Overview

overview

10

Static

static

3

d90ea8bdc6...67.exe

windows7-x64

10

d90ea8bdc6...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d90ea8bdc64a2e2a1bc1fe2540aa8a8b08b1f1b05d44dc92e771273d4ebe6467.exe

  • Size

    480KB

  • MD5

    71a55dfbde1f3282695dd8cc2ec35955

  • SHA1

    c93660f0848c8af46fb04b043325710ffcae3b2b

  • SHA256

    d90ea8bdc64a2e2a1bc1fe2540aa8a8b08b1f1b05d44dc92e771273d4ebe6467

  • SHA512

    deae0d41db122d19a98524871e347f5d79b1140a254e295e2af857a385edcac0be86f5d7feaf32cec8177079c76aa0eeb44fc35fdb6ac3b84b53e14758c66232

  • SSDEEP

    12288:UMrwy90di7dAdzaxl8q9vBFrCuCHWE8zeD9s:cyddAzaMkdCuC2E8zIa

Score
10/10
redlinedarisdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d90ea8bdc64a2e2a1bc1fe2540aa8a8b08b1f1b05d44dc92e771273d4ebe6467.exe
    "C:\Users\Admin\AppData\Local\Temp\d90ea8bdc64a2e2a1bc1fe2540aa8a8b08b1f1b05d44dc92e771273d4ebe6467.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2774713.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2774713.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6826939.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6826939.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0294678.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0294678.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3272552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3272552.exe
      2⤵
      • Executes dropped EXE
      PID:4840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3272552.exe
    Filesize

    206KB

    MD5

    393419f7f0420f9e5459ca7c77f63f7d

    SHA1

    894d8a2e44ba85095afab81a4cf2d7ec6a3b490e

    SHA256

    07703062d66d1b05516834bed10c65bec274eafd390fce37d16262ecb0ae0e54

    SHA512

    5a2040a0528d9527d3a479afda5b3f059d2b95fae76dec4b01a3204ae0853c3dcb51f2007b372764741a541c7926207d0d5ccf0e1074cc798f339f94f9ed5ff6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3272552.exe
    Filesize

    206KB

    MD5

    393419f7f0420f9e5459ca7c77f63f7d

    SHA1

    894d8a2e44ba85095afab81a4cf2d7ec6a3b490e

    SHA256

    07703062d66d1b05516834bed10c65bec274eafd390fce37d16262ecb0ae0e54

    SHA512

    5a2040a0528d9527d3a479afda5b3f059d2b95fae76dec4b01a3204ae0853c3dcb51f2007b372764741a541c7926207d0d5ccf0e1074cc798f339f94f9ed5ff6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2774713.exe
    Filesize

    308KB

    MD5

    20426e769c9558554d8709ac0ff300f3

    SHA1

    83c3308d9d77decee1f125b6365f319584349b9f

    SHA256

    3b8022086260ce89131bfa38be42c6589ade5657056605fdbd0a0081c1689d2a

    SHA512

    cff1b85445d088bfeba9581f41f2c06a1d3658b44683f996f9dd29d44b58f903c24783c881513d23959f0aebca30fc74b655ac3f5b0911e02e7f9f869bdcd7a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2774713.exe
    Filesize

    308KB

    MD5

    20426e769c9558554d8709ac0ff300f3

    SHA1

    83c3308d9d77decee1f125b6365f319584349b9f

    SHA256

    3b8022086260ce89131bfa38be42c6589ade5657056605fdbd0a0081c1689d2a

    SHA512

    cff1b85445d088bfeba9581f41f2c06a1d3658b44683f996f9dd29d44b58f903c24783c881513d23959f0aebca30fc74b655ac3f5b0911e02e7f9f869bdcd7a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6826939.exe
    Filesize

    168KB

    MD5

    2301af2882f8fe0919359b31080348f5

    SHA1

    ce598529a52ad445afefda6e9ce7b02453439bab

    SHA256

    efe45c45c113a4eac2132e63e26b0646296659b90fafa6abdba97c6f27387c31

    SHA512

    43293aa13438f8f5c2242f890fb62af2bda7100d5330c68a538842bbbcf4382c8f0e42d577dd25cabce7f15f2e332ae9ae791475e230048d0b3f59b1f72f643a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6826939.exe
    Filesize

    168KB

    MD5

    2301af2882f8fe0919359b31080348f5

    SHA1

    ce598529a52ad445afefda6e9ce7b02453439bab

    SHA256

    efe45c45c113a4eac2132e63e26b0646296659b90fafa6abdba97c6f27387c31

    SHA512

    43293aa13438f8f5c2242f890fb62af2bda7100d5330c68a538842bbbcf4382c8f0e42d577dd25cabce7f15f2e332ae9ae791475e230048d0b3f59b1f72f643a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0294678.exe
    Filesize

    179KB

    MD5

    91ab710efa6b4b666fbd67220e1fb679

    SHA1

    8011552171cb08e5282063a85d6656071d024ba5

    SHA256

    3a482318b30f3654afe5106a50a42a1fc5e3cdfb2916ce5e6ca0c58abf0d16ac

    SHA512

    cb99aa348ea6036e4da99af389c7a6224895cbf12a513705222e36e9c8c3146ad1f2252518442573c005f667ec346d5224c9c1457a4636d3be3cd3a2d2243ef8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0294678.exe
    Filesize

    179KB

    MD5

    91ab710efa6b4b666fbd67220e1fb679

    SHA1

    8011552171cb08e5282063a85d6656071d024ba5

    SHA256

    3a482318b30f3654afe5106a50a42a1fc5e3cdfb2916ce5e6ca0c58abf0d16ac

    SHA512

    cb99aa348ea6036e4da99af389c7a6224895cbf12a513705222e36e9c8c3146ad1f2252518442573c005f667ec346d5224c9c1457a4636d3be3cd3a2d2243ef8

    Download Submit

  • memory/2044-153-0x0000000005780000-0x0000000005790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2044-158-0x000000000C550000-0x000000000C712000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2044-151-0x000000000AC20000-0x000000000AC5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2044-154-0x0000000002E50000-0x0000000002EC6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2044-155-0x000000000B850000-0x000000000B8E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2044-156-0x000000000BFA0000-0x000000000C544000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2044-157-0x000000000BA60000-0x000000000BAC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2044-152-0x0000000005780000-0x0000000005790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2044-159-0x000000000CC50000-0x000000000D17C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2044-160-0x000000000BEC0000-0x000000000BF10000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2044-150-0x000000000ABC0000-0x000000000ABD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2044-149-0x000000000AC90000-0x000000000AD9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2044-148-0x000000000B130000-0x000000000B748000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2044-147-0x0000000000E50000-0x0000000000E7E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2552-166-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-170-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-172-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-174-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-176-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-178-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-180-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-182-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-184-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-186-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-188-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-190-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-192-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-193-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-194-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-195-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-196-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-197-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-168-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2552-165-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download