Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: 6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
  Resource: win10v2004-20230220-en
General
Target: 6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
Size: 1.5MB
MD5: 294c68f78d021215839d4d47e1831417
SHA1: 524c82f41d84b902744af28b3838e841b5d9f47e
SHA256: 6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199
SHA512: 8921a6ea1d52678eef7a1a0c4cf98993a985986fd4bf4a68ee44e74066baf2cd3a3c5e7108525dad11aae4feed17a98575acbdc12d356a5594d54899317a5c6e
SSDEEP: 24576:EyY7GOUei+Rr2DEQL0UTNC4BlbU9V/Hf1yeqWw4OI+8C88AGjc:TpT4BYE6q9V/f1yeSbIR8f
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Resource                                                                   yara_rule
behavioral2/memory/1336-169-0x000000000AAA0000-0x000000000B0B8000-memory.dmp   redline_stealer
The match is in a memory dump of PID 1336 (a34985584.exe, the last stage of the chain), i.e. on the unpacked payload in memory, not on any file written to disk.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
PID    Process
584    i68450354.exe
2468   i04512922.exe
1364   i00774195.exe
1528   i64224404.exe
1336   a34985584.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe (PID 632)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
i68450354.exe (PID 584)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
i04512922.exe (PID 2468)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
i00774195.exe (PID 1364)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
i64224404.exe (PID 1528)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
Caveat: a RunOnce\wextract_cleanupN value that points rundll32.exe at advpack.dll,DelNodeRunDLL32 is the stock self clean-up entry written by the Windows WExtract (IExpress) self-extractor stub; it deletes the IXP00N.TMP extraction directory at the next logon and does not start the malware. What this signature actually records is five nested WExtract stages, each unpacking the next into IXP000.TMP through IXP004.TMP. No Run or RunOnce value written by the final payload a34985584.exe appears in the report.

Suspicious use of WriteProcessMemory (15 IoCs)
Source PID   Source process                                                          Target PID   Target process    Writes
632          6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe    584          i68450354.exe     3
584          i68450354.exe                                                           2468         i04512922.exe     3
2468         i04512922.exe                                                           1364         i00774195.exe     3
1364         i00774195.exe                                                           1528         i64224404.exe     3
1528         i64224404.exe                                                           1336         a34985584.exe     3
Every write goes from a parent into the child it has just spawned, matching the process tree one-to-one; no write targets an unrelated or pre-existing process. This is the pattern a parent produces when it creates a child and is not by itself evidence of process injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe (PID 632)
   command line: "C:\Users\Admin\AppData\Local\Temp\6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe (PID 584)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe (PID 2468)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe (PID 1364)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe (PID 1528)
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe (PID 1336)
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
                  - Executes dropped EXE
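The process tree and the "Adds Run key" / "Executes dropped EXE" signatures above describe one thing: a chain of WExtract self-extractor stages, each running the next from %TEMP%\IXP00N.TMP and scheduling a wextract_cleanupN RunOnce entry, ending in the payload a34985584.exe. The following is an added example, not code from the sandbox or from this report, that rebuilds that chain from process-creation and registry events and scores it, so the same logic can be run over an EDR or Sysmon export. The event records and their field names (pid, ppid, image, key, data) are our own construction from the PIDs, paths and RunOnce values printed in the report; the parent PID of the top-level sample is not in the report and is set to None.

```python
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# Image launched from %TEMP%\IXP<NNN>.TMP\, the directory a WExtract stub unpacks into.
IXP_IMAGE_RE = re.compile(r"\\Temp\\IXP(\d{3})\.TMP\\[^\\]+$", re.IGNORECASE)
# RunOnce\wextract_cleanupN pointing rundll32 at advpack.dll,DelNodeRunDLL32: WExtract's self clean-up.
CLEANUP_KEY_RE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


def _proc(pid, ppid, *parts):
    return {"pid": pid, "ppid": ppid, "image": ntpath.join(TEMP, *parts)}


def _cleanup(pid, n, tmpdir):
    cmd = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + ntpath.join(TEMP, tmpdir) + '\\"'
    return {"pid": pid, "key": RUNONCE + r"\wextract_cleanup" + str(n), "data": cmd}


# Constructed sample events, transcribed from the report's process tree and RunOnce values.
PROCESS_EVENTS = [
    _proc(632, None, SAMPLE),                          # parent PID not given in the report
    _proc(584, 632, "IXP000.TMP", "i68450354.exe"),
    _proc(2468, 584, "IXP001.TMP", "i04512922.exe"),
    _proc(1364, 2468, "IXP002.TMP", "i00774195.exe"),
    _proc(1528, 1364, "IXP003.TMP", "i64224404.exe"),
    _proc(1336, 1528, "IXP004.TMP", "a34985584.exe"),
]
REGISTRY_EVENTS = [
    _cleanup(632, 0, "IXP000.TMP"),
    _cleanup(584, 1, "IXP001.TMP"),
    _cleanup(2468, 2, "IXP002.TMP"),
    _cleanup(1364, 3, "IXP003.TMP"),
    _cleanup(1528, 4, "IXP004.TMP"),
]


def spawn_chains(process_events):
    """Every root-to-leaf path of the process tree, each as a list of events."""
    by_pid = {e["pid"]: e for e in process_events}
    children = defaultdict(list)
    for e in process_events:
        children[e["ppid"]].append(e)
    chains = []

    def walk(ev, path):
        path = path + [ev]
        if not children[ev["pid"]]:
            chains.append(path)
        for child in children[ev["pid"]]:
            walk(child, path)

    for root in [e for e in process_events if e["ppid"] not in by_pid]:
        walk(root, [])
    return chains


def ixp_stages(chain):
    """Count consecutive descendants running from IXP000.TMP, IXP001.TMP, ... in that order."""
    stages = 0
    for ev in chain[1:]:
        m = IXP_IMAGE_RE.search(ev["image"])
        if not m or int(m.group(1)) != stages:
            break
        stages += 1
    return stages


def wextract_cleanup_pids(registry_events):
    """PIDs that scheduled WExtract's clean-up of their extraction directory."""
    return {e["pid"] for e in registry_events
            if CLEANUP_KEY_RE.search(e["key"]) and DELNODE_RE.search(e["data"])}


def assess(process_events, registry_events, min_stages=3):
    """Summarise the deepest IXP chain. One stage is ordinary IExpress behaviour; many nested stages are not."""
    empty = {"stages": 0, "droppers": [], "payload": None, "payload_pid": None,
             "droppers_with_cleanup": 0, "suspicious": False}
    chains = spawn_chains(process_events)
    if not chains:
        return empty
    chain = max(chains, key=ixp_stages)
    stages = ixp_stages(chain)
    droppers = chain[:stages]                      # root plus each IXP stage that unpacked and ran the next
    payload = chain[stages] if stages else None    # last IXP stage: the one nothing else unpacks
    cleanup = wextract_cleanup_pids(registry_events)
    return {
        "stages": stages,
        "droppers": [ntpath.basename(e["image"]) for e in droppers],
        "payload": ntpath.basename(payload["image"]) if payload else None,
        "payload_pid": payload["pid"] if payload else None,
        "droppers_with_cleanup": sum(1 for e in droppers if e["pid"] in cleanup),
        "suspicious": stages >= min_stages,
    }


if __name__ == "__main__":
    print(assess(PROCESS_EVENTS, REGISTRY_EVENTS))
```

The threshold min_stages=3 is a deliberate choice: a single IXP000.TMP stage with one wextract_cleanup0 entry is what any legitimately IExpress-packaged installer produces, so alerting on the directory name alone is noisy, whereas a chain of WExtract stages each unpacking the next is the dropper pattern this report shows. The droppers_with_cleanup count is a consistency check: every stage that unpacked a child should also have scheduled its own clean-up, as all five do here.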
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
  Filesize: 1.3MB
  MD5: 60196df2a8e2b30c3884d88f409ffc5a
  SHA1: a9a5df703ce83a4d5b646d5dde4040770c2b0024
  SHA256: 21ca774c7887cb5849cd199eb4892d10f02b5e9c7d58f8c80850c7245607518f
  SHA512: e795bc71dc89253e92fe83445a209fea6afc2ef59c30ffb8ccb4a180c9ad5773c4a072bba7d1434f76eddf67eea281377b2a27827cc1fb7041a2fb462bcc1401
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
  Filesize: 1001KB
  MD5: 984f9303104dcb330f509888e57e824f
  SHA1: 1e3e30faa193d4cd39136cb9934b34f560bcd2ff
  SHA256: df745342821e09279ccd4047212e3fb1558bd0ea730256d8b7174d2af4d9e126
  SHA512: 32248aec404f9d1e23d8e5472f42d9b2e1fbc408ad2841db87f95e9effbdaa799b8fb1c3a901fc8b26770387739f9c0a79d95c99ac1bffa3faa01ad699dae8a8
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
  Filesize: 829KB
  MD5: 7130a31366ba78df04b87a2700fd57bb
  SHA1: 08bcebafa2204e4fc0de95b8458b4ede267af12a
  SHA256: 226a402a8587a4aaf0bdb024558ca95f22cb1a80f1ec68d1ff73941d577702a0
  SHA512: 30e16c5fc01b022858138a76792b6c8d12f34979591bb809908bcdb78477b72dde14ca2801a3632febae8e7a91f8da74f0fc777cb779a7034fd82490d1646f63
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
  Filesize: 364KB
  MD5: 57eb4b5f5dcb6485fb9dff901f1f1404
  SHA1: d1328434d74782ef4755b9f7c2646c28c4124956
  SHA256: 0382fc257049e74b8cf85e3d4001b4df2cdf4ae359c064f6a3dcc866a5205d8e
  SHA512: 5148c378b62cf6d8370423f41441b2409a0f14deba440809d0797754955b45b563eeff5d226ac43e006f31a4f863b77c694c9c3377da015b64b5dcfd2faf3a5b
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
  Filesize: 170KB
  MD5: b6a96f6ffeec0723101dcfa47ceb5463
  SHA1: e2b71f363ada04e2c4cd08d125ff749273707d4b
  SHA256: 6fc9f60c32437c6fe41bb417601d3730f42c214ba10e9e385da8b7775db1656e
  SHA512: 337619495ab491f17e0a54c4c6ff7f4c6110d0f59d2546f144e14512b8d68ff1fdf1a6ad2e0ed7dbaea44315114d9a40bfbd3ab6410c7ec8d13d66b45a4f599c
Memory dumps (all from PID 1336, a34985584.exe)
memory/1336-168-0x00000000006A0000-0x00000000006D0000-memory.dmp
  Filesize: 192KB
memory/1336-169-0x000000000AAA0000-0x000000000B0B8000-memory.dmp
  Filesize: 6.1MB
memory/1336-170-0x000000000A620000-0x000000000A72A000-memory.dmp
  Filesize: 1.0MB
memory/1336-171-0x000000000A550000-0x000000000A562000-memory.dmp
  Filesize: 72KB
memory/1336-172-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
  Filesize: 64KB
memory/1336-173-0x000000000A5B0000-0x000000000A5EC000-memory.dmp
  Filesize: 240KB
memory/1336-174-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
  Filesize: 64KB
Dump 169 (the 6.1MB region at 0x0AAA0000-0x0B0B8000) is the one matched by the redline_stealer YARA rule in the Signatures section; the 0x04FD0000-0x04FE0000 region was captured twice (dumps 172 and 174), so its two entries are separate snapshots rather than a duplicate listing.