Overview

overview

10

Static

static

3

9b7ba8dd01...66.exe

windows7-x64

10

9b7ba8dd01...66.exe

windows10-2004-x64

10

Resubmissions

29-10-2024 14:06

241029-regnlawcqp 10

29-10-2024 12:53

241029-p4zvcsvhqp 10

07-05-2023 04:57

230507-fldpqshh67 10

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2023 04:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe

  • Size

    746KB

  • MD5

    7c3dda2c9904ba420260b3489e2ef165

  • SHA1

    c5ce5096c8d8175ff522ee68d1a68b8cea926c2d

  • SHA256

    9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66

  • SHA512

    2f10af6e5d497478f47813322d039012467c43d4bba12fe30b5a42a472379c9daa62529c73657d77886c5b8fcaab9cae959e5264124cec750091b0d9a237febd

  • SSDEEP

    12288:Sy90N8arEZ38DLXqXNNsbiuQ4sbrXfUcXfSqXtXVtCX3b73xzR:Sy48arEJYLa9eenX8cXfVSb7/

Score
10/10
redlineevasioninfostealerpersistencestealertrojan

Malware Config

Signatures

  • Detects Redline Stealer samples 1 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
    "C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1084
          4⤵
          • Program crash
          PID:4972
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1836 -ip 1836
    1⤵
      PID:412

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
      Filesize

      591KB

      MD5

      f39e96db71b850be0e8113dff1c58e96

      SHA1

      23a5a923212d5dba4e79a32d29a53e981ab15b21

      SHA256

      512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

      SHA512

      2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
      Filesize

      591KB

      MD5

      f39e96db71b850be0e8113dff1c58e96

      SHA1

      23a5a923212d5dba4e79a32d29a53e981ab15b21

      SHA256

      512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

      SHA512

      2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
      Filesize

      376KB

      MD5

      bfe8737b256d0abd4bd9b86dd51cf2d2

      SHA1

      91906151c3d615497a2685a1c2dfb8398a7524cb

      SHA256

      3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

      SHA512

      b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
      Filesize

      376KB

      MD5

      bfe8737b256d0abd4bd9b86dd51cf2d2

      SHA1

      91906151c3d615497a2685a1c2dfb8398a7524cb

      SHA256

      3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

      SHA512

      b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
      Filesize

      459KB

      MD5

      d041b732253fef6c275a1f5c490447ed

      SHA1

      15caa238a29b75ea279ef08684558f89145741cf

      SHA256

      f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

      SHA512

      c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
      Filesize

      459KB

      MD5

      d041b732253fef6c275a1f5c490447ed

      SHA1

      15caa238a29b75ea279ef08684558f89145741cf

      SHA256

      f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

      SHA512

      c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

      Download Submit

    • memory/1072-220-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-224-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-998-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-997-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-196-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-995-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-993-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-992-0x0000000004F40000-0x0000000004F7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1072-991-0x0000000008030000-0x000000000813A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1072-990-0x0000000004F20000-0x0000000004F32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1072-989-0x0000000007A10000-0x0000000008028000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1072-559-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-560-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-557-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-555-0x00000000008F0000-0x0000000000936000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1072-222-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-218-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-198-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-214-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-212-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-210-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-208-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-194-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-206-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-204-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-193-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-202-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-996-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1072-216-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1072-200-0x0000000004E60000-0x0000000004E95000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1836-149-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-183-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-187-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1836-184-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-150-0x0000000004EF0000-0x0000000005494000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1836-182-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-181-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1836-170-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-160-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-148-0x00000000008F0000-0x000000000091D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1836-164-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-152-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1836-168-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-166-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-153-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-172-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-174-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-176-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-178-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-180-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-162-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-154-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-158-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-156-0x0000000002820000-0x0000000002832000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1836-151-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

      Filesize

      64KB

      Download