Analysis
-
max time kernel
168s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 20:38
General
-
Target
fda62ef2a98557836db4a15e4daf783300da40f3287f49f565942737ff18842e.exe
-
Size
566KB
-
MD5
d9d8138409bbbb7d09d9ddb6a60202e9
-
SHA1
9a1e909a951f39e08a33dd54a656d47e2b8877b8
-
SHA256
fda62ef2a98557836db4a15e4daf783300da40f3287f49f565942737ff18842e
-
SHA512
51915c2b8763eaa167a4117d16cca00f9593698392714a50576be2f66a3154223d01313f169878805076a84dcfa5ba630cbb1d705569e8eeccfd07a0300445ef
-
SSDEEP
12288:YMrRy90hkU9zXHHigTyXE47QpYsaVXgPzjeC:pyvU9Xi7XApYzVQ/
Malware Config
Extracted
redline
darm
217.196.96.56:4138
-
auth_value
d88ac8ccc04ab9979b04b46313db1648
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fda62ef2a98557836db4a15e4daf783300da40f3287f49f565942737ff18842e.exe"C:\Users\Admin\AppData\Local\Temp\fda62ef2a98557836db4a15e4daf783300da40f3287f49f565942737ff18842e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2592787.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2592787.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1364942.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1364942.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2951539.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2951539.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8196275.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8196275.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 6963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 7803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 8003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 9763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 10083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 10083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 12163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 11523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 11923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 13523⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 8083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4804 -ip 48041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4804 -ip 48041⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
MD5b32c037ee28210ef31f32a00d0239255
SHA1219b74dced609655a7f60d7c70e80b78f5fabc26
SHA2568a2efe15e2bf6d634913ce13e372eebc141fcd5898e7d7c0d1b3dac5dc9e8f12
SHA51242ee360f1aa9dd91bd7bd30aed320bb7b019622f54105359aff00298d7f8d59dee903396f90b00e0636a3955344c75ce22389c714c10769758c1382520bbbbaf
-
Filesize
268KB
MD5b32c037ee28210ef31f32a00d0239255
SHA1219b74dced609655a7f60d7c70e80b78f5fabc26
SHA2568a2efe15e2bf6d634913ce13e372eebc141fcd5898e7d7c0d1b3dac5dc9e8f12
SHA51242ee360f1aa9dd91bd7bd30aed320bb7b019622f54105359aff00298d7f8d59dee903396f90b00e0636a3955344c75ce22389c714c10769758c1382520bbbbaf
-
Filesize
307KB
MD57be36e0fcef9d9404ddb79f6713a2d18
SHA1fd07e4e183ad0838b7e672cde877274cc2e3a7aa
SHA2563cda3cc6da3eb9ff257255160a85a1f2a4f50aa79f557e397083e3e34e05efe4
SHA512ac9e295c94bdfa9d56c327df2f98d2b55b4184ad4cb6c91672e9fe9d71d1c90e402e79f7119cd345e02f1361072679818c079964d22164a66a65fce7199075ea
-
Filesize
307KB
MD57be36e0fcef9d9404ddb79f6713a2d18
SHA1fd07e4e183ad0838b7e672cde877274cc2e3a7aa
SHA2563cda3cc6da3eb9ff257255160a85a1f2a4f50aa79f557e397083e3e34e05efe4
SHA512ac9e295c94bdfa9d56c327df2f98d2b55b4184ad4cb6c91672e9fe9d71d1c90e402e79f7119cd345e02f1361072679818c079964d22164a66a65fce7199075ea
-
Filesize
168KB
MD5cab1e6da9e6da4513e78605f43a770b2
SHA102891ce606606566c3d193a039fe5750d5c087ef
SHA256bf101611b40586cfd6723bdaf4f9c06e7fdfb8bb1fd15c04bfbf6ecbf7a3fb9a
SHA512265886a7a90e8d673f4dc58f61e237f8ce8fef65bc6c52793b544456835e6217426b603cb4bae0d42de9fcc82768c82938ba261870f8b7968dc0ffb5d581f7f9
-
Filesize
168KB
MD5cab1e6da9e6da4513e78605f43a770b2
SHA102891ce606606566c3d193a039fe5750d5c087ef
SHA256bf101611b40586cfd6723bdaf4f9c06e7fdfb8bb1fd15c04bfbf6ecbf7a3fb9a
SHA512265886a7a90e8d673f4dc58f61e237f8ce8fef65bc6c52793b544456835e6217426b603cb4bae0d42de9fcc82768c82938ba261870f8b7968dc0ffb5d581f7f9
-
Filesize
178KB
MD5dea34e51eada03e5f6d2121c2b5a24f4
SHA146cbbe9a8be7fab1ca500700ac772fc60080a81a
SHA256f92a712e4b5b909e9da568f74a77f25b03b3cd6b647262f50dfbb56b705e2a75
SHA512b056cb763aa769393fe001bd62bbb1fd3a454be95f5d88e8da322076a89ec4220b67afff338871a593b3c60f15bebdd483f78459993cfb1885f726ebd41c5dae
-
Filesize
178KB
MD5dea34e51eada03e5f6d2121c2b5a24f4
SHA146cbbe9a8be7fab1ca500700ac772fc60080a81a
SHA256f92a712e4b5b909e9da568f74a77f25b03b3cd6b647262f50dfbb56b705e2a75
SHA512b056cb763aa769393fe001bd62bbb1fd3a454be95f5d88e8da322076a89ec4220b67afff338871a593b3c60f15bebdd483f78459993cfb1885f726ebd41c5dae
-
Filesize
268KB
MD5b32c037ee28210ef31f32a00d0239255
SHA1219b74dced609655a7f60d7c70e80b78f5fabc26
SHA2568a2efe15e2bf6d634913ce13e372eebc141fcd5898e7d7c0d1b3dac5dc9e8f12
SHA51242ee360f1aa9dd91bd7bd30aed320bb7b019622f54105359aff00298d7f8d59dee903396f90b00e0636a3955344c75ce22389c714c10769758c1382520bbbbaf
-
Filesize
268KB
MD5b32c037ee28210ef31f32a00d0239255
SHA1219b74dced609655a7f60d7c70e80b78f5fabc26
SHA2568a2efe15e2bf6d634913ce13e372eebc141fcd5898e7d7c0d1b3dac5dc9e8f12
SHA51242ee360f1aa9dd91bd7bd30aed320bb7b019622f54105359aff00298d7f8d59dee903396f90b00e0636a3955344c75ce22389c714c10769758c1382520bbbbaf
-
Filesize
268KB
MD5b32c037ee28210ef31f32a00d0239255
SHA1219b74dced609655a7f60d7c70e80b78f5fabc26
SHA2568a2efe15e2bf6d634913ce13e372eebc141fcd5898e7d7c0d1b3dac5dc9e8f12
SHA51242ee360f1aa9dd91bd7bd30aed320bb7b019622f54105359aff00298d7f8d59dee903396f90b00e0636a3955344c75ce22389c714c10769758c1382520bbbbaf
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
212KB
-
Filesize
2.8MB
-
Filesize
212KB