Overview

overview

10

Static

static

3

5a02caf613...47.exe

windows7-x64

10

5a02caf613...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a02caf613425091ee8dd246ac8a48bfa306b6f2267a86348bd9136ec0dc2847.exe

  • Size

    376KB

  • MD5

    6d3e38c933013175e445af356a01016b

  • SHA1

    0bd85650846a2a2fc97a9cbb96c867d92010c7ae

  • SHA256

    5a02caf613425091ee8dd246ac8a48bfa306b6f2267a86348bd9136ec0dc2847

  • SHA512

    1e4e33c7a94f5c57b0908aa17906b58fef6100a65e60ce5efafa837dc779d4c782ad836fe5d709cda4d56c2ff1b64bed06a54fcaa67d8a01cdfaee9e333b23d6

  • SSDEEP

    6144:KEy+bnr+Kp0yN90QESlvHLLWbJoubXaVIyDtAPlYvRheAH8OnAZXwtpY:wMriy90kxHLS1lbXamyuCcGhtpY

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a02caf613425091ee8dd246ac8a48bfa306b6f2267a86348bd9136ec0dc2847.exe
    "C:\Users\Admin\AppData\Local\Temp\5a02caf613425091ee8dd246ac8a48bfa306b6f2267a86348bd9136ec0dc2847.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7290078.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7290078.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5853859.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5853859.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1093575.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1093575.exe
        3⤵
        • Executes dropped EXE
        PID:1492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7290078.exe
    Filesize

    204KB

    MD5

    79f0a310d35d4cf1b28c77c18bf7529f

    SHA1

    63ced638781cb8e9c039f85abe3692ac2ae1223b

    SHA256

    45cf27562aa96aa7bf6e028b1b70b4676128d351b1390e2acf4932d20ba7cfc1

    SHA512

    ffa449b9879ed102ab3453e30e8e583f2311198ee767965d4ea5d3ef3651fb31efa801280a60c897e8e6720f9c9ecc549ea3479636f9f7627d754a8458750dc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7290078.exe
    Filesize

    204KB

    MD5

    79f0a310d35d4cf1b28c77c18bf7529f

    SHA1

    63ced638781cb8e9c039f85abe3692ac2ae1223b

    SHA256

    45cf27562aa96aa7bf6e028b1b70b4676128d351b1390e2acf4932d20ba7cfc1

    SHA512

    ffa449b9879ed102ab3453e30e8e583f2311198ee767965d4ea5d3ef3651fb31efa801280a60c897e8e6720f9c9ecc549ea3479636f9f7627d754a8458750dc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5853859.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5853859.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1093575.exe
    Filesize

    136KB

    MD5

    30d0ee0947be55272def37f502e40d83

    SHA1

    67dec087565870ddbba362f33bc909491d56f0d7

    SHA256

    876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

    SHA512

    0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1093575.exe
    Filesize

    136KB

    MD5

    30d0ee0947be55272def37f502e40d83

    SHA1

    67dec087565870ddbba362f33bc909491d56f0d7

    SHA256

    876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

    SHA512

    0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

    Download Submit

  • memory/1492-152-0x0000000000950000-0x0000000000978000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1492-153-0x0000000007D80000-0x0000000008398000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1492-154-0x00000000077C0000-0x00000000077D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1492-155-0x00000000078F0000-0x00000000079FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1492-156-0x0000000007800000-0x0000000007810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1492-157-0x0000000007850000-0x000000000788C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1492-158-0x0000000007800000-0x0000000007810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3984-147-0x0000000000510000-0x000000000051A000-memory.dmp

    Filesize

    40KB

    Download