Overview

overview

10

Static

static

3

cbf3f4ad9a...8a.exe

windows7-x64

10

cbf3f4ad9a...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf3f4ad9aa4c04a807f0d5354e387657cdc4cb5fe834b76e4f7aed79f48668a.exe

  • Size

    707KB

  • MD5

    be984f5a48f5d1a41d0642589ce66a74

  • SHA1

    adce4929ec3feb33d98577c22f8fb7e640a69115

  • SHA256

    cbf3f4ad9aa4c04a807f0d5354e387657cdc4cb5fe834b76e4f7aed79f48668a

  • SHA512

    f8a0e5725d0ebc720f0f867857f0e7fff10e410a9822a75ebee193e74f494341a32b40925cafa2273586591c2f58804982ec2b51d6be8c5ea0c1801b4f8f90ad

  • SSDEEP

    12288:oy90RN1qsMOdo1MNFFaaPlcZgbTgQ/TTdnRUmJiSxAJmTfctYS4GQ:oyO1qsx0MRf9cZgbTLhRx92tYOQ

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf3f4ad9aa4c04a807f0d5354e387657cdc4cb5fe834b76e4f7aed79f48668a.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf3f4ad9aa4c04a807f0d5354e387657cdc4cb5fe834b76e4f7aed79f48668a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233350.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233350.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14336960.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14336960.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1016
          4⤵
          • Program crash
          PID:1812
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk579539.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk579539.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4432 -ip 4432
    1⤵
      PID:3980

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233350.exe
      Filesize

      553KB

      MD5

      0bb9522c5c378737556d286e7df4778b

      SHA1

      02ac5517766abac08c06209d5db58ebfaf0ef950

      SHA256

      f6b1bd64207786c36be158098b1bf2bc31a95c8b3e514ef1f40fa404408ef536

      SHA512

      0be6de8fa40f88b1b9e9ab56e9153b7d6a09833b1769e601c8e6b5443981e42591e5aad37b9cef67e60f2c93570446a071d672d7cb14b71a13ffeef690e27b63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233350.exe
      Filesize

      553KB

      MD5

      0bb9522c5c378737556d286e7df4778b

      SHA1

      02ac5517766abac08c06209d5db58ebfaf0ef950

      SHA256

      f6b1bd64207786c36be158098b1bf2bc31a95c8b3e514ef1f40fa404408ef536

      SHA512

      0be6de8fa40f88b1b9e9ab56e9153b7d6a09833b1769e601c8e6b5443981e42591e5aad37b9cef67e60f2c93570446a071d672d7cb14b71a13ffeef690e27b63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14336960.exe
      Filesize

      258KB

      MD5

      8ff41f40c7c8b23d5dd0ecb9a888a48c

      SHA1

      c28f0da22bbee700d4b5e23c123e1935a7b52b68

      SHA256

      eec0a44ea91176c893226eda20dd643afc88cd9d08406f206191bfdb71f36714

      SHA512

      f673555d4ecd11662e26912114f70dd4b90012b6d51e6130a13607106b63ca044ca23daf51221db49072d7ba5e5bf9bf3cdac85a25b801cce4f867709889eabe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14336960.exe
      Filesize

      258KB

      MD5

      8ff41f40c7c8b23d5dd0ecb9a888a48c

      SHA1

      c28f0da22bbee700d4b5e23c123e1935a7b52b68

      SHA256

      eec0a44ea91176c893226eda20dd643afc88cd9d08406f206191bfdb71f36714

      SHA512

      f673555d4ecd11662e26912114f70dd4b90012b6d51e6130a13607106b63ca044ca23daf51221db49072d7ba5e5bf9bf3cdac85a25b801cce4f867709889eabe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk579539.exe
      Filesize

      353KB

      MD5

      71a3bff7c6570a9d5003296521bc993b

      SHA1

      a11b67ef1aa624797c57b9b5b16f044658a849a0

      SHA256

      111a9e80a575667842d690bd56dae1b8e76d7cc37855722f229d26d6db154cbf

      SHA512

      869447569cf1ae863645d44c83660003f851b2388f0e58eda861f49b4ee3d172f32536a0bfb077f802915ae47c43a10730ca03b4e17d938714f75190c2474f13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk579539.exe
      Filesize

      353KB

      MD5

      71a3bff7c6570a9d5003296521bc993b

      SHA1

      a11b67ef1aa624797c57b9b5b16f044658a849a0

      SHA256

      111a9e80a575667842d690bd56dae1b8e76d7cc37855722f229d26d6db154cbf

      SHA512

      869447569cf1ae863645d44c83660003f851b2388f0e58eda861f49b4ee3d172f32536a0bfb077f802915ae47c43a10730ca03b4e17d938714f75190c2474f13

      Download Submit

    • memory/1324-218-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-219-0x0000000002BC0000-0x0000000002C06000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1324-998-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-996-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-995-0x000000000A480000-0x000000000A4BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1324-994-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1324-992-0x00000000071B0000-0x00000000071C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1324-991-0x0000000009D50000-0x000000000A368000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1324-990-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-196-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-225-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-220-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-222-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-223-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-194-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-216-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-214-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-212-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-210-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-208-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-206-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-204-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-202-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-193-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-200-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1324-989-0x0000000007210000-0x0000000007220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1324-198-0x0000000004C30000-0x0000000004C65000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4432-181-0x00000000048F0000-0x0000000004900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4432-176-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-150-0x00000000071F0000-0x0000000007794000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4432-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/4432-182-0x00000000048F0000-0x0000000004900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4432-174-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-180-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-170-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-164-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-151-0x00000000048F0000-0x0000000004900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4432-149-0x00000000048F0000-0x0000000004900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4432-148-0x0000000002C70000-0x0000000002C9D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4432-178-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-168-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-166-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-172-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-162-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-160-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-158-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-156-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-153-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-154-0x0000000004BC0000-0x0000000004BD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4432-152-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download