Overview

overview

10

Static

static

3

2f0184c101...99.exe

windows7-x64

10

2f0184c101...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f0184c1013972c162b90ea399d08c1908118e4a608e24100f48d721afb6d299.exe

  • Size

    491KB

  • MD5

    3c07d743f301e377087fc16a83ea5eca

  • SHA1

    84c157463b41d899b5d8c5915bba659f21085e8f

  • SHA256

    2f0184c1013972c162b90ea399d08c1908118e4a608e24100f48d721afb6d299

  • SHA512

    af55343775fd2c0a13d2cd5918a4b378f374bfbda462bb0884020ee77c88862dc9cb99cf2e2f86e3343230a876edf790cc56d8c967dea204ab01ce9332e39568

  • SSDEEP

    12288:rMr0y90nDTzWcLBu/QFJtpj7G0OszWen/cl4J:fyI7Wc4/8vtGnsKe/cCJ

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f0184c1013972c162b90ea399d08c1908118e4a608e24100f48d721afb6d299.exe
    "C:\Users\Admin\AppData\Local\Temp\2f0184c1013972c162b90ea399d08c1908118e4a608e24100f48d721afb6d299.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1498699.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1498699.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2156166.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2156166.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1647201.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1647201.exe
        3⤵
        • Executes dropped EXE
        PID:5088

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1498699.exe
    Filesize

    308KB

    MD5

    120cb6b63ec201c65eee6ae01bf2d334

    SHA1

    9d7e90edd100b0359a9ff738c3ba2c733aada844

    SHA256

    51b9f6f5428de7c6e039306882f04124b3aaf296f7d363aae7190b6d8315a3bb

    SHA512

    7a7cf5e43706016e478707dac236bf4ce84680ad1c4f1442fcd0268fa52cb540c4cca97623ede449c43b053c19b7a2d5be5da552f67d51c152d3c75c0247d4b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1498699.exe
    Filesize

    308KB

    MD5

    120cb6b63ec201c65eee6ae01bf2d334

    SHA1

    9d7e90edd100b0359a9ff738c3ba2c733aada844

    SHA256

    51b9f6f5428de7c6e039306882f04124b3aaf296f7d363aae7190b6d8315a3bb

    SHA512

    7a7cf5e43706016e478707dac236bf4ce84680ad1c4f1442fcd0268fa52cb540c4cca97623ede449c43b053c19b7a2d5be5da552f67d51c152d3c75c0247d4b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2156166.exe
    Filesize

    175KB

    MD5

    82c821cff366ee1bee7461002ddb2197

    SHA1

    34c4c194c10cf1f154eaf623d9bb0ae49bd1b0b0

    SHA256

    1b113e613e27e64b4ab614365041edfa0e74817c0956b8ba4ef68e5acfb1e90b

    SHA512

    85cf469db62a33c1b465f236420ca7d53b969b776d4642138227e130b6521c4ce34dd5e3b71c9d36966138e9d11aa704495e78be2c8dc57600ec9161b9e23de4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2156166.exe
    Filesize

    175KB

    MD5

    82c821cff366ee1bee7461002ddb2197

    SHA1

    34c4c194c10cf1f154eaf623d9bb0ae49bd1b0b0

    SHA256

    1b113e613e27e64b4ab614365041edfa0e74817c0956b8ba4ef68e5acfb1e90b

    SHA512

    85cf469db62a33c1b465f236420ca7d53b969b776d4642138227e130b6521c4ce34dd5e3b71c9d36966138e9d11aa704495e78be2c8dc57600ec9161b9e23de4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1647201.exe
    Filesize

    136KB

    MD5

    af1ea0c7b2734c4733e37525fb5cb8bc

    SHA1

    165de7c6fe1d81c4fb3c93df87b3e62818138386

    SHA256

    93e5fc64c47913925684084d1169663de896efa952816d9d736bee59bfffc4b4

    SHA512

    abaaf76ef4834237d685e4a6b555a28b9d57770072f528ee5f2e2493eefdeeeb587b4d860287d427fe072bcae78de0ab3b9b71f436338c5cd72ebdd93a7a3086

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1647201.exe
    Filesize

    136KB

    MD5

    af1ea0c7b2734c4733e37525fb5cb8bc

    SHA1

    165de7c6fe1d81c4fb3c93df87b3e62818138386

    SHA256

    93e5fc64c47913925684084d1169663de896efa952816d9d736bee59bfffc4b4

    SHA512

    abaaf76ef4834237d685e4a6b555a28b9d57770072f528ee5f2e2493eefdeeeb587b4d860287d427fe072bcae78de0ab3b9b71f436338c5cd72ebdd93a7a3086

    Download Submit

  • memory/2232-166-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-174-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-151-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-152-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-154-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-156-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-158-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-160-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-162-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-164-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-149-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-168-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-170-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-172-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-176-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-150-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-178-0x0000000004F10000-0x0000000004F22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2232-179-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-180-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-181-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-148-0x0000000004900000-0x0000000004910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-147-0x0000000004910000-0x0000000004EB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5088-186-0x0000000000180000-0x00000000001A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/5088-187-0x0000000007420000-0x0000000007A38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5088-188-0x0000000006EB0000-0x0000000006EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5088-189-0x0000000006FE0000-0x00000000070EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5088-190-0x0000000006F10000-0x0000000006F4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5088-191-0x0000000007280000-0x0000000007290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5088-192-0x0000000007280000-0x0000000007290000-memory.dmp

    Filesize

    64KB

    Download