Analysis
max time kernel: 141s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2023 20:38
Static task: static1
Behavioral task: behavioral1
  Sample: fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
  Resource: win10v2004-20230220-en
General
Target: fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
Size: 690KB
MD5: 8cb991d44f83950d56b05c5513480254
SHA1: 91861e9496f01a1681d9c1239f3ac4d7803c6883
SHA256: fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9
SHA512: 75e97aa1adc0a96f21816fee16a821fbd2e10921f0a989eb509274284da2b8017758e76369829438d1e25e8bc288d1b4536c2320258c7ae5b00fe8a84eab5336
SSDEEP: 12288:3y90dmJsQJUcyKb+/83yb1E/VIE80qKR2ymJOD7zLSvuH:3yrOc7+QdIZk2ycO//H
Malware Config
Signatures

Detects Redline Stealer samples (1 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/1080-983-0x00000000075E0000-0x0000000007BF8000-memory.dmp | redline_stealer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 94857262.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 94857262.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 94857262.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 94857262.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 94857262.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 94857262.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
pid | Process
2344 | un302444.exe
1172 | 94857262.exe
1080 | rk139230.exe

Windows security modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 94857262.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 94857262.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un302444.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un302444.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1620 | 1172 | WerFault.exe | 84

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1172 | 94857262.exe
1172 | 94857262.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1172 | 94857262.exe
Token: SeDebugPrivilege | 1080 | rk139230.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 740 wrote to memory of 2344 | 740 | fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe | 83
PID 740 wrote to memory of 2344 | 740 | fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe | 83
PID 740 wrote to memory of 2344 | 740 | fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe | 83
PID 2344 wrote to memory of 1172 | 2344 | un302444.exe | 84
PID 2344 wrote to memory of 1172 | 2344 | un302444.exe | 84
PID 2344 wrote to memory of 1172 | 2344 | un302444.exe | 84
PID 2344 wrote to memory of 1080 | 2344 | un302444.exe | 87
PID 2344 wrote to memory of 1080 | 2344 | un302444.exe | 87
PID 2344 wrote to memory of 1080 | 2344 | un302444.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcf6613a3454512e24632047ce20c9ad3098ac76511b2f2abc68d42c4667b0e9.exe"
  PID: 740
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un302444.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un302444.exe
    PID: 2344
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94857262.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94857262.exe
      PID: 1172
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1080
        PID: 1620
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk139230.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk139230.exe
      PID: 1080
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1172 -ip 1172
  PID: 760
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 536KB
MD5: 5b573a4889bcbb8b0ad137a2fd9ec438
SHA1: 4ea6de70e2655e92864e229e5aa6c833d214a907
SHA256: efec0406db2fe14f8c3e976c0ff96a7acd01cfb7b7ccf5bba8e26498659e81ea
SHA512: 1c9ff76d42095f0c2951643e01edf91d27290c69c6b55fae6f08cdd7bbc6c92929fb81f4e881c543de0ecc46765a9d16dc27fa01ecb9e8e6026dd111ae782231

Filesize: 259KB
MD5: 086fdf0ed9298523e0e464c697a83d9b
SHA1: f01b5e2a786ee2dd6d9c4b5b6d0e4eabe97d87c1
SHA256: c6f2cc98fa6815449d730618fa1ef41a81a0fe7bdebcc5f41b11a22d1ce5839a
SHA512: c4849d796beb812eeddbb984976c6bf9350ac0822c0ed49fb332909fb094943c9485d4147eedbc2ab95e9ded09f9dc91c0233a88a5d6baa813eb3988704b2091

Filesize: 341KB
MD5: 661c757d3f34b1ada0fef0b536f263fc
SHA1: 66d9cc199fe247540d730db57eaeab7fea3c6cc2
SHA256: 02d5a4364bb851f2688b58b60d56b009f0b2c50c3cdce9be505842a11dcce7c0
SHA512: acb6f126a66d2aa7abaf65cecf5c3e29c1ff9b4f7f6c49e0a2794123383fc0fe55374d848ae522d6a0212318020f08bf962ba894ab3dd5e36e78a32ddd6ff5f2