Overview

overview

10

Static

static

3

f831d980af...b2.exe

windows7-x64

10

f831d980af...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 20:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f831d980af81c5d2a04319794c73bab19ea76eeeb2202a9c3e15eb4aa0c8a0b2.exe

  • Size

    892KB

  • MD5

    e2ae0107d138a18ee97a0674d1704539

  • SHA1

    b37606c722b71e74324b984f68e8a47b66fe738c

  • SHA256

    f831d980af81c5d2a04319794c73bab19ea76eeeb2202a9c3e15eb4aa0c8a0b2

  • SHA512

    cf05936b4b31245e80eae0d3b57fdbfb864da48d6e35a287c5f698f2e06b3ae53839cb01bcc8daa6ea285f3f8f988f3bade00b69a9ddb6a72fb5d99f00d68c5e

  • SSDEEP

    24576:YyWJB9cr4Owta/aRC8OFxFNpGKL3wUDyIxmpE:fWtA47t2/ZFTNUKEIyIg

Score
10/10
redlinedarkevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dark

C2

185.161.248.73:4164

Attributes
  • auth_value

    ae85b01f66afe8770afeed560513fc2d

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f831d980af81c5d2a04319794c73bab19ea76eeeb2202a9c3e15eb4aa0c8a0b2.exe
    "C:\Users\Admin\AppData\Local\Temp\f831d980af81c5d2a04319794c73bab19ea76eeeb2202a9c3e15eb4aa0c8a0b2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st469462.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st469462.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91278659.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91278659.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp819391.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp819391.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1256
          4⤵
          • Program crash
          PID:1776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr798924.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr798924.exe
      2⤵
      • Executes dropped EXE
      PID:4376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2028 -ip 2028
    1⤵
      PID:3540

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr798924.exe
            Filesize

            170KB

            MD5

            1914eaab4eb60ad1c49ab94d7c2ddbed

            SHA1

            1e02d40b2c793e1767d653ce5c3cab333ca193f2

            SHA256

            41e29a503f144201d03b7bb21fcc22f6c08a739f0c21f6788c71548c13d580ae

            SHA512

            fb16312878a68890636cd8c5c60d68b572ea55c1d8322d8bba6d491038d3f0f7415600929f4cd971f03543584ef63cf550b6687696d6e760c18f99e48c4c6c23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr798924.exe
            Filesize

            170KB

            MD5

            1914eaab4eb60ad1c49ab94d7c2ddbed

            SHA1

            1e02d40b2c793e1767d653ce5c3cab333ca193f2

            SHA256

            41e29a503f144201d03b7bb21fcc22f6c08a739f0c21f6788c71548c13d580ae

            SHA512

            fb16312878a68890636cd8c5c60d68b572ea55c1d8322d8bba6d491038d3f0f7415600929f4cd971f03543584ef63cf550b6687696d6e760c18f99e48c4c6c23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st469462.exe
            Filesize

            739KB

            MD5

            0d161b09550c1f9b639686d869ea73ac

            SHA1

            12c3ff640bc50e610f09d8585e2a241d39d5a231

            SHA256

            d1c9a3433cbd181f91bf64fdd7baf3a78cdecbfbddeffed9b0e9aa2f1438a643

            SHA512

            9fe35c8950997406356d593234586e73796273b67e40d8e9877d5f5148d15e2290ab94eb26c54241003d628eb2c40a9007d429c5161ce8d043e67dfbdb3cb010

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st469462.exe
            Filesize

            739KB

            MD5

            0d161b09550c1f9b639686d869ea73ac

            SHA1

            12c3ff640bc50e610f09d8585e2a241d39d5a231

            SHA256

            d1c9a3433cbd181f91bf64fdd7baf3a78cdecbfbddeffed9b0e9aa2f1438a643

            SHA512

            9fe35c8950997406356d593234586e73796273b67e40d8e9877d5f5148d15e2290ab94eb26c54241003d628eb2c40a9007d429c5161ce8d043e67dfbdb3cb010

