Analysis

max time kernel: 186s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 21:56
Static task: static1

Behavioral task: behavioral1
  Sample: 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
  Resource: win10v2004-20230220-en
General

Target: 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
Size: 587KB
MD5: 08fe701adcd51f0fc850c5a8ad0bdeea
SHA1: beded60d590d4f4b737127dda2e9d6c034f82fed
SHA256: 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9
SHA512: 72e6666c3e361aa1eac920b5ff27cab033f303433b71890bd8f635be8beb86a58a76c17220025ec541b83f16487a76491a44bc87bcbd532e372f9ebecfe9b89b
SSDEEP: 12288:5MrXy90BGCYgSJGQY1BApUBTBy/xWoXrWbPVisPqqpPL4ZuQe6d2c:myDg65aBFBTBy/xWXDdpPLxQ/dT
Malware Config

Extracted
  Family: redline
  Botnet: daris
  C2: 217.196.96.56:4138
  auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

Detects Redline Stealer samples (1 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/4400-149-0x000000000A420000-0x000000000AA38000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (2 IoCs)
  pid | Process
  916 | x3755299.exe
  4400 | g1978789.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x3755299.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x3755299.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2680 wrote to memory of 916 | 2680 | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe | 81
  PID 2680 wrote to memory of 916 | 2680 | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe | 81
  PID 2680 wrote to memory of 916 | 2680 | 52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe | 81
  PID 916 wrote to memory of 4400 | 916 | x3755299.exe | 82
  PID 916 wrote to memory of 4400 | 916 | x3755299.exe | 82
  PID 916 wrote to memory of 4400 | 916 | x3755299.exe | 82
Processes

C:\Users\Admin\AppData\Local\Temp\52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52fe387f2a61b46e337a863669d80d34d343f4f46f2b41167cee09a3759604a9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2680

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3755299.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 916

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1978789.exe
      - Executes dropped EXE
      PID: 4400
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 416KB
MD5: a3880680f21ce2d3552dba6f7868385c
SHA1: 70ebb8ee630c0abe71acc1183288dfcc80c962ea
SHA256: 0bd9737d5d185bf0c211c90cf2c93160ecf5de91d8ee32097c21519b8a52e296
SHA512: 680fb46504532611ea0fd31729822b7ae906f5e65005e887ff70019de63bec1345b1dc99bc5a3a698a0c9e989758551839328170c877dc7af40d85c732dabe0c

Filesize: 168KB
MD5: 2d4a90923aef12b646f39f621dfc2ed0
SHA1: b5e7efce80b1d023f386ec4bb5db13e80168338f
SHA256: c7c380167153e25ae7b1ecb88c87b89898d51e7a9db5dc6e2d9a46399c600a48
SHA512: a9f779731397f5f3ac704999eb32e8989789e577d62a06ab125cb4d2a4e3444496be4ee9dcc3c6a71ebd6618fa04473d55d2c2250a98760ab35138b5beba2a7a