Analysis
max time kernel: 239s
max time network: 285s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 00:12
Static task: static1
Behavioral task: behavioral1
  Sample: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe
  Resource: win10v2004-20230221-en
General
Target: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe
Size: 1.2MB
MD5: 351002a5356c211ca349803469cc2db8
SHA1: 899a4c25e103929bc6dc52d52bc846f7a67d274d
SHA256: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91
SHA512: 93ee76197a20f6299cbd3bf83c5997b67c31b306d0f79f0fa151b58229716200ccae4608bf0277c1fc8d75f621295ebd26c4b314121d98aa9c58210c84d2ab18
SSDEEP: 24576:zyuagOOsMp/6wtYdzFxYVegJkKgjJd0/aQRQynCORwZC4fanb4TY13GQ8:GHgOQRY7SDkZjb0/aQRQy5IakTcR
Malware Config
Extracted
Family: redline
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Signatures

Detects Redline Stealer samples (1 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
  resource | yara_rule
  behavioral2/memory/3352-2343-0x0000000005250000-0x0000000005868000-memory.dmp | redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: s60287253.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | s60287253.exe

Executes dropped EXE (5 IoCs)
Processes: z93885290.exe, z60111306.exe, z05876546.exe, s60287253.exe, 1.exe
  pid | process
  2828 | z93885290.exe
  1700 | z60111306.exe
  2520 | z05876546.exe
  3736 | s60287253.exe
  3352 | 1.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe, z93885290.exe, z60111306.exe, z05876546.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z93885290.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z93885290.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z60111306.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z60111306.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z05876546.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z05876546.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
  pid | pid_target | process | target process
  4884 | 3736 | WerFault.exe | s60287253.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: s60287253.exe
  description | pid | process
  Token: SeDebugPrivilege | 3736 | s60287253.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe, z93885290.exe, z60111306.exe, z05876546.exe, s60287253.exe
  description | pid | process | target process
  PID 3184 wrote to memory of 2828 | 3184 | 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe | z93885290.exe
  PID 3184 wrote to memory of 2828 | 3184 | 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe | z93885290.exe
  PID 3184 wrote to memory of 2828 | 3184 | 228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe | z93885290.exe
  PID 2828 wrote to memory of 1700 | 2828 | z93885290.exe | z60111306.exe
  PID 2828 wrote to memory of 1700 | 2828 | z93885290.exe | z60111306.exe
  PID 2828 wrote to memory of 1700 | 2828 | z93885290.exe | z60111306.exe
  PID 1700 wrote to memory of 2520 | 1700 | z60111306.exe | z05876546.exe
  PID 1700 wrote to memory of 2520 | 1700 | z60111306.exe | z05876546.exe
  PID 1700 wrote to memory of 2520 | 1700 | z60111306.exe | z05876546.exe
  PID 2520 wrote to memory of 3736 | 2520 | z05876546.exe | s60287253.exe
  PID 2520 wrote to memory of 3736 | 2520 | z05876546.exe | s60287253.exe
  PID 2520 wrote to memory of 3736 | 2520 | z05876546.exe | s60287253.exe
  PID 3736 wrote to memory of 3352 | 3736 | s60287253.exe | 1.exe
  PID 3736 wrote to memory of 3352 | 3736 | s60287253.exe | 1.exe
  PID 3736 wrote to memory of 3352 | 3736 | s60287253.exe | 1.exe
Processes

C:\Users\Admin\AppData\Local\Temp\228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\228a1ee38972aa00bb341be7e40b285ed7e9023fbeb8837412c3339c2e16df91.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3184
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z93885290.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z93885290.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2828
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60111306.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60111306.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 1700
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05876546.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05876546.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              PID: 2520
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s60287253.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s60287253.exe
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 3736
                    C:\Windows\Temp\1.exe
                      Command line: "C:\Windows\Temp\1.exe"
                      - Executes dropped EXE
                      PID: 3352
                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1332
                      - Program crash
                      PID: 4884

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3736 -ip 3736
  PID: 1068
Network
MITRE ATT&CK Enterprise v6
Downloads