Overview

overview

10

Static

static

3

3c38835334...82.exe

windows7-x64

10

3c38835334...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3c3883533442009efd0c3dd708890c45e7538cc00e964ae0674a3087389c6082.exe

  • Size

    376KB

  • MD5

    6e02fd05bbe0db74f83aeccbfe9e49e9

  • SHA1

    76c1b4423f9bb38b9cc5cdb911abab3a7214871e

  • SHA256

    3c3883533442009efd0c3dd708890c45e7538cc00e964ae0674a3087389c6082

  • SHA512

    776514b8af35f6f36f6b09127d23bf9794703e123407ac8cab2887e1b94b45c880a363335dc8cba8af81bf4bc7d602f07e5ff659502508b1b8d840b3cd9d6ecf

  • SSDEEP

    6144:KHy+bnr+6p0yN90QEsU6Iv1y+EsS2FYdKrVeAqdbTF1gL5amKT0Inljq:xMr6y90UILEs8KReAq1Fu4mDInljq

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c3883533442009efd0c3dd708890c45e7538cc00e964ae0674a3087389c6082.exe
    "C:\Users\Admin\AppData\Local\Temp\3c3883533442009efd0c3dd708890c45e7538cc00e964ae0674a3087389c6082.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2523044.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2523044.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9629893.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9629893.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3642225.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3642225.exe
        3⤵
        • Executes dropped EXE
        PID:1476

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2523044.exe
          Filesize

          204KB

          MD5

          31f894990c8f0349b444c5b68d6e1db2

          SHA1

          e41bfb2067bc479ab3e43cc397ad0307c50010af

          SHA256

          8f277a2f5c0ffd6bb5b1664f37802bcf15829a23c4b95b0869b369298ce86b80

          SHA512

          eb31fe5b89aa8ece9cf387799a026cb6403801ec72a49d2196e8881f110d1f2c093752bb4cf57f585d092fcea5cbc65c986272eb6b3ecd72b2698928dc863213

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2523044.exe
          Filesize

          204KB

          MD5

          31f894990c8f0349b444c5b68d6e1db2

          SHA1

          e41bfb2067bc479ab3e43cc397ad0307c50010af

          SHA256

          8f277a2f5c0ffd6bb5b1664f37802bcf15829a23c4b95b0869b369298ce86b80

          SHA512

          eb31fe5b89aa8ece9cf387799a026cb6403801ec72a49d2196e8881f110d1f2c093752bb4cf57f585d092fcea5cbc65c986272eb6b3ecd72b2698928dc863213

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9629893.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9629893.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3642225.exe
          Filesize

          136KB

          MD5

          30d0ee0947be55272def37f502e40d83

          SHA1

          67dec087565870ddbba362f33bc909491d56f0d7

          SHA256

          876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

          SHA512

          0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3642225.exe
          Filesize

          136KB

          MD5

          30d0ee0947be55272def37f502e40d83

          SHA1

          67dec087565870ddbba362f33bc909491d56f0d7

          SHA256

          876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

          SHA512

          0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

          Download Submit

        • memory/1172-147-0x00000000000D0000-0x00000000000DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1476-152-0x0000000000EF0000-0x0000000000F18000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1476-153-0x0000000008300000-0x0000000008918000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1476-154-0x0000000007D40000-0x0000000007D52000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1476-155-0x0000000007E70000-0x0000000007F7A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1476-156-0x0000000007DA0000-0x0000000007DDC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1476-157-0x0000000007E00000-0x0000000007E10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1476-158-0x0000000007E00000-0x0000000007E10000-memory.dmp

          Filesize

          64KB

          Download