Overview

overview

10

Static

static

3

1abcef69b3...d4.exe

windows7-x64

10

1abcef69b3...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe

  • Size

    766KB

  • MD5

    6fbb2e12ddec8b4a865a8404bf98c69c

  • SHA1

    8fa8dfebc50df0f6431a973695e882e8745c6186

  • SHA256

    1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4

  • SHA512

    a5f67603a83a269b91560c9baa34ecf5ef14dc19f780ca46056263e06fbb7c7b9ca02ef0fe736450b267c311249ae4ea57321283dbe10c1a828aad36a97791d2

  • SSDEEP

    12288:lMrcy90OtFEH422ARICDXyvYMDrYke9MCWzrEVNs1mHo0+9KMKzYSvHw:Ry7tg3IGXQYyYCPErs1mHoWnQ

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1abcef69b34388c12a3ad59d193e5d17b6c3ed94cd4491affc5986272324b9d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
          4⤵
          • Executes dropped EXE
          PID:1444

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
    Filesize

    376KB

    MD5

    bb6c79c6e676ee45e56944fd91a7abf4

    SHA1

    df41f28990dad82d28a15c0a94b21302afdbc916

    SHA256

    2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

    SHA512

    d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2268163.exe
    Filesize

    376KB

    MD5

    bb6c79c6e676ee45e56944fd91a7abf4

    SHA1

    df41f28990dad82d28a15c0a94b21302afdbc916

    SHA256

    2a99a46e6fd41e4418afc66f9138e9fdec10133cc237fa54697f7d0c95f89ac0

    SHA512

    d4b4e621d2f021b524c60100e0aa051c01fdad92a097059fa26443b1b248b95b48ae52f0dae8f09db514c573c3c257dbf730e74c81644c6cb2faec791b92ea12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
    Filesize

    204KB

    MD5

    fd5e3bbc3b0bebd190db9b28f7daf991

    SHA1

    0a473b6c4cf1757ddee9ff73c16283fc37075cfa

    SHA256

    dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

    SHA512

    135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9629166.exe
    Filesize

    204KB

    MD5

    fd5e3bbc3b0bebd190db9b28f7daf991

    SHA1

    0a473b6c4cf1757ddee9ff73c16283fc37075cfa

    SHA256

    dd03e44a5bc269e9e2e789fc57e444aec6d0b9108d31d63ee513dc04e68e6b7a

    SHA512

    135a76dc0d9938747379b0c0ae310dbb857aa28409e0255204a9950c28030de0225e046fc901a0c36600cd59a67d22ce645c0a187d33a33bb4e9a0b1c1566105

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9494448.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
    Filesize

    136KB

    MD5

    30d0ee0947be55272def37f502e40d83

    SHA1

    67dec087565870ddbba362f33bc909491d56f0d7

    SHA256

    876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

    SHA512

    0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6092337.exe
    Filesize

    136KB

    MD5

    30d0ee0947be55272def37f502e40d83

    SHA1

    67dec087565870ddbba362f33bc909491d56f0d7

    SHA256

    876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

    SHA512

    0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

    Download Submit

  • memory/1444-159-0x0000000000990000-0x00000000009B8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1444-160-0x0000000007C30000-0x0000000008248000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1444-161-0x00000000076C0000-0x00000000076D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1444-162-0x00000000077F0000-0x00000000078FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1444-163-0x0000000007720000-0x000000000775C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1444-164-0x00000000077D0000-0x00000000077E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1444-165-0x00000000077D0000-0x00000000077E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4428-154-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

    Filesize

    40KB

    Download