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91278659.exe
            Filesize

            302KB

            MD5

            16466b3dbaeb8b9f6f5707c5cb0c9632

            SHA1

            cf5ae1d494824eb98c0912f412ec75684f842484

            SHA256

            5d2108aee36712fc8a61562afbd68598254bdc4a97215b183cb90417805b9ac4

            SHA512

            4140a66df223d555fb0c5d0d740afe0370e61a0e48a1bf607e7ae289f48d4d3015f93d813320b83480a66a9f0a834028c3b47fe1705c74e5568fbed63d06e8a3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\91278659.exe
            Filesize

            302KB

            MD5

            16466b3dbaeb8b9f6f5707c5cb0c9632

            SHA1

            cf5ae1d494824eb98c0912f412ec75684f842484

            SHA256

            5d2108aee36712fc8a61562afbd68598254bdc4a97215b183cb90417805b9ac4

            SHA512

            4140a66df223d555fb0c5d0d740afe0370e61a0e48a1bf607e7ae289f48d4d3015f93d813320b83480a66a9f0a834028c3b47fe1705c74e5568fbed63d06e8a3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp819391.exe
            Filesize

            581KB

            MD5

            91e6986a2b439477ca33c9f3f7fe0ea0

            SHA1

            8a9a0667835d45ad25d6af3067ac4599529f7e05

            SHA256

            2ae0e36f5a300e6c18ea2c93436d8e94b11cd0f2ca4274d2c4939e7ddfced1bb

            SHA512

            c58d02c959d48bca30ae60fbc7d9f26dc16baaca05f15980e868533f6a846ddb26e7e6e085070855453e6f92b3b3e65e4e0df554a34e233701ded8cce23461ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp819391.exe
            Filesize

            581KB

            MD5

            91e6986a2b439477ca33c9f3f7fe0ea0

            SHA1

            8a9a0667835d45ad25d6af3067ac4599529f7e05

            SHA256

            2ae0e36f5a300e6c18ea2c93436d8e94b11cd0f2ca4274d2c4939e7ddfced1bb

            SHA512

            c58d02c959d48bca30ae60fbc7d9f26dc16baaca05f15980e868533f6a846ddb26e7e6e085070855453e6f92b3b3e65e4e0df554a34e233701ded8cce23461ee

            Download Submit

          • C:\Windows\Temp\1.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Windows\Temp\1.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Windows\Temp\1.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • memory/1420-198-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-210-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-160-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-162-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-164-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-166-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-168-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-170-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-172-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-174-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-176-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-178-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-180-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-182-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-184-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-186-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-188-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-190-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-192-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-194-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-196-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-156-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-200-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-202-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-204-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-206-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-208-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-158-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-212-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-214-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-2279-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1420-154-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-152-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-151-0x00000000049C0000-0x0000000004A11000-memory.dmp

            Filesize

            324KB

            Download

          • memory/1420-150-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1420-149-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1420-147-0x0000000004AE0000-0x0000000005084000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1420-148-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-4452-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-2359-0x0000000000840000-0x000000000089B000-memory.dmp

            Filesize

            364KB

            Download

          • memory/2028-4446-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-4448-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-4449-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-4451-0x0000000005760000-0x00000000057F2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2028-2360-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2028-2362-0x00000000024F0000-0x0000000002500000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3692-2295-0x0000000000750000-0x000000000075A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4376-4460-0x000000000ABB0000-0x000000000B1C8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4376-4459-0x00000000007B0000-0x00000000007E0000-memory.dmp

            Filesize

            192KB

            Download

          • memory/4376-4461-0x000000000A730000-0x000000000A83A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4376-4462-0x000000000A660000-0x000000000A672000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4376-4463-0x0000000005100000-0x0000000005110000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-4464-0x000000000A6C0000-0x000000000A6FC000-memory.dmp

            Filesize

            240KB

            Download