Analysis
max time kernel: 188s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 22:42

Static task: static1

Behavioral task: behavioral1
  Sample: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
  Resource: win10v2004-20230220-en
General
Target: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
Size: 1.2MB
MD5: f77bbb65f98793e1797f8cd0c39162c4
SHA1: 76083a41520e62ce852f25194310b43d9d26b8cd
SHA256: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8
SHA512: 70f3d803b73ffdd1c9d2001f02155fbd28a99e53d8211637e386df3320425a60ca6b698aa305beafdf0737d2fd0ab2245607e0c17a60d58d1c7c9be3fed69c2c
SSDEEP: 24576:xyankK4lvenj2GiODrsMK3mg5d651Flu3lHxs3dzuqT/zPY3JIxQ/:kanL0U2asVmg5k51FY3lRs3dhT/zPoJV
Malware Config

Extracted
  Family: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted
  Family: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4548-2334-0x0000000005B10000-0x0000000006128000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation (process: s32275988.exe)

Executes dropped EXE (6 IoCs)
  pid 3752: z75520223.exe
  pid 348:  z91892254.exe
  pid 3552: z88896073.exe
  pid 3780: s32275988.exe
  pid 4548: 1.exe
  pid 4688: t94383935.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: z91892254.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: z88896073.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: z88896073.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: z75520223.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: z75520223.exe)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: z91892254.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid 4480 (WerFault.exe), pid_target 3780 (s32275988.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3780 (s32275988.exe)

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 4572 wrote to memory of 3752: 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe -> z75520223.exe (3 entries)
  PID 3752 wrote to memory of 348: z75520223.exe -> z91892254.exe (3 entries)
  PID 348 wrote to memory of 3552: z91892254.exe -> z88896073.exe (3 entries)
  PID 3552 wrote to memory of 3780: z88896073.exe -> s32275988.exe (3 entries)
  PID 3780 wrote to memory of 4548: s32275988.exe -> 1.exe (3 entries)
  PID 3552 wrote to memory of 4688: z88896073.exe -> t94383935.exe (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4572

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3752

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 348

            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                PID: 3552

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 3780

                    [6] C:\Windows\Temp\1.exe
                        command line: "C:\Windows\Temp\1.exe"
                        - Executes dropped EXE
                        PID: 4548

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1384
                        - Program crash
                        PID: 4480

                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
                    - Executes dropped EXE
                    PID: 4688

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3780 -ip 3780
    PID: 2796
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
MD5: 7c2237b7dc2edd2c83ccb460fcdf1029
SHA1: e0c655b351a21bbb0014af78dda642c7483c777d
SHA256: 9ec496e78753178f7ed3d90ed8c9015aa4ade9a963a4d2bce87deb193123b870
SHA512: ddc3e0935464fabb0ca051dafa1e7688a55cdfca1095dc9e25621f45d24149a9b30a0c8cbcbf1e8a41d430353247e8b58ea219328dbc47a2e78d34db5d9251bb

Filesize: 752KB
MD5: 2f5a598d58bdc534a0d8d4d41e24e8a8
SHA1: d498c6fd0aa452e0e15d9d06ffd3736f59cc4a7c
SHA256: bab4cc57fed41510411e250571ee348e637972b56d9f0e80dc05130ccc4c4628
SHA512: d69144be86753459e8b1ab352342b4a50ba8df15a5a96f64bdcf13b03e780bea4364767def31c0f0ec1d673e95cf7b14b1b6a3367d56ebf4e3b72a7b4b35be97

Filesize: 569KB
MD5: e0c80d034a0dbcefcd9180caa881b7cf
SHA1: e9c7a36868953014934740e18c7ea155abb9d3d9
SHA256: 95c57f12a160ac69e7f1cc5d1ac66a70e4bbefbcde2b993e9c7abaf60f27fa4f
SHA512: 4f3106f4120b21a95b25d5b82b3f72627a781fee7b2fecacaf545539933ea9bd3e1723ad0bece16356ce89d23c9efed73e9799436db6f5b677aaa1fb36384415

Filesize: 488KB
MD5: c63d3d3168ba70048bc51bc8cbf846ec
SHA1: 53331c05bf21a0ef8a7b4576dc63c01f67792423
SHA256: b928ec6791cfa418273a90413a50c155a0e1a548fc6516bf32c3a841d0941cbf
SHA512: 44263ec3f44dbe825539a4874bc654b8e4e20ea754abd12653bfad607ce0b8c67a385dec1603269a891d15b2a15d50e46bde4472da7f18195e752e9d16244376

Filesize: 170KB
MD5: 85eaa54245206d5dea98b091718fb77c
SHA1: f40e782c8fc6bfcea6fa896b9159700649a7d6f3
SHA256: ec4a6a5e92cadeb8fe5351258f8fa3ed21df392e71d9058915f31a9c95734a97
SHA512: 354e82b89d516bf34f192d77035e6a0f572497b5461f795609840b31a1bdecbeea93e73d4fcf13d3808253fd280b381cba789f8072eddba29a73ab9509fd4f5a

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf