Overview

overview

10

Static

static

1

4e142631fd...1d.exe

windows7-x64

10

4e142631fd...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d.exe

  • Size

    4.2MB

  • MD5

    14a19fbe60eee1f4be4ab217dea3c3a1

  • SHA1

    8905f06351f643552e6dad5530e82607bafb9ec6

  • SHA256

    4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d

  • SHA512

    233ca82e15d6e23217596440a52edfefaf65a1cb27bc5222a752e58a56a30c9a48837080ec86c86aec63da71099df70482d66884acf519b9aad1e55d7d2ee2d0

  • SSDEEP

    98304:4BmFEIOppHcoFTuDffITsn+p7qMDSQjvwxnfpKYDBcI6M2e:jZMdcETuDoYmqMDSQj4ZpKcZ

Score
10/10
gluptebaredlinedropperevasioninfostealerloaderpersistencestealer

Malware Config

Signatures

  • Detects Redline Stealer samples 2 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Detects any file with a triage score of 10 7 IoCs

    This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 10 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d.exe
    "C:\Users\Admin\AppData\Local\Temp\4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d.exe
      "C:\Users\Admin\AppData\Local\Temp\4e142631fd236d5b297398de6975fcbe88558c7437cd8317677b23da9d57391d.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 832
      2⤵
      • Program crash
      PID:2888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4456 -ip 4456
    1⤵
      PID:3324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2age0h3e.q04.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      35KB

      MD5

      c0c4404d7fa40cfc426fa66648e532c2

      SHA1

      d60dcafc42c6cca766a81d5bfdd8e86978940db0

      SHA256

      ca8746b989ce25d54f1b7fa117f804f162d842228b7f6e9422aeaf0cc6a017f3

      SHA512

      c84bb02966316ee10a38f35516964e4b2730a4a36ede9e13e8b3cf8669756dc7ed44fa5d06e30347050b854e6f82219a38db13dce3b16138354aa331c73d02b9

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      5b2ee7b5323d9e654a6fd89831ac784a

      SHA1

      60cd032aad1b116880adefb828e6d2b7cdd0af24

      SHA256

      21b8b89bf60d241639096ecdce683b14bf8fcbd99c4b330c91f4e7b6bb8c27c0

      SHA512

      6504b9f865bff774fe47c035bfb21ef61f8f552fc1c6ea63e04aaef5eea103717a8abc76d099f4389d7e1feb89759b07d7e45412346a6a2a021d68146a2ea177

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      36c5017bdf693d4f03cf12148b6c8490

      SHA1

      3fc40d11f2fc1104dc99dd651030496e61bf77c1

      SHA256

      e45cf691af69143fa2f1fd4f81fd1c06d2674f6dbb056ffbc93ba20bfd588102

      SHA512

      71552d0be811fd2964ba1729a3806e1ea433e48d54ab518eb732670338f5eaf189b8b000dd1639e1ea5ee9cc382c3aa9714acd84b23b51f7aee3282a7e3d06ac

      Download Submit

    • memory/1692-222-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-205-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-206-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-208-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-210-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1692-211-0x0000000070520000-0x0000000070874000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1692-227-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-212-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-224-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1692-223-0x0000000003410000-0x0000000003420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2284-274-0x0000000070580000-0x00000000708D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2284-285-0x000000007FC00000-0x000000007FC10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2284-284-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2284-271-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2284-273-0x00000000703D0000-0x000000007041C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2284-272-0x0000000004830000-0x0000000004840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-158-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-159-0x00000000077B0000-0x0000000007E2A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2744-165-0x00000000702D0000-0x000000007031C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2744-166-0x0000000070470000-0x00000000707C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2744-176-0x0000000007360000-0x000000000737E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2744-177-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-178-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-179-0x00000000074B0000-0x00000000074BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2744-180-0x00000000075C0000-0x0000000007656000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2744-138-0x00000000027A0000-0x00000000027D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2744-182-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-185-0x0000000007050000-0x000000000705E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2744-188-0x0000000007170000-0x000000000718A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2744-189-0x0000000007150000-0x0000000007158000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2744-139-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-140-0x0000000005080000-0x00000000056A8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2744-163-0x0000000007130000-0x000000000714A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2744-141-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-161-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-143-0x0000000004E50000-0x0000000004E72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2744-160-0x0000000004A40000-0x0000000004A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2744-164-0x0000000007380000-0x00000000073B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2744-144-0x0000000004FF0000-0x0000000005056000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2744-157-0x00000000070B0000-0x0000000007126000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2744-156-0x00000000062F0000-0x0000000006334000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2744-155-0x0000000005E00000-0x0000000005E1E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2744-145-0x00000000056B0000-0x0000000005716000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3132-259-0x000000007F730000-0x000000007F740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3132-243-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3132-244-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3132-247-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3132-248-0x00000000703D0000-0x000000007041C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3132-249-0x0000000070B70000-0x0000000070EC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4164-209-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4164-195-0x0000000003020000-0x000000000390B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4456-142-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4456-162-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4456-134-0x0000000003140000-0x0000000003A2B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4456-194-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4456-181-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4456-137-0x0000000003140000-0x0000000003A2B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4456-136-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download

    • memory/4456-135-0x0000000000400000-0x0000000000E41000-memory.dmp

      Filesize

      10.3MB

      Download