Overview

overview

10

Static

static

3

0c83d34866...44.exe

windows7-x64

10

0c83d34866...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 20:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c83d34866f2e054f9a3ea83a151c7690912c7f4c23456b19f823731e792e644.exe

  • Size

    479KB

  • MD5

    140b9e67950841c067eb2a8f8fe02202

  • SHA1

    cf178a7343d98a11fc295259e0425f94abe34623

  • SHA256

    0c83d34866f2e054f9a3ea83a151c7690912c7f4c23456b19f823731e792e644

  • SHA512

    264c8591aec72531d268463ccf353c9402cf019f32c8cdbdc39645be93f5ac948bfe9cde2f5ff08762479e69a0f707c85cb8571d02dd7a8e42659e931005525f

  • SSDEEP

    12288:nMr1y90pQ0iBaYdVuUi0jSz7krY3lfG793LkoNn:iy+xwVuDz3krYfo1Nn

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c83d34866f2e054f9a3ea83a151c7690912c7f4c23456b19f823731e792e644.exe
    "C:\Users\Admin\AppData\Local\Temp\0c83d34866f2e054f9a3ea83a151c7690912c7f4c23456b19f823731e792e644.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632185.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7246049.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7246049.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8064723.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8064723.exe
        3⤵
        • Executes dropped EXE
        PID:728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632185.exe
    Filesize

    307KB

    MD5

    4008520dcfd72d8702b37b1bb7b315e2

    SHA1

    678e58514f491ffdbfc19f05b40b9e37f0ccdb37

    SHA256

    4ce94f69982c5e74853264b37cb5fd8dd5be396b4d3d8cf83615328227a67abc

    SHA512

    bf3134116bf2c36a64f07f25a390cd8c2230b40620df829c0b5d7fa5b4ea56e9ee2f2234843dcd6f9bd4f1d6d5899b03ea919061db4094727de3f1a8cddeae72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2632185.exe
    Filesize

    307KB

    MD5

    4008520dcfd72d8702b37b1bb7b315e2

    SHA1

    678e58514f491ffdbfc19f05b40b9e37f0ccdb37

    SHA256

    4ce94f69982c5e74853264b37cb5fd8dd5be396b4d3d8cf83615328227a67abc

    SHA512

    bf3134116bf2c36a64f07f25a390cd8c2230b40620df829c0b5d7fa5b4ea56e9ee2f2234843dcd6f9bd4f1d6d5899b03ea919061db4094727de3f1a8cddeae72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7246049.exe
    Filesize

    175KB

    MD5

    9ea43a43f05412e93846db9dfce88ece

    SHA1

    c38ed27bedb056a3bff94c72d781c9ff73e5d0e2

    SHA256

    1bf268f59657e57973763ae7ef37b5ce310b808200782de92bf10933cb081f29

    SHA512

    4f821e5ee7bc92dbc7f9fd74dfcdab09905baaff561702cac134d091711beab78a2b741f865cdae157e546963a102b65b6528f2e4b62e7e5c95b9a2070fd329f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7246049.exe
    Filesize

    175KB

    MD5

    9ea43a43f05412e93846db9dfce88ece

    SHA1

    c38ed27bedb056a3bff94c72d781c9ff73e5d0e2

    SHA256

    1bf268f59657e57973763ae7ef37b5ce310b808200782de92bf10933cb081f29

    SHA512

    4f821e5ee7bc92dbc7f9fd74dfcdab09905baaff561702cac134d091711beab78a2b741f865cdae157e546963a102b65b6528f2e4b62e7e5c95b9a2070fd329f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8064723.exe
    Filesize

    136KB

    MD5

    b1bb33212306a82fed180c6e3ee9d6a3

    SHA1

    7ad6e0c0a37014754fab46ed8f82f43824913d3c

    SHA256

    d98b098c5bdcf8011bd44182d92249e6787fadc598216f96a8a0ad9cf84c81a9

    SHA512

    f1786fff7fe68948bed9f1735511517c935051cba5372b79694a12476dfa711de3a10b15ed1cc2eaf2a2b0bb2d76b407a9eeaf692e8e47ce95aaea4a574317e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8064723.exe
    Filesize

    136KB

    MD5

    b1bb33212306a82fed180c6e3ee9d6a3

    SHA1

    7ad6e0c0a37014754fab46ed8f82f43824913d3c

    SHA256

    d98b098c5bdcf8011bd44182d92249e6787fadc598216f96a8a0ad9cf84c81a9

    SHA512

    f1786fff7fe68948bed9f1735511517c935051cba5372b79694a12476dfa711de3a10b15ed1cc2eaf2a2b0bb2d76b407a9eeaf692e8e47ce95aaea4a574317e2

    Download Submit

  • memory/728-187-0x0000000007060000-0x000000000709C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/728-186-0x0000000007130000-0x000000000723A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/728-188-0x00000000070B0000-0x00000000070C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/728-185-0x0000000007000000-0x0000000007012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/728-184-0x00000000075E0000-0x0000000007BF8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/728-183-0x00000000002C0000-0x00000000002E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/728-189-0x00000000070B0000-0x00000000070C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2204-151-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-178-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-164-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-166-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-168-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-170-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-172-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-174-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-176-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-162-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-160-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-158-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-156-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-154-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-152-0x0000000004950000-0x0000000004962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2204-150-0x0000000004970000-0x0000000004980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2204-149-0x0000000004980000-0x0000000004F24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2204-148-0x0000000004970000-0x0000000004980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2204-147-0x0000000004970000-0x0000000004980000-memory.dmp

    Filesize

    64KB

    Download