Analysis
max time kernel: 180s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 21:19
Static task: static1

Behavioral task: behavioral1
  Sample: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
  Resource: win10v2004-20230220-en
General
Target: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
Size: 1.2MB
MD5: c3991ae252ccccd395df7aaa3a828f68
SHA1: 2fd77033b2343854de76d68914f4863d72da84df
SHA256: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91
SHA512: 4b4e770d4011cc981fc7e8665f727e48168b5abceba28bab7969cba33d576865b91deb5a9a035da8007caf9a1071bdbcefc8b74862cb795f6e80f98be060122a
SSDEEP: 24576:DymrUXL2hkC1LFyBTQeaVpgChcwGoNaSUHhf35H/pwgfALnx:Wm82hN1LYBTQ1biRogSULhwNL
Malware Config

Extracted: redline
  gena
  185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
  life
  185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
  resource: behavioral2/memory/4824-2334-0x00000000056D0000-0x0000000005CE8000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: s40728379.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
  process: s40728379.exe

Executes dropped EXE (6 IoCs)
Processes: z33597068.exe, z27334138.exe, z37619894.exe, s40728379.exe, 1.exe, t77026415.exe
  pid 636   z33597068.exe
  pid 4512  z27334138.exe
  pid 3548  z37619894.exe
  pid 2064  s40728379.exe
  pid 4824  1.exe
  pid 5044  t77026415.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: z27334138.exe, z37619894.exe, 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe, z33597068.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    process: z27334138.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""    process: z27334138.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    process: z37619894.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""    process: z37619894.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    process: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    process: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    process: z33597068.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    process: z33597068.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes: WerFault.exe
  pid 2532  pid_target 2064  process: WerFault.exe  target process: s40728379.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: s40728379.exe
  description: Token: SeDebugPrivilege  pid 2064  process: s40728379.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe, z33597068.exe, z27334138.exe, z37619894.exe, s40728379.exe
(each parent-to-child write below is reported three times in the raw listing, giving 18 IoCs)
  PID 1416 wrote to memory of 636   35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe -> z33597068.exe
  PID 636  wrote to memory of 4512  z33597068.exe -> z27334138.exe
  PID 4512 wrote to memory of 3548  z27334138.exe -> z37619894.exe
  PID 3548 wrote to memory of 2064  z37619894.exe -> s40728379.exe
  PID 2064 wrote to memory of 4824  s40728379.exe -> 1.exe
  PID 3548 wrote to memory of 5044  z37619894.exe -> t77026415.exe
Processes (indentation shows process tree depth; the bracketed number is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\35f2a91490a3e69881adc3817b30ec0058bb5ee66cc37451628a05d5169cdf91.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z33597068.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z33597068.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z27334138.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z27334138.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37619894.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37619894.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40728379.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40728379.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Temp\1.exe
              cmd: "C:\Windows\Temp\1.exe"
              - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1504
              - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77026415.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77026415.exe
            - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2064 -ip 2064
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z33597068.exe
  Filesize: 1.0MB
  MD5: 0fcee36c7eb310c57ef289b95b87092d
  SHA1: 10b220fe1b1703388a6255ffa141c16b7ab01894
  SHA256: f50fa5dbddfdbbcef210376cd6bdd1549b2b5a93ce1bc3d6ea9adb71fd6672cf
  SHA512: c7521067b49a423ff079f543069feb5d2eced54767529096a8b05c40a9a399fb1f5078bb8feeaef1913fca233702913d1637386e1a8a38db57b3825561272301

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z27334138.exe
  Filesize: 764KB
  MD5: 2698cbb5a9377365325e0da36773d5cd
  SHA1: 658854ceb78f914c212324780b2bc8d72a74ce26
  SHA256: 6bb8b0cff9d946cf545d1737f553944d69c7993b0ee33e5a961eb52e2a957669
  SHA512: b08883c851248c58d77560284cbf1d72406bd299b83742d3dc1d7188294e7e195dd8a7de09267dcca4fe1b16560dcfb430fa254bd93874920ec6f949b33d2c91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37619894.exe
  Filesize: 581KB
  MD5: d7b44cc3b16bb4edee0080a6d4f3a403
  SHA1: 4251997c832df4de33679a415937f89ba9737c8e
  SHA256: 74d1f7e3ccf61e5d4e873f97b2039b1533427fd07dcc3d0a0d811d2d86b455ce
  SHA512: d60c908fa29af8304c790e75851f149742502ad391d46742b7b04d7bef646e9c6573031d0ba3b0c90bd7cc49a3f99973dc514c4f9e2ad996387c60c165d15c29

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40728379.exe
  Filesize: 580KB
  MD5: eb8206a551c079289729f5dabe3f126a
  SHA1: 4c449077ddf42f1fec1aeab1462fe59771f70c39
  SHA256: c043d39bdcd1706aaab300f60171d0e3c9d5ffb1fd453e2563b1d44eb68a86ed
  SHA512: cbbddea5eaba44bcfaefdbacde795d4d34d9a8229f35a10fb34856ec7623f4074dedd248c3dcaa2f603e31fc09da7a11d1257744d342554aa448932a21876953

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77026415.exe
  Filesize: 169KB
  MD5: 5e91816d6975c3dff0cf0a1c59fab727
  SHA1: ece39f872bbbfe4f33726b89be38a0ba080d9993
  SHA256: 2518afe57786dfd43038d9bec2b5907e7e51f9270bd8341ad0d95f8828807275
  SHA512: cce0d69b559bcebcb5150cf182643028c657f8ffb977d4a42db11cd796c7db2b7eb24f4ab6a7868c7861c27604e6f89f8393d13b7fb7c7bcbf15b5b4260d90cb

C:\Windows\Temp\1.exe
  Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf