Analysis

Max time kernel: 150s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-05-2023 20:40
Static task: static1

Behavioral task: behavioral1
  Sample: 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
  Resource: win10v2004-20230220-en
General

Target: 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
Size: 1.2MB
MD5: 89671b02829517398f50f298b77e7b48
SHA1: 9c3f944ce808bf259f204e1167f1fee549610318
SHA256: 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b
SHA512: c3eafd063914c773ac4920ead0cda82cff5f0d6404f619d03b2ac2031348ace96092f61834a717b6559f9f4699a235ec5393bf0709d4c0e49a629209dc916002
SSDEEP: 24576:3yNwwpFJfUY2rZjSPa6IAm72VVGQs6cBMDKrtzCFGD:CrJeMLId72Vq68oj
Malware Config

Extracted
  Family: redline
  Botnet: gena
  C2: 185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted
  Family: redline
  Botnet: life
  C2: 185.161.248.73:4164
  auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
  resource | yara_rule
  behavioral2/memory/408-2334-0x0000000005B60000-0x0000000006178000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: s94861212.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | s94861212.exe

Executes dropped EXE (6 IoCs)
Processes: z58596077.exe, z06047833.exe, z04042869.exe, s94861212.exe, 1.exe, t42810816.exe
  pid | process
  952 | z58596077.exe
  4692 | z06047833.exe
  4936 | z04042869.exe
  4216 | s94861212.exe
  408 | 1.exe
  4304 | t42810816.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: z58596077.exe, z06047833.exe, z04042869.exe, 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z58596077.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z06047833.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z06047833.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z04042869.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z04042869.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z58596077.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  1920 | 4216 | WerFault.exe | s94861212.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: s94861212.exe
  description | pid | process
  Token: SeDebugPrivilege | 4216 | s94861212.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe, z58596077.exe, z06047833.exe, z04042869.exe, s94861212.exe
  description | pid | process | target process
  PID 1100 wrote to memory of 952 | 1100 | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe | z58596077.exe
  PID 1100 wrote to memory of 952 | 1100 | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe | z58596077.exe
  PID 1100 wrote to memory of 952 | 1100 | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe | z58596077.exe
  PID 952 wrote to memory of 4692 | 952 | z58596077.exe | z06047833.exe
  PID 952 wrote to memory of 4692 | 952 | z58596077.exe | z06047833.exe
  PID 952 wrote to memory of 4692 | 952 | z58596077.exe | z06047833.exe
  PID 4692 wrote to memory of 4936 | 4692 | z06047833.exe | z04042869.exe
  PID 4692 wrote to memory of 4936 | 4692 | z06047833.exe | z04042869.exe
  PID 4692 wrote to memory of 4936 | 4692 | z06047833.exe | z04042869.exe
  PID 4936 wrote to memory of 4216 | 4936 | z04042869.exe | s94861212.exe
  PID 4936 wrote to memory of 4216 | 4936 | z04042869.exe | s94861212.exe
  PID 4936 wrote to memory of 4216 | 4936 | z04042869.exe | s94861212.exe
  PID 4216 wrote to memory of 408 | 4216 | s94861212.exe | 1.exe
  PID 4216 wrote to memory of 408 | 4216 | s94861212.exe | 1.exe
  PID 4216 wrote to memory of 408 | 4216 | s94861212.exe | 1.exe
  PID 4936 wrote to memory of 4304 | 4936 | z04042869.exe | t42810816.exe
  PID 4936 wrote to memory of 4304 | 4936 | z04042869.exe | t42810816.exe
  PID 4936 wrote to memory of 4304 | 4936 | z04042869.exe | t42810816.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
   Command: "C:\Users\Admin\AppData\Local\Temp\17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1100
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 952
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
         Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         PID: 4692
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
            Command: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 4936
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
               Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
               - Checks computer location settings
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               PID: 4216
               6. C:\Windows\Temp\1.exe
                  Command: "C:\Windows\Temp\1.exe"
                  - Executes dropped EXE
                  PID: 408
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1524
                  - Program crash
                  PID: 1920
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
               Command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
               - Executes dropped EXE
               PID: 4304

1. C:\Windows\SysWOW64\WerFault.exe
   Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4216 -ip 4216
   PID: 4688
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
MD5: fdc2c16a149afaffba006988a63c563f
SHA1: 9fedb234adc0935472d857ee43138798280d63ad
SHA256: ac0d547dfaed9d24da719123a5badbf8bf78476e9a6249e45ff7de8628750b05
SHA512: 08869912a6c6bea2b92f736876a394da86d3a9069983c32985a1094e121d5ed867e76d818e3d1d433a0a1f857b6c0587d8a6dbdcd8030b21f9247422958beffc

Filesize: 761KB
MD5: b1ae819d826d2f5954eaf1fe45225aec
SHA1: 8fad113f39aff864390b2dfb01f3cbde00dfc15c
SHA256: bbffc2df8b06c8fd8bb5e30d764580ca7ed8960453405f1074b6dd0e174f4c1d
SHA512: 3a5b66f76b35588d1a60302f519b0ba98c85cac726cac07064f49fe5b8850d3d7ad2095aef0c0d54d057dabc68fe6eeff0a20847405c1bf6d7d9c25095ba3010

Filesize: 578KB
MD5: 6e9a8169989824c860fa4df8aa781457
SHA1: 84d39238051f81c13989257515864d1b1fd4437e
SHA256: aacade2fd12c0f8492982bddbacb57ede2916c83f4b5564192ae4586fdde62c2
SHA512: 2ff51a0e36ad033c19691fed0494a2ea27042f593f14e88fb013225c5c53d3d0b8e811608534b6d7c852fbe7b1e7af2351af4425aa02670072da807a4f939394

Filesize: 502KB
MD5: 19a1e7ee7d198e28855d626680c91c7c
SHA1: 02e317d79376d732b0f0890f461337fb3e319bac
SHA256: 1a0ed2b29ca1e19b4b334f302913b58d59530bf7db48d468e3445055847e01cd
SHA512: 9a5fa1f2f56b42ed19d8189a05500c55249d74f3c5125f12d1371e2cf4b20ad97f774e668e97710827d693bb38ab7e3856a65db2e8c12b734780e11af50eeaf0

Filesize: 169KB
MD5: 85796814ac86b641872a2e5e84c967c1
SHA1: 591ee2aa4b40d9c021b2e4788470a778a1bcadec
SHA256: d48d3503e048d6725486cef2ecd1e39b37e84940ae47a0ca32ae426025894cab
SHA512: 244f2041d49a6456421432b9106c0dc4dcd237b28ff815aa3fd9d59c3f01e525cd7461a8371b31dde3f53fff95f6cdbd65a5e0605ef36f6150e2c4413b3a2024

Filesize: 168KB
MD5: f16fb63d4e551d3808e8f01f2671b57e
SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf