Analysis
-
max time kernel
183s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06-05-2023 22:23
Static task
static1
Behavioral task
behavioral1
Sample
6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Resource
win10v2004-20230220-en
General
-
Target
6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
-
Size
599KB
-
MD5
f9c4f59cc3034acec0079ccc1f951de5
-
SHA1
307ded1af15fa207749141ac113e61cf54127867
-
SHA256
6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946
-
SHA512
7b872ef3ef9e77ec03f3badfc0ccda854985abf07aa50b1218f599426bd9502a468d78201b7a0fab5ecc211a09fd20da5d300720ad14c2445be0d4fd46466f52
-
SSDEEP
12288:RMrSy90XAKQcuXPSoX1IVSjo+PL2rdAoyTAFqyLVCaA:nybcuagas12rdAi4yJCaA
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource: behavioral2/memory/1204-148-0x0000000008000000-0x0000000008618000-memory.dmp
yara_rule: redline_stealer -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 2 IoCs
pid   Process
2804  y4153654.exe
1204  k3040335.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Process: 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe

description: Key created
ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Process: y4153654.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: y4153654.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description                          pid   Process                                                                            procid_target
PID 4768 wrote to memory of 2804     4768  6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe              81
PID 4768 wrote to memory of 2804     4768  6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe              81
PID 4768 wrote to memory of 2804     4768  6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe              81
PID 2804 wrote to memory of 1204     2804  y4153654.exe                                                                       82
PID 2804 wrote to memory of 1204     2804  y4153654.exe                                                                       82
PID 2804 wrote to memory of 1204     2804  y4153654.exe                                                                       82
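The two RunOnce values are not persistence for the payload: `wextract_cleanup0` and `wextract_cleanup1`, each invoking `advpack.dll,DelNodeRunDLL32` on an `IXP00n.TMP` directory, are the self-cleanup entries a Microsoft WExtract (IExpress-style) self-extracting executable writes for its own extraction directory, to be run at next logon. Each entry therefore points at the directory a dropped stage ran from, and the chain here is a self-extractor inside a self-extractor with the RedLine-flagged process (PID 1204, `k3040335.exe`) as the final stage. The following Python is an added example, not part of the sandbox report: it rebuilds the process chain from the WriteProcessMemory records, parses the RunOnce values, and maps each cleanup directory to the dropped executable that ran from it. The input records are copied from this page's IoC lines and embedded as constants; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed inputs: the WriteProcessMemory, RunOnce and process-tree
# records from this report, copied as the sandbox flattens them.
WRITE_RECORDS = """\
PID 4768 wrote to memory of 2804 4768 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe 81
PID 4768 wrote to memory of 2804 4768 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe 81
PID 4768 wrote to memory of 2804 4768 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe 81
PID 2804 wrote to memory of 1204 2804 y4153654.exe 82
PID 2804 wrote to memory of 1204 2804 y4153654.exe 82
PID 2804 wrote to memory of 1204 2804 y4153654.exe 82
"""

RUNONCE_RECORDS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y4153654.exe
"""

PROCESSES = {  # pid -> image path, from the report's process tree
    4768: r"C:\Users\Admin\AppData\Local\Temp\6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe",
    2804: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe",
    1204: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
RUNONCE_RE = re.compile(r'RunOnce\\(\S+) = "(.*)" (\S+)$', re.M)
DELNODE_RE = re.compile(r'DelNodeRunDLL32 "([^"]+)"')


def parse_write_records(text):
    """Build parent -> {children} from the WriteProcessMemory records.
    The sandbox logs one record per call, so the same edge repeats;
    a set collapses it to one parent/child relationship."""
    edges, images = defaultdict(set), {}
    for parent, child, image in WRITE_RE.findall(text):
        edges[int(parent)].add(int(child))
        images[int(parent)] = image
    return dict(edges), images


def process_tree(edges, root, depth=0):
    """Depth-first list of (depth, pid); a nested dropper is a straight line."""
    rows = [(depth, root)]
    for child in sorted(edges.get(root, ())):
        rows.extend(process_tree(edges, child, depth + 1))
    return rows


def parse_runonce(text):
    """Extract each RunOnce value, the process that set it, and the directory
    that advpack!DelNodeRunDLL32 will delete at next logon."""
    entries = []
    for name, raw_cmd, setter in RUNONCE_RE.findall(text):
        cmd = raw_cmd.replace('\\\\', '\\').replace('\\"', '"')  # undo report escaping
        m = DELNODE_RE.search(cmd)
        entries.append({"value": name, "set_by": setter, "command": cmd,
                        "deletes": m.group(1) if m else None})
    return entries


def correlate(entries, processes):
    """Map each cleanup entry to the pids whose image lives in the directory
    it deletes: those are the dropped stages to carve before cleanup runs."""
    result = {}
    for e in entries:
        target = (e["deletes"] or "").lower()
        result[e["value"]] = sorted(
            pid for pid, path in processes.items()
            if target and path.lower().startswith(target))
    return result


if __name__ == "__main__":
    edges, images = parse_write_records(WRITE_RECORDS)
    for depth, pid in process_tree(edges, 4768):
        print("  " * depth + f"{pid} {PROCESSES[pid]}")
    for name, pids in correlate(parse_runonce(RUNONCE_RECORDS), PROCESSES).items():
        print(f"{name}: deletes the directory of pid(s) {pids}")
```

Run stand-alone it prints the three-level chain 4768 -> 2804 -> 1204 and maps `wextract_cleanup0` to PID 2804 (`IXP000.TMP`) and `wextract_cleanup1` to PID 1204 (`IXP001.TMP`). On a live host the same correlation can be done against the RunOnce key and the process list; the point is that the cleanup entries tell you which temp directories to image before the next logon deletes them, and the innermost one holds the stage the YARA rule matched in memory.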
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 4768
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2804
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe
         - Executes dropped EXE
         PID: 1204
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 307KB
MD5: 0cf32d7bfdc4cd051602a48d4bc0afd2
SHA1: 1cc6dd89c0b437d5c15fcb014990ac53a2769b8f
SHA256: b73d144854f0a6c067c0fd5a7fdc8033feb42d9e65a874913a81aa6e61eb9808
SHA512: fe0782218800e83b1ac89aab8680de09e8be7e817abc4865b10c5001134675fb5c2d00abbf7e3e80500e205a5fe90789901c8c493ce85fae91e7333fc2b7438f
-
Filesize: 136KB
MD5: 3b1bbea931ba12fb6b21ba5ac2b3bb49
SHA1: b467c8c888978b515513df42e2c510df6c1dfc70
SHA256: 18a5a4abccb59f7209784d821509200eece702db17c448b23834de9d95d0938d
SHA512: 7ffb694a675c6975cbe1cdddd9fd005de62449ab5f032479610183e6fe3c22f4f74f7c21d6eb6cbc6e89069bf04906025d2b5b7e984769152d8b435811b9e358