Analysis

max time kernel: 139s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 00:49

Static task: static1

Behavioral task: behavioral1
Sample: 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Resource: win10v2004-20230220-en
General

Target: 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Size: 1.2MB
MD5: fb003ac2830aedc93b133f3ae48b930a
SHA1: fd7ee217ba9ab7a477fef95eb8c45376660b23ad
SHA256: 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c
SHA512: e8b4619ee009fe173b17adb20b0629939677fc4aba18b7486167e4594e07da28a92a541a6dc1699f762289bfdf0d94ac3e447713f9975497a49346de6559c41c
SSDEEP: 24576:MyxyI5FUYqGm1LL4ohTS3DHNg9O3XKrGA3YxaKZCPeOVmECGjL:7B5FU+6fHhTcDHmQ3XtAIx62EN
Malware Config

Extracted
Family: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted
Family: redline
Botnet: life
C2: 185.161.248.73:4164
auth_value: 8685d11953530b68ad5ec703809d9f91
Signatures

Detects Redline Stealer samples (1 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
  resource | yara_rule
  behavioral2/memory/3444-2331-0x000000000A9D0000-0x000000000AFE8000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: s09707141.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | s09707141.exe

Executes dropped EXE (6 IoCs)
Processes: z40566039.exe, z49116799.exe, z85267264.exe, s09707141.exe, 1.exe, t34519220.exe
  pid | process
  4972 | z40566039.exe
  1936 | z49116799.exe
  2140 | z85267264.exe
  4900 | s09707141.exe
  3444 | 1.exe
  2656 | t34519220.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: z49116799.exe, z85267264.exe, 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe, z40566039.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z49116799.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z49116799.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z85267264.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z85267264.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z40566039.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z40566039.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
  pid | pid_target | process | target process
  820 | 4900 | WerFault.exe | s09707141.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: s09707141.exe
  description | pid | process
  Token: SeDebugPrivilege | 4900 | s09707141.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe, z40566039.exe, z49116799.exe, z85267264.exe, s09707141.exe
  description | pid | process | target process
  PID 660 wrote to memory of 4972 | 660 | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe | z40566039.exe
  PID 660 wrote to memory of 4972 | 660 | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe | z40566039.exe
  PID 660 wrote to memory of 4972 | 660 | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe | z40566039.exe
  PID 4972 wrote to memory of 1936 | 4972 | z40566039.exe | z49116799.exe
  PID 4972 wrote to memory of 1936 | 4972 | z40566039.exe | z49116799.exe
  PID 4972 wrote to memory of 1936 | 4972 | z40566039.exe | z49116799.exe
  PID 1936 wrote to memory of 2140 | 1936 | z49116799.exe | z85267264.exe
  PID 1936 wrote to memory of 2140 | 1936 | z49116799.exe | z85267264.exe
  PID 1936 wrote to memory of 2140 | 1936 | z49116799.exe | z85267264.exe
  PID 2140 wrote to memory of 4900 | 2140 | z85267264.exe | s09707141.exe
  PID 2140 wrote to memory of 4900 | 2140 | z85267264.exe | s09707141.exe
  PID 2140 wrote to memory of 4900 | 2140 | z85267264.exe | s09707141.exe
  PID 4900 wrote to memory of 3444 | 4900 | s09707141.exe | 1.exe
  PID 4900 wrote to memory of 3444 | 4900 | s09707141.exe | 1.exe
  PID 4900 wrote to memory of 3444 | 4900 | s09707141.exe | 1.exe
  PID 2140 wrote to memory of 2656 | 2140 | z85267264.exe | t34519220.exe
  PID 2140 wrote to memory of 2656 | 2140 | z85267264.exe | t34519220.exe
  PID 2140 wrote to memory of 2656 | 2140 | z85267264.exe | t34519220.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe (PID 660)
   Command line: "C:\Users\Admin\AppData\Local\Temp\31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe (PID 4972)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe (PID 1936)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe (PID 2140)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe (PID 4900)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe
               - Checks computer location settings
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Temp\1.exe (PID 3444)
                  Command line: "C:\Windows\Temp\1.exe"
                  - Executes dropped EXE

               6. C:\Windows\SysWOW64\WerFault.exe (PID 820)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1384
                  - Program crash

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe (PID 2656)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe
               - Executes dropped EXE

1. C:\Windows\SysWOW64\WerFault.exe (PID 3456)
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900
Network
MITRE ATT&CK Enterprise v6
Downloads