Analysis

max time kernel: 158s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 21:44
Static task: static1

Behavioral task: behavioral1
  Sample: 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe
  Resource: win10v2004-20230220-en

This page reports the behavioral2 run: the platform and resource fields above are the win10v2004-20230220-en image, and the memory YARA hit below is filed under behavioral2.
General

Target: 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe
Size: 1.2MB
MD5: d31ed39b0feeca988cb199c60349cc3f
SHA1: 23337854ee01717a75aa509fde69d5d72d334d0a
SHA256: 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53
SHA512: 08c50628e44a0cb8a0e6ee9a23fd7b89497e7dd76eb1f87bb3f3ee49b5d7e84d4c5a1cde14fb86a2b7e58235a3d960e61e3e09e38eaefb90a928b4145f4e56e3
SSDEEP: 24576:3yg5OfWDQBIbIl0F8lN3Bhl9076awMtS6BlnCxQpkNc7LZOdS/TOkkN:CgsfWDxbIOGljS+jMtSGYxQ6Nc3Ad0T5
Malware Config

Extracted: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91

Both extracted configurations point at the same C2 endpoint and differ only in botnet tag and auth_value, so 185.161.248.73:4164 is the single network IOC to take from this sample; the two auth_value strings identify the two RedLine builds bundled inside it.
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4336-2333-0x000000000B260000-0x000000000B878000-memory.dmp
  yara_rule: redline_stealer
The matching region was dumped from PID 4336, which the process list below identifies as C:\Windows\Temp\1.exe, the innermost process of the drop chain. The outer layers do not trigger the rule; the RedLine code is only visible once 1.exe is running.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  process: s98246284.exe (PID 2208)
  key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (6 IoCs)
  PID 3680  z82588226.exe
  PID 4500  z14105471.exe
  PID 744   z37525293.exe
  PID 2208  s98246284.exe
  PID 4336  1.exe
  PID 372   t48027947.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Each of the first four layers creates \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (four "Key created" IoCs) and sets one string value under it (four "Set value (str)" IoCs; the JSON-style backslash escaping of the raw report is removed here):

  process                                   value              data
  49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe  wextract_cleanup0  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  z82588226.exe                             wextract_cleanup1  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  z14105471.exe                             wextract_cleanup2  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  z37525293.exe                             wextract_cleanup3  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"

Caveat for triage: wextract_cleanupN values are the standard cleanup hook written by the Windows self-extracting stub (wextract/IExpress). At the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP00N.TMP extraction directory; nothing is relaunched. So the signature name is misleading here: these entries do not give the payload persistence, they remove the intermediate droppers. What the four values do establish is that the sample is four nested SFX layers (IXP000.TMP through IXP003.TMP), each unpacking the next into its own temp directory.
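To separate the wextract cleanup hook from real autostart entries when reading reports like this one, here is an added example (my code, not part of the report or of the sandbox) that parses "Set value" lines, recognises a RunOnce value named wextract_cleanupN whose data invokes advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory, and reports anything else under a Run or RunOnce key as a persistence candidate. The first four inputs are the report's own lines; the fifth, a Run value named Updater pointing at updater.exe, is hypothetical and constructed only for contrast.

```python
import re

# Constructed sample input. Entries 0-3 are the RunOnce values the report
# shows the nested SFX layers writing. Entry 4 is a HYPOTHETICAL Run value,
# not from the report, included only to show a genuine autostart entry.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""',
    # hypothetical contrast entry (constructed, not observed in this sample)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"',
]

# "Set value (type) <key path>\<value name> = "<data>""
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)

# The wextract stub's cleanup command: advpack's DelNodeRunDLL32 aimed at an
# IXPnnn.TMP extraction directory.
WEXTRACT_CLEANUP_RE = re.compile(
    r"advpack\.dll,DelNodeRunDLL32\b.*?(?P<tmpdir>IXP\d{3}\.TMP)", re.IGNORECASE
)

# Key suffixes (lower-cased) that count as autostart locations.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def classify(event):
    """Parse one 'Set value' line and label it.

    verdict is one of:
      'wextract-cleanup'       RunOnce\\wextract_cleanupN deleting an IXPnnn.TMP dir
      'persistence-candidate'  any other value under a Run/RunOnce key
      'other'                  not an autostart key at all
    Returns None for lines that are not 'Set value' events.
    """
    m = SET_VALUE_RE.match(event)
    if not m:
        return None
    key, name, data = m["key"], m["name"], m["data"]
    lowered = key.lower()
    result = {"key": key, "name": name, "data": data, "verdict": "other", "temp_dir": None}
    if not any(lowered.endswith(s) for s in AUTOSTART_SUFFIXES):
        return result
    cleanup = WEXTRACT_CLEANUP_RE.search(data)
    if lowered.endswith("\\runonce") and name.lower().startswith("wextract_cleanup") and cleanup:
        result["verdict"] = "wextract-cleanup"
        result["temp_dir"] = cleanup["tmpdir"]
    else:
        result["verdict"] = "persistence-candidate"
    return result


def classify_all(events):
    """Classify every parseable event, preserving input order."""
    return [r for r in (classify(e) for e in events) if r is not None]


def persistence_candidates(events):
    """Value names that still deserve a look after the SFX noise is removed."""
    return [r["name"] for r in classify_all(events) if r["verdict"] == "persistence-candidate"]


if __name__ == "__main__":
    for r in classify_all(REGISTRY_EVENTS):
        extra = f" (deletes {r['temp_dir']})" if r["temp_dir"] else ""
        print(f"{r['verdict']:22} {r['name']}{extra}")
```

Run against the report's four lines alone, the persistence-candidate list is empty; only the constructed Updater entry would surface, which is the point: the wextract hook should be filtered before anyone writes "establishes persistence via RunOnce" in a ticket.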
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  WerFault.exe (PID 1100) handled a crash of s98246284.exe (PID 2208).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  s98246284.exe (PID 2208) enabled SeDebugPrivilege in its token.
Suspicious use of WriteProcessMemory (18 IoCs)
Six distinct writer/target pairs, each logged three times:

  2056 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe -> 3680 z82588226.exe
  3680 z82588226.exe -> 4500 z14105471.exe
  4500 z14105471.exe -> 744 z37525293.exe
  744 z37525293.exe -> 2208 s98246284.exe
  2208 s98246284.exe -> 4336 1.exe
  744 z37525293.exe -> 372 t48027947.exe

Every write targets a direct child in the process tree below; no process writes into an unrelated process. Whether a given parent is merely staging its child or hollowing it cannot be settled from this log alone; the one pair worth a closer look is s98246284.exe -> 1.exe, since the RedLine YARA match is in 1.exe's memory.
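The flat list above is hard to read as a chain. As an added example (my code, not part of the report or of the sandbox), the script below parses "wrote to memory" lines, collapses the triplicate events, rebuilds the parent/child tree, and prints the path from the submitted sample down to each leaf process, which is where the dropped payloads sit. The sample input is a constructed subset of the 18 events above, with the first pair kept twice to show the collapsing.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "wrote to memory" events from the report
# above. The first pair is kept twice to show that repeated events collapse.
WPM_EVENTS = """
PID 2056 wrote to memory of 3680 2056 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe z82588226.exe
PID 2056 wrote to memory of 3680 2056 49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe z82588226.exe
PID 3680 wrote to memory of 4500 3680 z82588226.exe z14105471.exe
PID 4500 wrote to memory of 744 4500 z14105471.exe z37525293.exe
PID 744 wrote to memory of 2208 744 z37525293.exe s98246284.exe
PID 2208 wrote to memory of 4336 2208 s98246284.exe 1.exe
PID 744 wrote to memory of 372 744 z37525293.exe t48027947.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_events(text):
    """Return (edges, names): unique (writer, target) PID pairs in first-seen
    order, plus a PID -> image-name map."""
    edges, names, seen = [], {}, set()
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, names


def build_tree(edges):
    """Parent -> [children] map, child -> parent map, and the root PIDs
    (writers that were never written to)."""
    children, parents = defaultdict(list), {}
    for parent, child in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = [p for p in children if p not in parents]
    return children, parents, roots


def chain_to(parents, names, pid):
    """Image names from the root down to `pid`."""
    chain = [pid]
    while pid in parents:
        pid = parents[pid]
        chain.append(pid)
    return [names.get(p, "?") for p in reversed(chain)]


def leaves(children, root):
    """PIDs under `root` that never wrote to anyone: the final payloads."""
    if root not in children:
        return [root]
    out = []
    for c in children[root]:
        out.extend(leaves(children, c))
    return out


def render(children, names, root, indent=0):
    """Indented text tree, one process per line."""
    lines = [f"{'  ' * indent}{names.get(root, '?')} (PID {root})"]
    for c in children.get(root, []):
        lines.extend(render(children, names, c, indent + 1))
    return lines


if __name__ == "__main__":
    edges, names = parse_events(WPM_EVENTS)
    children, parents, roots = build_tree(edges)
    for r in roots:
        print("\n".join(render(children, names, r)))
    for leaf in leaves(children, roots[0]):
        print("payload:", " -> ".join(chain_to(parents, names, leaf)))
```

The two leaves it reports for this sample are 1.exe (PID 4336) and t48027947.exe (PID 372); the depth of the 1.exe chain, five hops below the submitted file, is the number of unpacking layers an analyst has to strip to reach the RedLine build.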
Processes

C:\Users\Admin\AppData\Local\Temp\49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe (PID 2056)
  command line: "C:\Users\Admin\AppData\Local\Temp\49bd955e7a32eafec0bbacb7767cfb14cfca37edcb094bbc71ddf9c2e2b0ce53.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z82588226.exe (PID 3680)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z14105471.exe (PID 4500)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37525293.exe (PID 744)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s98246284.exe (PID 2208)
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Temp\1.exe (PID 4336)
            command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
          C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1376 (PID 1100)
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t48027947.exe (PID 372)
          - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2208 -ip 2208 (PID 4232)

Read top-down: four nested self-extracting layers (IXP000.TMP through IXP003.TMP), with the innermost layer, z37525293.exe, dropping two executables. s98246284.exe performs the geofence check, enables SeDebugPrivilege, spawns C:\Windows\Temp\1.exe (the process whose memory matches the redline_stealer rule) and then crashes under WerFault; t48027947.exe runs alongside it and shows no further signatures in this run.
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped files, deduplicated by hash (each file appeared two or three times in the report with identical hashes):

Filesize: 1.0MB
  MD5: bc20095760b0bfa83736f9d3ce92dbaf
  SHA1: d8f00720d54b9ef9b6ddae77608f8e7b2470b2dd
  SHA256: 5161256c0f4483ae26654f1f9dcf62f9235f84ecd2febd2cacdf521e4506e612
  SHA512: c8ed38b230ccc1c5007b8e26ec66890a03f9b7f3c832d1e9f746e05b1e0bde002e52efcbb1baf9d380ffc49f12faa48b57d10874778fb1b40aab2caa64098b1d

Filesize: 759KB
  MD5: f17ab5eb2636df2ba0d3c1f994cf0557
  SHA1: ee82c8a0f43d0034c231a9cabcffefa6bdd8f5bd
  SHA256: 9371769915191aec29fb75083091b53f85d208bfae2927f43fb64bc8f3cc9f85
  SHA512: 9837d60793471eff4d674c1b191b66b7610601fac0a29fb12e56564b9715f42c027a2e43f8ecd52e746dc058d6114247def1b964a49aeba911d6e3b32d48fae7

Filesize: 577KB
  MD5: e566dd597b5ebab452bbc1de51502453
  SHA1: 8acc3f44ace4b79b30074640f6533a1a5a5661dc
  SHA256: f2824764b41678ede3d7ef62dff4b0d0af6e1c7b419dfe86a2ecdd7cd9a9b132
  SHA512: 4323099c48c3c2f2c2aa1e3efeaab5fd0c36e0c6916cddd906ffcab9f4d71fb5daeae650a7fa76553cb9099dc522fc6ed14229db03bf07f4e016da84c7e949c1

Filesize: 574KB
  MD5: f14cdf9e733e44dbb7b2344e65d7e618
  SHA1: 622847548f6d0d5ddf4a32bb467f197cd982ffe4
  SHA256: b345299aba07aa2827da5b50b236301e0d128b296213f1bccc78310500c61dc2
  SHA512: bc8a8c27a16eec98b5fdf0d7f00eb057e11cac4fc0cb5f8b976d308b8edece0ccdcd09aac85121bf1241c572deddde52c5076fadc54f59c780437462616cc70d

Filesize: 169KB
  MD5: 50725fa2821ac67ed43ad099a9d1d1f9
  SHA1: aff74792699314c2d523a4152c3e9bbca978d9dd
  SHA256: cd8238485b9853ae72f159f6a8029a619a9151c99b2a9ccb24d59a1d5267c9e9
  SHA512: d41b6837b15a3e20c6cf1d3035935069c6e6940d05c7007672bc5c64e59abfa8f4dc32b886a63386652de450905fab93cffa5f345e165b7e62ee914cecb002c0

Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf