Overview

overview

10

Static

static

3

42e697d8a6...ee.exe

windows7-x64

10

42e697d8a6...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe

  • Size

    479KB

  • MD5

    8fa03ba8d6cf5b72d02080a57c6cd1e2

  • SHA1

    f23aff55bd0b99dd493f8d94a8369aeda50d5515

  • SHA256

    42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee

  • SHA512

    cf64ceabf769f1949948a3f064a12eee30d158f421607befa3252e3ff187f673853556a2ab66b43e1c9f7a7860dfcf14551348c8c8925fb986d7cf61432e4a92

  • SSDEEP

    6144:KRy+bnr+Ip0yN90QEnWrRQVPIF0+1YqkyJZlEYnzbPs5qJpjl9iobv6dp3yYWn3V:DMrky90QGVPIFrKPyJZbnzSUERpjv0

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe
    "C:\Users\Admin\AppData\Local\Temp\42e697d8a6f6510a0ca0926b985d0a77f3ac53a8ba5f96c930cff8966d6391ee.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
        3⤵
        • Executes dropped EXE
        PID:3504

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
          Filesize

          308KB

          MD5

          71049c4bc5ab36dc073cf7d8ddfc7648

          SHA1

          60d686b93cedb076e2d275441bd4a0eec20853d5

          SHA256

          a72842a24243d60b2cbf4bea83f8193b582f02e2f40f19b38bb79b81dfd13ef5

          SHA512

          2a925f78d2209ad202146d6a5a12eca0d2917edb697805f9fb72a30e15f5e923defd6ed727cdf0efea6d93592d6ef3cfddce0c00d2d83c64bcf466faee3593a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844578.exe
          Filesize

          308KB

          MD5

          71049c4bc5ab36dc073cf7d8ddfc7648

          SHA1

          60d686b93cedb076e2d275441bd4a0eec20853d5

          SHA256

          a72842a24243d60b2cbf4bea83f8193b582f02e2f40f19b38bb79b81dfd13ef5

          SHA512

          2a925f78d2209ad202146d6a5a12eca0d2917edb697805f9fb72a30e15f5e923defd6ed727cdf0efea6d93592d6ef3cfddce0c00d2d83c64bcf466faee3593a1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
          Filesize

          176KB

          MD5

          c84ba20ff49929fab6cd9b23e9e742a6

          SHA1

          d1325e3b07eccf4a1a2acbf030341493586aa76f

          SHA256

          ecc667cc08f5d444328e7fa1c04485dbbe79d553e85a12036b078c1319d0c3e7

          SHA512

          62988e40787bf41b43fc82c90f715d79206cc98f6e6a0b2318fbecfc73b4b07004b8a40f9c31bab374a57dbcbd26654d6ed98498264d588ca029ad276cbdedba

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0290891.exe
          Filesize

          176KB

          MD5

          c84ba20ff49929fab6cd9b23e9e742a6

          SHA1

          d1325e3b07eccf4a1a2acbf030341493586aa76f

          SHA256

          ecc667cc08f5d444328e7fa1c04485dbbe79d553e85a12036b078c1319d0c3e7

          SHA512

          62988e40787bf41b43fc82c90f715d79206cc98f6e6a0b2318fbecfc73b4b07004b8a40f9c31bab374a57dbcbd26654d6ed98498264d588ca029ad276cbdedba

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
          Filesize

          136KB

          MD5

          9a5f3a1f4992096ff6972577177ec5b2

          SHA1

          34018bea2cca77008975b86b601280e753782280

          SHA256

          2cece02c68cf8f7220d30614ffa7f4f8f30548511acd6bef8f4a4bbf1e6bf725

          SHA512

          247ed5a518d67dbded2440a409c76320a45364662ed6ae3bab1810f1b56e8f901ef6bbceb33d05ded118f9e68841c096cfb06969f4f06bc88d8fd0fc1cb68ff9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6355288.exe
          Filesize

          136KB

          MD5

          9a5f3a1f4992096ff6972577177ec5b2

          SHA1

          34018bea2cca77008975b86b601280e753782280

          SHA256

          2cece02c68cf8f7220d30614ffa7f4f8f30548511acd6bef8f4a4bbf1e6bf725

          SHA512

          247ed5a518d67dbded2440a409c76320a45364662ed6ae3bab1810f1b56e8f901ef6bbceb33d05ded118f9e68841c096cfb06969f4f06bc88d8fd0fc1cb68ff9

          Download Submit

        • memory/1912-169-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-177-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-149-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-155-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-159-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-157-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-161-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-163-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-165-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-167-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-153-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-173-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-171-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-175-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-176-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-151-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-178-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-179-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-180-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-181-0x0000000004A00000-0x0000000004A10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1912-148-0x0000000004950000-0x0000000004962000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1912-147-0x0000000004A10000-0x0000000004FB4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3504-186-0x00000000003A0000-0x00000000003C8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3504-187-0x0000000007610000-0x0000000007C28000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3504-188-0x00000000070B0000-0x00000000070C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3504-189-0x00000000071E0000-0x00000000072EA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3504-190-0x0000000007140000-0x000000000717C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3504-191-0x00000000070F0000-0x0000000007100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-192-0x00000000070F0000-0x0000000007100000-memory.dmp

          Filesize

          64KB

          Download