Overview

overview

10

Static

static

3

2ff0b84762...be.exe

windows7-x64

10

2ff0b84762...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 21:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2ff0b8476258c1254d2e258652dafdd5f9d90d227d4bed0dbf9928f732bafcbe.exe

  • Size

    618KB

  • MD5

    6033314b1eacc6b4edfbefb65cc04517

  • SHA1

    fb3fc1c8472b34e3ae2e2e14a6618ec10d422064

  • SHA256

    2ff0b8476258c1254d2e258652dafdd5f9d90d227d4bed0dbf9928f732bafcbe

  • SHA512

    b9ec3742bc2d1d0d6cb28e9cd3e1c05cb8ebb010bb189093db3acf23a4d8157d96580541a308d916b1701f616d951ae17177c3b1bc5d2ffee9e4e02fd8ca4ebc

  • SSDEEP

    12288:Iy90JVlRbbaGVfaIBMsWBeRVcsNPSJyG4gYNdWT/eLW:IyQRHzVCITKyGyTaiW

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ff0b8476258c1254d2e258652dafdd5f9d90d227d4bed0dbf9928f732bafcbe.exe
    "C:\Users\Admin\AppData\Local\Temp\2ff0b8476258c1254d2e258652dafdd5f9d90d227d4bed0dbf9928f732bafcbe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st546739.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st546739.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62947334.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62947334.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562181.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562181.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1464

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st546739.exe
          Filesize

          464KB

          MD5

          da98cc38843f85cdfaa6dbd6d33f51e4

          SHA1

          407a09e8624a16b98c8206e1763cb2175d389b8f

          SHA256

          cd9d2bf17dcaa374298db5c6af2de9c31893b344673730ce96dc44c8f30128d4

          SHA512

          e09c59c9143365ec2241761f6c1010eebdbe723166542bb7da7e3cf4aaf826eaae52daad48e9d9632de388a77171481ca6f4194890e557fd652caf0e6cf8f616

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st546739.exe
          Filesize

          464KB

          MD5

          da98cc38843f85cdfaa6dbd6d33f51e4

          SHA1

          407a09e8624a16b98c8206e1763cb2175d389b8f

          SHA256

          cd9d2bf17dcaa374298db5c6af2de9c31893b344673730ce96dc44c8f30128d4

          SHA512

          e09c59c9143365ec2241761f6c1010eebdbe723166542bb7da7e3cf4aaf826eaae52daad48e9d9632de388a77171481ca6f4194890e557fd652caf0e6cf8f616

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62947334.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62947334.exe
          Filesize

          11KB

          MD5

          7e93bacbbc33e6652e147e7fe07572a0

          SHA1

          421a7167da01c8da4dc4d5234ca3dd84e319e762

          SHA256

          850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

          SHA512

          250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562181.exe
          Filesize

          478KB

          MD5

          b71981f06a469847ea69243a7117a89c

          SHA1

          9bcf9787188d51d9934c8b44b37f5a4004b9cdcc

          SHA256

          37422c7b3290edd3bef332175e4374fffdc281ac3dac4f4a215dd8cca1c456be

          SHA512

          e1b9f156576d52c774de9c21ea9b43cb30174c7fd7c681a03ecd06b7d6ba36af7c6d78b48f037b48a586b58e28114e6fe43dd7f85b478265201d308af220df9e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp562181.exe
          Filesize

          478KB

          MD5

          b71981f06a469847ea69243a7117a89c

          SHA1

          9bcf9787188d51d9934c8b44b37f5a4004b9cdcc

          SHA256

          37422c7b3290edd3bef332175e4374fffdc281ac3dac4f4a215dd8cca1c456be

          SHA512

          e1b9f156576d52c774de9c21ea9b43cb30174c7fd7c681a03ecd06b7d6ba36af7c6d78b48f037b48a586b58e28114e6fe43dd7f85b478265201d308af220df9e

          Download Submit

        • memory/716-147-0x0000000000600000-0x000000000060A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1464-153-0x00000000009B0000-0x00000000009F6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1464-154-0x0000000002B90000-0x0000000002BA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1464-155-0x0000000002B90000-0x0000000002BA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1464-156-0x0000000004F10000-0x00000000054B4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1464-157-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-158-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-160-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-162-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-164-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-166-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-168-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-170-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-172-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-174-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-176-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-178-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-180-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-188-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-186-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-190-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-192-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-194-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-196-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-198-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-202-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-204-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-200-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-184-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-206-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-182-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-208-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-210-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-220-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-218-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-216-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-214-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-212-0x0000000002970000-0x00000000029A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1464-949-0x0000000007940000-0x0000000007F58000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1464-950-0x0000000007F70000-0x0000000007F82000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1464-951-0x0000000007F90000-0x000000000809A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1464-952-0x00000000080B0000-0x00000000080EC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1464-953-0x0000000002B90000-0x0000000002BA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1464-955-0x0000000002B90000-0x0000000002BA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1464-956-0x0000000002B90000-0x0000000002BA0000-memory.dmp

          Filesize

          64KB

          Download