Analysis

max time kernel: 201s
max time network: 227s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 23:57

Static task: static1

Behavioral task: behavioral1
  Sample: 1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe
  Resource: win10v2004-20230220-en
General

Target: 1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe
Size: 1.2MB
MD5: 15502e935321906eb2a416943cbad8d7
SHA1: 5162480c8d16d1b270ac94b9e50cb18a80932ef0
SHA256: 1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265
SHA512: c908bcb22d2646f30d6db2a82d13b6a39ccc1feae29945401db3e898060d4ad3386167ca4bcbbf04390bf94e90c349dc986acec486d20f5f31544b020abd3fdb
SSDEEP: 24576:XypxXSAF4UOhYYHKT/8/gmtW3oHn550eke9y7dOmdbQvLoxoJTd3ii:iDSMihYcKT/84mtgoH5tkSy0md5+JTdy
Malware Config

Extracted
  Family: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted
  Family: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource: behavioral2/memory/4364-2339-0x0000000005D00000-0x0000000006318000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  [s03226909.exe] Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (6 IoCs)
  pid   process
  2332  z64971320.exe
  3952  z46301186.exe
  2416  z01083958.exe
  4544  s03226909.exe
  4364  1.exe
  4252  t15900642.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
  [1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe] Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  [1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  [z64971320.exe] Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  [z64971320.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  [z46301186.exe] Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  [z46301186.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  [z01083958.exe] Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  [z01083958.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   process       pid_target  target process
  2556  WerFault.exe  4544        s03226909.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  [s03226909.exe, pid 4544] Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (18 IoCs)
  PID 4392 (1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe) wrote to memory of 2332 (z64971320.exe)
  PID 4392 (1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe) wrote to memory of 2332 (z64971320.exe)
  PID 4392 (1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe) wrote to memory of 2332 (z64971320.exe)
  PID 2332 (z64971320.exe) wrote to memory of 3952 (z46301186.exe)
  PID 2332 (z64971320.exe) wrote to memory of 3952 (z46301186.exe)
  PID 2332 (z64971320.exe) wrote to memory of 3952 (z46301186.exe)
  PID 3952 (z46301186.exe) wrote to memory of 2416 (z01083958.exe)
  PID 3952 (z46301186.exe) wrote to memory of 2416 (z01083958.exe)
  PID 3952 (z46301186.exe) wrote to memory of 2416 (z01083958.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4544 (s03226909.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4544 (s03226909.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4544 (s03226909.exe)
  PID 4544 (s03226909.exe) wrote to memory of 4364 (1.exe)
  PID 4544 (s03226909.exe) wrote to memory of 4364 (1.exe)
  PID 4544 (s03226909.exe) wrote to memory of 4364 (1.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4252 (t15900642.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4252 (t15900642.exe)
  PID 2416 (z01083958.exe) wrote to memory of 4252 (t15900642.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f76c49b8f6cb9fc7625659012061fe90b46c242936adf39fae3e77ec0f39265.exe"
  PID: 4392
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64971320.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64971320.exe
    PID: 2332
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46301186.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46301186.exe
      PID: 3952
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z01083958.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z01083958.exe
        PID: 2416
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s03226909.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s03226909.exe
          PID: 4544
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Temp\1.exe
            Command line: "C:\Windows\Temp\1.exe"
            PID: 4364
            - Executes dropped EXE
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1544
            PID: 2556
            - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t15900642.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t15900642.exe
          PID: 4252
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4544 -ip 4544
  PID: 5036
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64971320.exe
  Filesize: 1.0MB
  MD5: 9a5644fa5cbaf4e1d48419ebcb90f683
  SHA1: dd7dcf691fcc3139f5fc4fb97a70532a0185afb2
  SHA256: 122990f27d8798c366efc86642ad32321ca2409be3ce8f463e5b2f8c635a5c5a
  SHA512: 950092bc995bc8adc3e8899b2cb4a40f851e7643e5a0771581d229fd811f9d191c6de4a2b3ac0a32db8dc9abd657c6f51bdd84ebce2b14873a45899d54a3a39f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46301186.exe
  Filesize: 760KB
  MD5: 526936faea0aa672386e6b8d69cab40b
  SHA1: c3e269403b2dbddac106004b3be26091f898ba43
  SHA256: 4db5552c2205439d4796b90ca48d2d0b00334a6af5f4f00068615dd1c7d4b9a1
  SHA512: 3ab26799983fa5487adcb25771364172126e2126a19e18b68e1ae9256919b8ca5e49ef9f2746da6da488600ddcf766f7c4244fe9ba20619cb71ab40597563e3c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z01083958.exe
  Filesize: 578KB
  MD5: b9645d853b17bbdedab3b84d23de13e5
  SHA1: 4ade005fe766f7671c0948a93cda1a55e196c6cd
  SHA256: b92364cf3c97b2f5507d2819057b0f709995097c467c40db1a374d6d1dcdb6f2
  SHA512: 49a330fe28d3c49c6f7f2723c8a2aba900439ae0759bdfd2ad21d0d8ce9d4df9709aeb2a7be53561e7152a433da746c1b184d013e191a02d1e02cf0cb0d9e7b4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s03226909.exe
  Filesize: 575KB
  MD5: 00e276368abe8ab10878271467b91af3
  SHA1: 7390f16aa575b4da773e33bec1d7652dec36474f
  SHA256: df5a2a15c9de7f9500e0873a9b3511c88707656efb67a29165b14e91b534b1fd
  SHA512: c6fdef66cb9502e5cffd9a67128c4eef142b56caae2f7217a4c088bc6d100bc45aef9d8d30093ba314285283280ccd0dea4cb2eeceb8cda9d9332d5b83a881e3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t15900642.exe
  Filesize: 169KB
  MD5: d0b9aea8971b2ded818e2be2f859f733
  SHA1: 16588b076d916545c4e0c6bd7d08242b2cd6155f
  SHA256: 42faa2f42851505068159ec08f185dbf40914fc30eb49562d0e764d386234ac3
  SHA512: e41c8bf4a85b24ded97416ccbc6c14542ed8263fe3cffbe0b48e04c7444c447e24063f14c047cdc8d9a1eb1108301b8e83d06916418dab1bf7b291e753cd7508

C:\Windows\Temp\1.exe
  Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
