Overview

overview

10

Static

static

3

075447ce64...82.exe

windows7-x64

10

075447ce64...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 22:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe

  • Size

    479KB

  • MD5

    5577147c5b1aa1dd66b5b84982cf3ac8

  • SHA1

    e4ab9506f13992d220905a63757b9e2c8b620cff

  • SHA256

    075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82

  • SHA512

    b1b9d057d9ea4a45fb7f27a6ac0a6450f9f4ddfbcfbeb47e4b46a8b4e81add0236b10f128af19d7b15094834eb959691dfc71a53e01f007c4ca4b85cd0a588ab

  • SSDEEP

    12288:GMrfy90tmBpUQZuTzDMoDYmO6aW81OGDXGmRvJURd0uO+i:ByxpZZuIIWTh1OUWrdli

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
    "C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
        3⤵
        • Executes dropped EXE
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
    Filesize

    307KB

    MD5

    d16fa6e85dfb4ae46405453c71b75694

    SHA1

    20b06617901676d15ff5a3bed81ee196ff82e166

    SHA256

    c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

    SHA512

    9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
    Filesize

    307KB

    MD5

    d16fa6e85dfb4ae46405453c71b75694

    SHA1

    20b06617901676d15ff5a3bed81ee196ff82e166

    SHA256

    c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

    SHA512

    9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    Filesize

    175KB

    MD5

    53103813f9b185c5775d4351c5c97e25

    SHA1

    9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

    SHA256

    2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

    SHA512

    d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    Filesize

    175KB

    MD5

    53103813f9b185c5775d4351c5c97e25

    SHA1

    9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

    SHA256

    2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

    SHA512

    d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    Filesize

    136KB

    MD5

    b1d06b88514d2e393201805baee9f188

    SHA1

    38147f086ba49868921d3f506cc3bae4e7b388f0

    SHA256

    c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

    SHA512

    b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    Filesize

    136KB

    MD5

    b1d06b88514d2e393201805baee9f188

    SHA1

    38147f086ba49868921d3f506cc3bae4e7b388f0

    SHA256

    c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

    SHA512

    b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

    Download Submit

  • memory/1608-190-0x0000000007180000-0x00000000071BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1608-187-0x00000000076B0000-0x0000000007CC8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1608-189-0x0000000007250000-0x000000000735A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1608-188-0x0000000007120000-0x0000000007132000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1608-191-0x0000000007530000-0x0000000007540000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1608-186-0x00000000003F0000-0x0000000000418000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1608-192-0x0000000007530000-0x0000000007540000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-165-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-180-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-169-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-157-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-173-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-171-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-175-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-176-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-177-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-178-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-181-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-167-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-179-0x00000000022A0000-0x00000000022B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2664-163-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-159-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-161-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-155-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-153-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-151-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-148-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-149-0x0000000002510000-0x0000000002522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2664-147-0x0000000004A10000-0x0000000004FB4000-memory.dmp

    Filesize

    5.6MB

    Download