Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2023 22:48

Static task: static1

Behavioral task: behavioral1
- Sample: 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe
- Resource: win10v2004-20230220-en
General
- Target: 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe
- Size: 1.2MB
- MD5: 021e6b3f607c727ba08ee988206c4567
- SHA1: 0bd4f98586dfb251d9744e49aa50110e626889b1
- SHA256: 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118
- SHA512: 447d3f72c12db4ec4c80526a8692e66c6e557eb24cbdae6595ce386b8c49c7733de1438ee5dcfcb638fab4e099024bcdab8b8ff97357585cf614323df5dc9bb3
- SSDEEP: 24576:Oyxu92jx9/Kcy3yOIEXuHFDTPrSkGXs77+Fu7BgF3MWIYwu5/xVF8UwyCQ:dw2WcI1zXOvEW7+U9gF3WYwu5KBy
Malware Config

Extracted
- Family: redline
- Botnet: gena
- C2: 185.161.248.73:4164
- auth_value: d05bf43eef533e262271449829751d07

Extracted
- Family: redline
- Botnet: life
- C2: 185.161.248.73:4164
- auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  Processes:
    resource: behavioral2/memory/4000-2337-0x00000000055B0000-0x0000000005BC8000-memory.dmp
    yara_rule: redline_stealer

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: s69671186.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
    process: s69671186.exe

- Executes dropped EXE (6 IoCs)
  Processes: z39739129.exe, z41836049.exe, z33335380.exe, s69671186.exe, 1.exe, t71629403.exe
    pid  | process
    4280 | z39739129.exe
    2704 | z41836049.exe
    4580 | z33335380.exe
    2580 | s69671186.exe
    2172 | 1.exe
    4000 | t71629403.exe

- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: z33335380.exe, 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe, z39739129.exe, z41836049.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z33335380.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z33335380.exe
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z39739129.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z39739129.exe
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z41836049.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z41836049.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: s69671186.exe
    description | pid | process
    Token: SeDebugPrivilege | 2580 | s69671186.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe, z39739129.exe, z41836049.exe, z33335380.exe, s69671186.exe
    description | pid | process | target process
    PID 1988 wrote to memory of 4280 | 1988 | 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe | z39739129.exe
    PID 1988 wrote to memory of 4280 | 1988 | 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe | z39739129.exe
    PID 1988 wrote to memory of 4280 | 1988 | 0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe | z39739129.exe
    PID 4280 wrote to memory of 2704 | 4280 | z39739129.exe | z41836049.exe
    PID 4280 wrote to memory of 2704 | 4280 | z39739129.exe | z41836049.exe
    PID 4280 wrote to memory of 2704 | 4280 | z39739129.exe | z41836049.exe
    PID 2704 wrote to memory of 4580 | 2704 | z41836049.exe | z33335380.exe
    PID 2704 wrote to memory of 4580 | 2704 | z41836049.exe | z33335380.exe
    PID 2704 wrote to memory of 4580 | 2704 | z41836049.exe | z33335380.exe
    PID 4580 wrote to memory of 2580 | 4580 | z33335380.exe | s69671186.exe
    PID 4580 wrote to memory of 2580 | 4580 | z33335380.exe | s69671186.exe
    PID 4580 wrote to memory of 2580 | 4580 | z33335380.exe | s69671186.exe
    PID 2580 wrote to memory of 2172 | 2580 | s69671186.exe | 1.exe
    PID 2580 wrote to memory of 2172 | 2580 | s69671186.exe | 1.exe
    PID 2580 wrote to memory of 2172 | 2580 | s69671186.exe | 1.exe
    PID 4580 wrote to memory of 4000 | 4580 | z33335380.exe | t71629403.exe
    PID 4580 wrote to memory of 4000 | 4580 | z33335380.exe | t71629403.exe
    PID 4580 wrote to memory of 4000 | 4580 | z33335380.exe | t71629403.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0872311eba59f44fe5232d52968dabc93992a79552c42ffc5c4e6336ed409118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z39739129.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z39739129.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z41836049.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z41836049.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z33335380.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z33335380.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69671186.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69671186.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - C:\Windows\Temp\1.exe (depth 6)
            Command line: "C:\Windows\Temp\1.exe"
            - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71629403.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71629403.exe
          - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z39739129.exe
  Filesize: 1.0MB
  MD5: efd9b1c7975bc7491ce75de32975d7ed
  SHA1: 8514288b134169f8ccbe8d6d39f577fb99da2be3
  SHA256: 32b8da0dddccf37a2360f859e4a8cdf3a5b9405412819fb6374c36a75b4dc35e
  SHA512: f1cd1c852c0d93b59a133b9a3b6efc5d46ab1a2a6d68244c3866a9d4bb83b4c19ac955ed825cca9c9b645389e6c5bce9f2c4ceeaadb1a5ccd29cd762bee4e421
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z41836049.exe
  Filesize: 764KB
  MD5: c4bd3c6b808b5dbfede5a0a9881878ab
  SHA1: 8e716c01ddb6f8ed17e21c0fe8db279cf9e0c66c
  SHA256: 684c6af080124e841b27b28dc2b6ed628fd1be63adf1a88b31054a33b2967743
  SHA512: 8b7f067fd09be91be3699f7c946595de848969a442ca33389224c6076aca4d42fb2a2e94e34cce7e9d43761c85dda259d75db9ac43c26769cb5c9176255696a0
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z33335380.exe
  Filesize: 581KB
  MD5: 509abe7f7d2a406e26f1b3a059a9153a
  SHA1: 624ed5e67367a8db5b6f01e6debe0da97fe08257
  SHA256: 88e93816db25b2c4955dc92f1528d6faf8c3d04a1d0c5dc68d27f3b04e43daa0
  SHA512: 691e8334256cf8b42fcedb2c360a795ae061e6ea820a068a9324cafb4f04a7f7205f08be4e50afd4f959f4a751871435baf1bfd95a9a7eac077ef107939b9623
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69671186.exe
  Filesize: 582KB
  MD5: 83324ec99eb7c6f0523fdf097a6e7ad7
  SHA1: f1d6feb3f220ec69a14b265da021d968a9083d61
  SHA256: 6af01d4be3b3270b3d11e175309288e7fbdb12db4fb2d8f1ef100cfd61a777d6
  SHA512: ffd513e1518df107b45f52769d6ef8c55c6c90742c57adfffb6207458e99785066f8bfd35094b8c258ecf71b86835ce2d8315b997a608f70476b0cf7cf20e7d4
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71629403.exe
  Filesize: 169KB
  MD5: 0f471d78632d22fa173eef2e9fc30770
  SHA1: 256db7496f80290c1fec79a04b7bc8896be08f21
  SHA256: f6cb2745d0321b6fac9a5c22b5b7968f81bd845db27c200d6573934d42de6ac1
  SHA512: 0f9315b331ba1d9317a18d28abf5f6d31966feac4101d5a493e670e4f73a2e856a97a38d48d999e8d7faccde4d1ab444e5cec203904d4c34e116045a43e8d8c5
- C:\Windows\Temp\1.exe
  Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf