Analysis
-
max time kernel
147s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
06/05/2023, 21:02
Static task
static1
Behavioral task
behavioral1
Sample
270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe
Resource
win10v2004-20230220-en
General
-
Target
270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe
-
Size
612KB
-
MD5
9304e2435e2e65302adf82d2fd2542c8
-
SHA1
259862d477e94eccabbd2766fdf67c6511877787
-
SHA256
270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be
-
SHA512
cba7e6438faa439b03c9b6ac83bd736c8359e03fd0dfc50c3042a96c9e16bfc14d9d24f712da824ed778615485ad3d05594a6cd47b0ca8d07661ea5dcc7f7837
-
SSDEEP
12288:ey90bZLWyflpyE6P4Gbtf1lfnTWQLki6Wtxzwuv62x0oS38KHBQ:eyKLbtpyE6/fPTtkD+0uS2MhQ
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/3536-950-0x00000000078B0000-0x0000000007EC8000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 80648290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 80648290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 80648290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 80648290.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 80648290.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 80648290.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 3 IoCs
pid Process 1692 st672172.exe 1724 80648290.exe 3536 kp902492.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 80648290.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce st672172.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st672172.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1724 80648290.exe 1724 80648290.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1724 80648290.exe Token: SeDebugPrivilege 3536 kp902492.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 388 wrote to memory of 1692 388 270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe 82 PID 388 wrote to memory of 1692 388 270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe 82 PID 388 wrote to memory of 1692 388 270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe 82 PID 1692 wrote to memory of 1724 1692 st672172.exe 83 PID 1692 wrote to memory of 1724 1692 st672172.exe 83 PID 1692 wrote to memory of 3536 1692 st672172.exe 84 PID 1692 wrote to memory of 3536 1692 st672172.exe 84 PID 1692 wrote to memory of 3536 1692 st672172.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe"C:\Users\Admin\AppData\Local\Temp\270a27490464c7612d4599d8165047480b54640d22f846c775b1aaf8b1b4d7be.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st672172.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st672172.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80648290.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\80648290.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp902492.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp902492.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
458KB
MD5ce141d4b7883a20bf4613bae8cdf2586
SHA13ed623951e10f4cb4885978c15415f0fc0d5996f
SHA256d073379f5175cabe1245d72715a2d9d191792d8b253e5712b986918d4e3e968a
SHA5120b6bf142105d47cc71a0f0e35aa526cd61f681bc00b20376716980c147afafd4279d3a14fb7f5398f89bdaff961a2d698ba22c853efcc055087f6d2f2494b658
-
Filesize
458KB
MD5ce141d4b7883a20bf4613bae8cdf2586
SHA13ed623951e10f4cb4885978c15415f0fc0d5996f
SHA256d073379f5175cabe1245d72715a2d9d191792d8b253e5712b986918d4e3e968a
SHA5120b6bf142105d47cc71a0f0e35aa526cd61f681bc00b20376716980c147afafd4279d3a14fb7f5398f89bdaff961a2d698ba22c853efcc055087f6d2f2494b658
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
460KB
MD581feb04824185a4230b25976702f42ed
SHA17c94f5fb1ad39e05404c82177d806b3f3aceae70
SHA256d88abcd9b1e851a442963742663e6134dc151884797cf81635e6786c23a3ae2d
SHA5129f659f279abb369bffe289e758449a890135da973e25e00f4d8c738a3e75b9245cdb4f895842c84d5e9a7ba6a372ce26aa3bde91d1dab9234ff4982808600b22
-
Filesize
460KB
MD581feb04824185a4230b25976702f42ed
SHA17c94f5fb1ad39e05404c82177d806b3f3aceae70
SHA256d88abcd9b1e851a442963742663e6134dc151884797cf81635e6786c23a3ae2d
SHA5129f659f279abb369bffe289e758449a890135da973e25e00f4d8c738a3e75b9245cdb4f895842c84d5e9a7ba6a372ce26aa3bde91d1dab9234ff4982808600b22