Analysis
  max time kernel: 148s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-05-2023 22:41
Static task: static1

Behavioral task: behavioral1
  Sample: 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  Resource: win10v2004-20230220-en
General
  Target: 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  Size: 1.2MB
  MD5: f1ce68048ca3eb6db7c572e1cff99deb
  SHA1: b834f00374a965c18b32562bd1a48abc097ca606
  SHA256: 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8
  SHA512: 51202095441630c6c8ee6119804e14951ee87a233bd006b2480dd80f7d96293e4b3e2e91ba080d7294646ee5b83e65860e1942623e6a5bf75b7ac075145386c5
  SSDEEP: 24576:NyQAMgxtsHeAOXGIsXqrOs3HQJzKaAWUGRRyRgV5JDGIANc:oQ/ot2XO2TXX8QJzqWUil5JDGI
Malware Config

Extracted: redline
  botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
  botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/4320-2337-0x000000000AF20000-0x000000000B538000-memory.dmp | redline_stealer

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: s14342626.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | s14342626.exe

Executes dropped EXE (6 IoCs)
  Processes: z68398999.exe, z05062584.exe, z51704119.exe, s14342626.exe, 1.exe, t09613204.exe
  pid | process
  372 | z68398999.exe
  2128 | z05062584.exe
  1740 | z51704119.exe
  1992 | s14342626.exe
  4320 | 1.exe
  4944 | t09613204.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: z05062584.exe, z51704119.exe, 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe, z68398999.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z05062584.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z51704119.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z51704119.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z68398999.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z68398999.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z05062584.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: s14342626.exe
  description | pid | process
  Token: SeDebugPrivilege | 1992 | s14342626.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe, z68398999.exe, z05062584.exe, z51704119.exe, s14342626.exe
  description | pid | process | target process
  PID 4640 wrote to memory of 372 | 4640 | 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe | z68398999.exe
  PID 4640 wrote to memory of 372 | 4640 | 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe | z68398999.exe
  PID 4640 wrote to memory of 372 | 4640 | 05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe | z68398999.exe
  PID 372 wrote to memory of 2128 | 372 | z68398999.exe | z05062584.exe
  PID 372 wrote to memory of 2128 | 372 | z68398999.exe | z05062584.exe
  PID 372 wrote to memory of 2128 | 372 | z68398999.exe | z05062584.exe
  PID 2128 wrote to memory of 1740 | 2128 | z05062584.exe | z51704119.exe
  PID 2128 wrote to memory of 1740 | 2128 | z05062584.exe | z51704119.exe
  PID 2128 wrote to memory of 1740 | 2128 | z05062584.exe | z51704119.exe
  PID 1740 wrote to memory of 1992 | 1740 | z51704119.exe | s14342626.exe
  PID 1740 wrote to memory of 1992 | 1740 | z51704119.exe | s14342626.exe
  PID 1740 wrote to memory of 1992 | 1740 | z51704119.exe | s14342626.exe
  PID 1992 wrote to memory of 4320 | 1992 | s14342626.exe | 1.exe
  PID 1992 wrote to memory of 4320 | 1992 | s14342626.exe | 1.exe
  PID 1992 wrote to memory of 4320 | 1992 | s14342626.exe | 1.exe
  PID 1740 wrote to memory of 4944 | 1740 | z51704119.exe | t09613204.exe
  PID 1740 wrote to memory of 4944 | 1740 | z51704119.exe | t09613204.exe
  PID 1740 wrote to memory of 4944 | 1740 | z51704119.exe | t09613204.exe
Processes

C:\Users\Admin\AppData\Local\Temp\05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05c6d58e57ca0c03f52bc53a24359a6ed653be12e1477d083c842bb60fd7dcd8.exe"
  PID: 4640
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z68398999.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z68398999.exe
    PID: 372
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z05062584.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z05062584.exe
      PID: 2128
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z51704119.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z51704119.exe
        PID: 1740
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s14342626.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s14342626.exe
          PID: 1992
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\Temp\1.exe
            command line: "C:\Windows\Temp\1.exe"
            PID: 4320
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t09613204.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t09613204.exe
          PID: 4944
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
  MD5: 82cf535953d37308b564fac38989748d
  SHA1: 6ee8d4fbe68c7e1bd3d3c4279933e4da09e5b806
  SHA256: 76c6ade0c5b7e74cf50a8997d253ae0e4e913543b103cd9c94b4d84d328c15df
  SHA512: ec0a71bcb79c885a56e293a391d127ef10506e09e04416879cb127301bfb0ef06204abd613c603cf84540e93d2a8420761240892bbc0acea96f547679fd93132
Filesize: 764KB
  MD5: 80cb17aee4360ab91b51bdc670810e2e
  SHA1: 80695f176819f129e9298d350b8df2bc3ffa5659
  SHA256: 2aba067152837731e48bce809015962774ed129c84a87cf4b01b1807d0798890
  SHA512: 5511dc0bbd2eb260c3edeef4b3f1c0f56c542274ccdac4882382b10daf2be0032f099bfda51938670a0bb78d73bd0a534126361f3c321768f824fffff175a59a
Filesize: 582KB
  MD5: d7158851b9e1900fec2af64a98e087b8
  SHA1: 80425c700ed3a5268ae5e334d955a74cbd5f41cf
  SHA256: 9ea4e14db96d63b426f6fbd99f6dc66e67df761a616507e935930d0b14032a6e
  SHA512: 6ab3bf4bca05bed75ece5a7864aafcfc67cff25295eac328a080e67bebb8bfa2358a1f96b4ed20a3ecdbdf6c7b57b3f6110489d1ce7f39dd1d7aee3b79e1200f
Filesize: 582KB
  MD5: d60649ee0d6de2bbafe4a69110225aa3
  SHA1: 45f5b83081621b4fa1140070b8d06fbea38ec1d2
  SHA256: be6eebf3c44a077b4c6114009e41e4094bdc6e8c512984833e6476c7ebdcfc81
  SHA512: 78413881e48f7fb17b6df9f4c339a1fe92a8c9cb0bcd5df38a60780d5cbd0f7d6af37daa23dc359f1d7027f8faccd0fa31e962fec22bcb250c1efba82672e7a7
Filesize: 169KB
  MD5: e13ebd7cd905fb692310eebe2edd2404
  SHA1: 5a066658781ab8584ae805ccea27646afc91aa48
  SHA256: 47d04c1a981fc6a9799811b4eba93ecab4df931ac6d674e7749970d231704653
  SHA512: b394da4721ce82267ee45e3aaf37abdc09fe19b3fb184705f283229ac035faa77da64ae1214354d4042ef117c646243a693ba0c801241102c65e4fc2f9b1bd7f
Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf