbbb6ded87397e435a2b7194f946400b6737ffb3da300fcb2
-
Filesize
459KB
MD51bea2505609a88ba8f010303c0468d45
SHA19d199dd335b22ba2bb2dd70be5b88b1f16e18281
SHA2569e3c72dd1a54b6571d5aa394845613c9e6f75738a56850b930a1f784a049fa1a
SHA51298cc3f474f9b7b266a693646723105a23a8c0e8be0d47ca6b0e5238605778e93371ea35def47ffe049c1c3d6573a21d489ea650ed77c8ea0383515088913fb06
-
Filesize
459KB
MD51bea2505609a88ba8f010303c0468d45
SHA19d199dd335b22ba2bb2dd70be5b88b1f16e18281
SHA2569e3c72dd1a54b6571d5aa394845613c9e6f75738a56850b930a1f784a049fa1a
SHA51298cc3f474f9b7b266a693646723105a23a8c0e8be0d47ca6b0e5238605778e93371ea35def47ffe049c1c3d6573a21d489ea650ed77c8ea0383515088913fb06