Overview

overview

10

Static

static

3

4329e76219...42.exe

windows7-x64

10

4329e76219...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe

  • Size

    480KB

  • MD5

    aa4d92d7e29127412ab7b815c9e188d5

  • SHA1

    5c85d479e8fa55843246b294eb4133b28645b8f8

  • SHA256

    4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42

  • SHA512

    a203fa76fad8291b056bad6a8d3b2cdf8995d339e570a5eeb4865b167975a83a73e8fa09ecdf5bf1e1513f7d3be6a1c2dc54115328ee694750b1a8cfb9513958

  • SSDEEP

    12288:CMr5y90gX2BLOJxHnV64GvdrtYTq9pGtfGCiy+Nl+B:TyLeODnlEdh7u3iuB

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe
    "C:\Users\Admin\AppData\Local\Temp\4329e7621926a7be0b5425095cdb44ff4e7f55911fb5a514e4d13eafc2b5db42.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
        3⤵
        • Executes dropped EXE
        PID:396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
    Filesize

    308KB

    MD5

    08dbcc9196cde1876eb96e92e9573fee

    SHA1

    8e271b455722fef13e63b2b24e8ef8d5fc2edd92

    SHA256

    f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

    SHA512

    7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4829590.exe
    Filesize

    308KB

    MD5

    08dbcc9196cde1876eb96e92e9573fee

    SHA1

    8e271b455722fef13e63b2b24e8ef8d5fc2edd92

    SHA256

    f5de245313e59cd462c6219aa7b176575e45dfd3453fa0d02051fafc385a3605

    SHA512

    7459fc72b3d6879330e8646f1179fb7d5db2103de364d30dfabe1d9a721bb6f58e02fd3e73b7aa3f53ba7dcb6509e530aa626ec02cb2fe794f56635db1ed8963

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
    Filesize

    176KB

    MD5

    767489e8edf5f9f601cee1211e4914be

    SHA1

    5cf597ac8311b8e2e8c5137a929f73e960297cfa

    SHA256

    3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

    SHA512

    46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8253627.exe
    Filesize

    176KB

    MD5

    767489e8edf5f9f601cee1211e4914be

    SHA1

    5cf597ac8311b8e2e8c5137a929f73e960297cfa

    SHA256

    3b543bc2e433554c28c0b9e7c95f45c011dd4a3a2138412a45208d60a558a2f8

    SHA512

    46e6de2468e585feb6c05cf65e20a220ebc5abc962d2e955dc90ea3c33a43527ee175846c4a692e105533814fdccda62a1b1539faeb624062a7b48c6efe156f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
    Filesize

    136KB

    MD5

    7dfc4202db1c9a6ea03e10c58eadd6df

    SHA1

    62a1aedd2daf734e121222129a190d40b4dbb2b3

    SHA256

    d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

    SHA512

    daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0246952.exe
    Filesize

    136KB

    MD5

    7dfc4202db1c9a6ea03e10c58eadd6df

    SHA1

    62a1aedd2daf734e121222129a190d40b4dbb2b3

    SHA256

    d48bbedbbc8e06b3c085ec8aadad5ffa778639513870dc65840b2bbe28685bd6

    SHA512

    daa8f27d83adc66f76f7f7a2058feebfa8ca18d9459c05bc8780771a2eb4a228a2172a6ea903d98104d61fece82ba2e7e620487a78aa3117f9b0eb8fb255a3a8

    Download Submit

  • memory/396-190-0x0000000007730000-0x000000000776C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/396-189-0x0000000007800000-0x000000000790A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/396-188-0x00000000076D0000-0x00000000076E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/396-187-0x0000000007C40000-0x0000000008258000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/396-186-0x00000000009C0000-0x00000000009E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/396-191-0x0000000007AF0000-0x0000000007B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/396-192-0x0000000007AF0000-0x0000000007B00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-166-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-180-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-164-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-160-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-168-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-170-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-172-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-174-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-176-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-178-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-179-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-162-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-181-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-158-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-152-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-154-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-156-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-151-0x00000000023F0000-0x0000000002402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-150-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-149-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-148-0x0000000004BF0000-0x0000000004C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-147-0x0000000004C00000-0x00000000051A4000-memory.dmp

    Filesize

    5.6MB

    Download