Overview

overview

10

Static

static

3

54c625cb5c...6d.exe

windows7-x64

10

54c625cb5c...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54c625cb5cf2f413567f44dd52422943dfa393a4382968db8ad6b3a1b10a196d.exe

  • Size

    611KB

  • MD5

    23b1984db98a385a8c939eac3dcd4263

  • SHA1

    e8959f2ea8e53906570342ba32dfd44bb341adaf

  • SHA256

    54c625cb5cf2f413567f44dd52422943dfa393a4382968db8ad6b3a1b10a196d

  • SHA512

    c78373737b148b249c19d8efd4d9c82a5e854939f37b3a7291851853bd0a56fb9a57b01c2342bc703df43c316a770bfe7c4b468a02ad1d446c44fc7c3ded60fa

  • SSDEEP

    12288:7y90UhD9XfR5E4YuEDFj22qXfS/NhUJCB7a074U:7yBd9vR5QuEDFj22qXfeB7/4U

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54c625cb5cf2f413567f44dd52422943dfa393a4382968db8ad6b3a1b10a196d.exe
    "C:\Users\Admin\AppData\Local\Temp\54c625cb5cf2f413567f44dd52422943dfa393a4382968db8ad6b3a1b10a196d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st060246.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st060246.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93203102.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93203102.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp164366.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp164366.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3924

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st060246.exe
    Filesize

    457KB

    MD5

    96babf04f3e88aaab55891abc607e0f2

    SHA1

    25ed740b7fb4a7726d4d1d81bf577cc02a5636f9

    SHA256

    4dc89d502d6a9021d8f8eb29317d49d7b787527bec1299a558f9448f9644b2d2

    SHA512

    9e423938163946865c40549735464dae869d59d73beb4739bd931b749888b54dfe7fac717a38b54a27cf2d9b178a28e237c333d46f42940b347b4972191f9a97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st060246.exe
    Filesize

    457KB

    MD5

    96babf04f3e88aaab55891abc607e0f2

    SHA1

    25ed740b7fb4a7726d4d1d81bf577cc02a5636f9

    SHA256

    4dc89d502d6a9021d8f8eb29317d49d7b787527bec1299a558f9448f9644b2d2

    SHA512

    9e423938163946865c40549735464dae869d59d73beb4739bd931b749888b54dfe7fac717a38b54a27cf2d9b178a28e237c333d46f42940b347b4972191f9a97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93203102.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\93203102.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp164366.exe
    Filesize

    459KB

    MD5

    d934c1e545fb82aabadc3f0f1eddf935

    SHA1

    be11adf7acaeef31f800c61a9366c96c4afba871

    SHA256

    555394b9ed4bbedfac775b121dcb8222a8956fefe484646f0914107af25adbef

    SHA512

    84cf744db80f2a2f73ef322dbc682be8da37fddeecf6d2f7a7bc97348af807529ff6c6e41d59c898d815811bb728c595880cda87c529cf07528c96f3ab769fe9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp164366.exe
    Filesize

    459KB

    MD5

    d934c1e545fb82aabadc3f0f1eddf935

    SHA1

    be11adf7acaeef31f800c61a9366c96c4afba871

    SHA256

    555394b9ed4bbedfac775b121dcb8222a8956fefe484646f0914107af25adbef

    SHA512

    84cf744db80f2a2f73ef322dbc682be8da37fddeecf6d2f7a7bc97348af807529ff6c6e41d59c898d815811bb728c595880cda87c529cf07528c96f3ab769fe9

    Download Submit

  • memory/1508-147-0x0000000000460000-0x000000000046A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3924-153-0x0000000000820000-0x0000000000866000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3924-154-0x0000000004DE0000-0x0000000005384000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3924-155-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-158-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-156-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-160-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-162-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-164-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-166-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-170-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-168-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-172-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-174-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-176-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-180-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-178-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-182-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-184-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-186-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-189-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-188-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-191-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-193-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-192-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-195-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-197-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-199-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-201-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-203-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-205-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-207-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-209-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-211-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-213-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-215-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-217-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-221-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-219-0x00000000053D0000-0x0000000005405000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3924-950-0x00000000078D0000-0x0000000007EE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3924-951-0x0000000007F70000-0x0000000007F82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3924-952-0x0000000007F90000-0x000000000809A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3924-953-0x00000000080B0000-0x00000000080EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3924-954-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-956-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-957-0x0000000002490000-0x00000000024A0000-memory.dmp

    Filesize

    64KB

    Download