Overview

overview

10

Static

static

3

2224d6cbc1...5f.exe

windows7-x64

10

2224d6cbc1...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2224d6cbc1233e0be24153d7b212d81ebdf3eee819a9ea8e09d602e09a260d5f.exe

  • Size

    480KB

  • MD5

    519301c745b78a9b27c3620839c4dc25

  • SHA1

    54d1688440863627f00cf2b8d620068af8ff6bb5

  • SHA256

    2224d6cbc1233e0be24153d7b212d81ebdf3eee819a9ea8e09d602e09a260d5f

  • SHA512

    1154cda79c5301e45ece1f0d05ae7ff4f0e59635dd9583e109e1e44f3217d7c7c82aa07c069d5b9d69a34e752a87e49c203d85fd33d534931aabbffb9bc514a6

  • SSDEEP

    12288:eMruy90k4sAbC+WwRzoNPrXYDSOqTd1e7BryIx:EyzECSRmDXYDIqd

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2224d6cbc1233e0be24153d7b212d81ebdf3eee819a9ea8e09d602e09a260d5f.exe
    "C:\Users\Admin\AppData\Local\Temp\2224d6cbc1233e0be24153d7b212d81ebdf3eee819a9ea8e09d602e09a260d5f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0607496.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0607496.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2248148.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2248148.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6672654.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6672654.exe
        3⤵
        • Executes dropped EXE
        PID:2904

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0607496.exe
    Filesize

    308KB

    MD5

    f1b1006f1e04a34e7e510ad6b6441c21

    SHA1

    c2f6118bfc5e7c823459bcdc31c82e7d14a70705

    SHA256

    bb1be270c22eba30602226986794ab110169566be7b269a43532e83a1a02f9e3

    SHA512

    59cd45474957ab9a27a5b3e250b839fb42f51f74758a721980448d026428efc7a4c63a3d0cb4e4b42871576a3769efdc2e8bb7432e9e46d2e552f1f7a0487622

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0607496.exe
    Filesize

    308KB

    MD5

    f1b1006f1e04a34e7e510ad6b6441c21

    SHA1

    c2f6118bfc5e7c823459bcdc31c82e7d14a70705

    SHA256

    bb1be270c22eba30602226986794ab110169566be7b269a43532e83a1a02f9e3

    SHA512

    59cd45474957ab9a27a5b3e250b839fb42f51f74758a721980448d026428efc7a4c63a3d0cb4e4b42871576a3769efdc2e8bb7432e9e46d2e552f1f7a0487622

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2248148.exe
    Filesize

    175KB

    MD5

    1dbc3d6a2ef324246e320b33123836a7

    SHA1

    287c814ce172fc1a68eb32e180d6ff0c89f0177d

    SHA256

    8679d35e35d01f95411418601f142fda63495b8cbe166ddccaa93d8d35720982

    SHA512

    3a2a446df0196fbd1a26fe95aba6e5a6c02c214656ec808bf5f458fe30f7e30d0c81c25dae0a242d9c688ce5f07aa0c584d7e56af8b366fef9671b6eeee7dcbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2248148.exe
    Filesize

    175KB

    MD5

    1dbc3d6a2ef324246e320b33123836a7

    SHA1

    287c814ce172fc1a68eb32e180d6ff0c89f0177d

    SHA256

    8679d35e35d01f95411418601f142fda63495b8cbe166ddccaa93d8d35720982

    SHA512

    3a2a446df0196fbd1a26fe95aba6e5a6c02c214656ec808bf5f458fe30f7e30d0c81c25dae0a242d9c688ce5f07aa0c584d7e56af8b366fef9671b6eeee7dcbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6672654.exe
    Filesize

    136KB

    MD5

    4d3d7ecfecb99f35ea7f03bfeae9f012

    SHA1

    2a72d5acc5c959f39e51a853b1e7963783029050

    SHA256

    d1b390062d5418aa0afcd8fe161a66e3cca12d8417f52e02b7b6ee4ef819b1de

    SHA512

    fdbb96196e72f004f76983a00ec37a4d76902a7d30bcc7b2f8b60791c82d674506e0ded63da1ee09295b68a1fb29947e38a876bfc4d1554a8b4acbd7f4c8f148

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6672654.exe
    Filesize

    136KB

    MD5

    4d3d7ecfecb99f35ea7f03bfeae9f012

    SHA1

    2a72d5acc5c959f39e51a853b1e7963783029050

    SHA256

    d1b390062d5418aa0afcd8fe161a66e3cca12d8417f52e02b7b6ee4ef819b1de

    SHA512

    fdbb96196e72f004f76983a00ec37a4d76902a7d30bcc7b2f8b60791c82d674506e0ded63da1ee09295b68a1fb29947e38a876bfc4d1554a8b4acbd7f4c8f148

    Download Submit

  • memory/2904-190-0x00000000071E0000-0x00000000071F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2904-189-0x0000000006F90000-0x000000000709A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2904-188-0x0000000006E60000-0x0000000006E72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2904-187-0x00000000073D0000-0x00000000079E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2904-186-0x0000000000150000-0x0000000000178000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2904-191-0x0000000006EC0000-0x0000000006EFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2904-192-0x00000000071E0000-0x00000000071F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-166-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-180-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-164-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-160-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-168-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-170-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-172-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-174-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-176-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-178-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-179-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-162-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-181-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-158-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-156-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-154-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-152-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-151-0x0000000005050000-0x0000000005062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-150-0x0000000004A60000-0x0000000005004000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3240-149-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-148-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-147-0x0000000004A50000-0x0000000004A60000-memory.dmp

    Filesize

    64KB

    Download