Analysis
- max time kernel: 261s
- max time network: 283s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2023 02:32

Static task: static1

Behavioral task: behavioral1
- Sample: 5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe
- Resource: win10v2004-20230221-en
General
- Target: 5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe
- Size: 1.5MB
- MD5: 0da28ecad645ea9080b3ede74fc5554a
- SHA1: 395d8f237f92f4e4e18990d58415d4560d1cd018
- SHA256: 5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162
- SHA512: f9447bcfa04b2935f86141509b07fe898d166a1a2ae1ff47db3f3aac686e23bf06489529c48e293df969a2eb72e3ec8d155b8ba4da75478c8c0141bf1c955c29
- SSDEEP: 24576:Oyg69qrO9hYZZeMtwVB8KgtHdIgfHcm/TqNfkOR5va/pO5lih:dg7iTmXwr87tHdvfH3bAMORipOz
Malware Config
Extracted
- Family: redline
- Botnet: most
- C2: 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
-
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Resource / YARA rule:
- behavioral2/memory/3468-169-0x000000000AA70000-0x000000000B088000-memory.dmp: redline_stealer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (5 IoCs)
PID / process:
- 4884 i10670569.exe
- 2724 i17111921.exe
- 1092 i70922345.exe
- 1696 i87507826.exe
- 3468 a14355044.exe
-
Adds Run key to start application (2 TTPs, 10 IoCs)
Description / IoC / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (i87507826.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (i17111921.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (i10670569.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (i17111921.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (i70922345.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (i70922345.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (i87507826.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (i10670569.exe)
-
Suspicious use of WriteProcessMemory (15 IoCs)
Description / PID / process / target process (each write below is recorded three times in the report):
- PID 2012 (5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe) wrote to memory of 4884 (i10670569.exe)
- PID 4884 (i10670569.exe) wrote to memory of 2724 (i17111921.exe)
- PID 2724 (i17111921.exe) wrote to memory of 1092 (i70922345.exe)
- PID 1092 (i70922345.exe) wrote to memory of 1696 (i87507826.exe)
- PID 1696 (i87507826.exe) wrote to memory of 3468 (a14355044.exe)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5e5c3d71262fc5994191464aa09a9a2b5cd3eb3eb87b27a7cad8fd605567f162.exe"
    PID: 2012
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10670569.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10670569.exe
      PID: 4884
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17111921.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17111921.exe
        PID: 2724
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i70922345.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i70922345.exe
          PID: 1092
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i87507826.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i87507826.exe
            PID: 1696
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14355044.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14355044.exe
              PID: 3468
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10670569.exe
Filesize: 1.3MB
MD5: 69a71baf226b2e443eb4911db83f9131
SHA1: 0f2ab813760cfafe1748bbab920252648b05c367
SHA256: 4fa26fe9daf01dc646cd4c39fd636082c4881871fc0df3005c7b9526233c4e29
SHA512: 04b37d4eb29d7b4bf768740e0279cb549f4e8ee85edd7fd44b0a7fc83af641c164663de13a09efc530d865c69c53eb8e307df16dc63a53544a6519285223b524
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17111921.exe
Filesize: 1013KB
MD5: 49d8ff6aa5e01a8ef23f93a5a87c772c
SHA1: 2332cf1431ae94ea3e7d9daa3447bf5f721e2e98
SHA256: edecf2134ae47dd0007cbef38f8d8fc9afce7732a2430005e21f59ff59ff3bda
SHA512: 887614792b96ae85153f919831372a9108ae6553a979137a597da6c49db9671c339bdbe0d73bc07ce590552a68aafe25cb98f05ae1ceb4c2f110d6af9bb70b01
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i70922345.exe
Filesize: 842KB
MD5: 01e4f82e1634bd01ab9af5b3aea706f8
SHA1: 43d185aebcf017eb11345419e8c283afea7ddad2
SHA256: c6650a0e7ef7e343965548f80db9c4082555591950f9a3d7c2936c2815e0f0c1
SHA512: a942b339bd3a7c96a85eca0d3f054574c46b198c32962e43b1b9738f4d9ec560d429ee2a480444d8b027fbd9544046153f46fd2c1eb906c2844b25f1e01c6698
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i87507826.exe
Filesize: 370KB
MD5: 18bfcc99133ace2ed51b9e0d9117c5a2
SHA1: c2ea6ff761c1750336df450e4546822ba7bea6e4
SHA256: 0ca985a2a1f14c010a785a187b1b7010e2e9d448a9c70077b1f47b02a9e95030
SHA512: 13ed761222d836d7b5ae83e671183c5b42bd95cca594ac608d4cac0f2914bdc9042cf33b38ac81cb9fa8ea17b2eb20b3981fdd446a0f019260bd4ea2234c50d2
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14355044.exe
Filesize: 169KB
MD5: 9e69bd80818bb1a2beb394bf64d03e0a
SHA1: 823c71c7123c582b08ca3da6abac7dbdf37d2e56
SHA256: c230333da7db922c8daff4c76bd0b6fd5b4499a03918d45ab446b3b674ea2eb8
SHA512: be7c705f40ff55526f33c7e0b6cd6cd060f6bbce1e1fba04282513d96a5036162024adc33c361898f2a53b0f41ecb7506c3f2624cf9ec52ce1a468cb8f7661c4
-
memory/3468-168-0x0000000000670000-0x00000000006A0000-memory.dmp
Filesize: 192KB
-
memory/3468-169-0x000000000AA70000-0x000000000B088000-memory.dmp
Filesize: 6.1MB
-
memory/3468-170-0x000000000A5F0000-0x000000000A6FA000-memory.dmp
Filesize: 1.0MB
-
memory/3468-171-0x000000000A520000-0x000000000A532000-memory.dmp
Filesize: 72KB
-
memory/3468-172-0x00000000050B0000-0x00000000050C0000-memory.dmp
Filesize: 64KB
-
memory/3468-173-0x000000000A580000-0x000000000A5BC000-memory.dmp
Filesize: 240KB
-
memory/3468-174-0x00000000050B0000-0x00000000050C0000-memory.dmp
Filesize: 64KB