Analysis

max time kernel: 186s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 20:38

Static task: static1

Behavioral task: behavioral1
  Sample: 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
  Resource: win10v2004-20230220-en
General

Target: 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Size: 1.5MB
MD5: 00ae6dead07ceb07981ee20cc8bed234
SHA1: 4a004656df37e8f856664596717e961ab5c134be
SHA256: 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c
SHA512: cae633f7503bc632a64c4a7fa72fa2aa3ea30211e23bd0902b702b2abf227824b8d3c39e3e52d4d02ff2f165eeab2cb65ae43e1054b078fe7d971cfae9ca46ca
SSDEEP: 24576:My93nDmFoGY8b4IeqvZhxOnR/AlaNE3IUeSXm8n+Oiom9yoR+SUQP7:79wVY8bteEOn19NANeKjKom9y0+fE
Malware Config

Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource: behavioral2/memory/4680-169-0x000000000B340000-0x000000000B958000-memory.dmp
yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid   Process
2596  i06589386.exe
1144  i47189873.exe
4912  i81716811.exe
2188  i17581754.exe
4680  a55865678.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i06589386.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i47189873.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i81716811.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i81716811.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i17581754.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i06589386.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i47189873.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i17581754.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Each write below was logged three times, giving 15 IoCs in total.
description | pid | Process | procid_target | times logged
PID 3440 wrote to memory of 2596 | 3440 | 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe | 83 | 3
PID 2596 wrote to memory of 1144 | 2596 | i06589386.exe | 84 | 3
PID 1144 wrote to memory of 4912 | 1144 | i47189873.exe | 85 | 3
PID 4912 wrote to memory of 2188 | 4912 | i81716811.exe | 86 | 3
PID 2188 wrote to memory of 4680 | 2188 | i17581754.exe | 87 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3440

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 2596

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1144

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 4912

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 2188

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe (depth 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe
            - Executes dropped EXE
            PID: 4680
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.3MB
MD5: 315d955d17708d4897c038827b6111d7
SHA1: e8c73232dd39b475fb4e24a6e61ccf01a430c61e
SHA256: 1e08b7d3cb760841eb626d24d38558eebf367813a0c08701001d3344aca39a0f
SHA512: 0767a02f3943a169b79f18d289ae22e54913cbefa72df6c077c38ace7c74e10f64f99c1880c86dce95b534f71f90ab9d52813d035b1ce1c31e9cd311851df707

Filesize: 1023KB
MD5: f7c98d4cf54eef3f5fd3fa5317082788
SHA1: a044d3447aa1c54c33b20bf22c33ecd279f82593
SHA256: d107c02636602f1e8d8e6fd1929156f2ec0f3b24a6430e41776d753787f8b14b
SHA512: d4911133a18aad2e1b55bc040274f9a974684abab0183eb13d25981c8c5ea1f12447dbe53ded93b1824ff6e9fd35bdb3671a166b3115ca79d854c1c7f9d38b77

Filesize: 852KB
MD5: 220c63931af67fd6a2585bfd4662c3c5
SHA1: 11684de4b2454d24fa7c7bb1a28b6a7b502bc4cf
SHA256: 2ca7858590a723c763dbdfc6216911b815bec0a6f87067bbb72e749a65c10dcd
SHA512: 9242d7b30eaaa63d5698c611fb3d63b55274494116e748a83dc1031265ef6d94359bb05a53aa1204975b3d6108a3e48c0ee556ff518e157b05e2921b7466098d

Filesize: 375KB
MD5: 44360cfbb346e5ad17b58c3bf4c0440e
SHA1: 0e4134f73776b3fbf84f46f240f5ff111b3e9cce
SHA256: e8746187fd2922fb35a06b8ddd6e26dacdf3483cedd043147cedb98ab4189e8e
SHA512: 0b79a26f31beadfecba0bacea4363b015a4535228fecad7db1a80fb25532bab31ceaf09fb51aae4555907b0822ba1ed00a7f482cd07a7960cf8399cd89b1b65c

Filesize: 169KB
MD5: 5cdd55d16bf31601244c756ec5463e6b
SHA1: 1862568ef8a0b281f14fb5f5457eade8c8888222
SHA256: 11f631599345230f387df3b006d521c8875e699e224fcbcdaeaeb0bdcc72c06e
SHA512: d0c7f18fe52ee2b90198134e8e93635ea9d6280e4da3d28d94775647fa6a56d595693ee1499684963f0429ab3e7bbcd7855efb68014dbbb58795902bf47068f4