Analysis
- max time kernel: 139s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2023 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
  Resource: win10v2004-20230220-en
General
- Target: fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
- Size: 1.5MB
- MD5: 42d59a8aa905c4a5def8b44ee4fc31e9
- SHA1: ed29fc03b9d8f2ea1b8f2bb40784af1f70853ec2
- SHA256: fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181
- SHA512: 70b51dedf41a9d0a7b8e0ff9e16fa506e2ed49638aee569afecae77aeead1a4a2fde5ba95479db2b69a607bd901757744663d19f9eecf0c57aa26a257a194edf
- SSDEEP: 24576:Fy1UFlz//dgbT2SIgRc1FazjZhc1bj051H9xIBCv6ON6maizAWXDGQcNXBlzWQ:gaFlz3aKjfihc1bSUgCM6maeuNxl
Malware Config
Extracted
- Family: redline
- Botnet: most
- C2: 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
- Detects Redline Stealer samples (1 IoC)
  This rule detects the presence of Redline Stealer samples based on their unique strings.
  Processes:
    resource: behavioral2/memory/348-169-0x000000000AE20000-0x000000000B438000-memory.dmp
    yara_rule: redline_stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
    1412  i78278696.exe
    4572  i36267585.exe
    4696  i74214195.exe
    3752  i23129162.exe
    348   a90305329.exe
- Adds Run key to start application (2 TTPs, 10 IoCs)
  Processes (description, ioc, process):
    Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
      fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
    Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      i78278696.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
      i78278696.exe
    Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      i36267585.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
      i74214195.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
      i23129162.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
      i36267585.exe
    Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      i74214195.exe
    Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
      i23129162.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (pid, process, target pid, target process; each relation is reported three times, giving the 15 IoCs):
    2212  fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe  wrote to memory of  1412  i78278696.exe  (x3)
    1412  i78278696.exe  wrote to memory of  4572  i36267585.exe  (x3)
    4572  i36267585.exe  wrote to memory of  4696  i74214195.exe  (x3)
    4696  i74214195.exe  wrote to memory of  3752  i23129162.exe  (x3)
    3752  i23129162.exe  wrote to memory of  348   a90305329.exe  (x3)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fd2cef82fd2f78f76f25a4b99fd1013e23a9cffffd36887f223e2915f6711181.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i78278696.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i78278696.exe
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36267585.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36267585.exe
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i74214195.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i74214195.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i23129162.exe
           Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i23129162.exe
           - Executes dropped EXE
           - Adds Run key to start application
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90305329.exe
             Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90305329.exe
             - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i78278696.exe
  Filesize: 1.3MB
  MD5: 40b4680900bf059e0c7c05c2f91478bf
  SHA1: 570fa5a29c799c45c87e21433bf9719a0b817231
  SHA256: 620707b8acd8717ae02b1d403a4286149630e0cbbd826b5fb449cb09293af7d1
  SHA512: f95accb3ddb4162208037303ef45ce837717a9b91efed63fbe2abc05258457eadc678096c0f024939148741f5fe0a4389ec7764b08939b927d5eb85532c19b26
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36267585.exe
  Filesize: 1015KB
  MD5: 2c9547ec6543dcda30ebfeac98aa8827
  SHA1: f22e3f93cb6a7605abc3f2253586851d99b90880
  SHA256: 238bfb371906132855551fb74b1e946c9646ae51308cfc9d76c5dc525e5d9d0d
  SHA512: 32de1f0bf021026d63985db0d6abb625f8dbc45adec5463e379dd422d94d278cd71d6b0b9275790f744cdc32868a45e06baafc9de1e45eddbf8f709addc5b5cd
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i74214195.exe
  Filesize: 843KB
  MD5: a8c56cf5ef0d9b9c8ed4c3ec019370c6
  SHA1: 425bef38956604327bd4018830462aa9260e1432
  SHA256: 36516b4c824dc05f5c05969ab3e55322938cc31c3e33d98b1721f2c7c88d97f0
  SHA512: baffdc421debddf1804455b5e769cdb61986c78179c83a87de561550f4decc40e5c7605cb84f9401dc1189da578d88ae8e4151f0e1c1e87a9c2fbe646f6b752b
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i23129162.exe
  Filesize: 371KB
  MD5: cad9fd29803de9feced521c3eb9bda41
  SHA1: b81c1c77170901a031068baf7f216c33bec741b8
  SHA256: 346c4bbffe89bc31f03bd8d907bbdd6710ab8c07d20d3b6d72effd69c1f14c7e
  SHA512: 7cab88ba46678efc23ee6659c11f640fb7baa5203c3dc9be2a086958df241e20870b01df92bced27249f0ca6f16cd01e8c9e2cbaa3cb898d9346df03fe40e574
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90305329.exe
  Filesize: 169KB
  MD5: 76eef94c5c11cd4f1d75cc428bef0402
  SHA1: 6a6c8badb881ba064399ae902f22413a402ef6c6
  SHA256: a5663be99714cd2becfbd1e897d79a9330d4ec9d0adb970bf72a0cac467b919a
  SHA512: a7bb102ab95800ce5b942a03ffaa0092c103cee62c7bf5e0e08e63d4b3ecbd75e5e86c9ab64ba82d60132e836a74a3ecc5bd1464cf3dad873795992eeca43e04
- memory/348-168-0x0000000000A20000-0x0000000000A50000-memory.dmp
  Filesize: 192KB
- memory/348-169-0x000000000AE20000-0x000000000B438000-memory.dmp
  Filesize: 6.1MB
- memory/348-170-0x000000000A9A0000-0x000000000AAAA000-memory.dmp
  Filesize: 1.0MB
- memory/348-171-0x000000000A8D0000-0x000000000A8E2000-memory.dmp
  Filesize: 72KB
- memory/348-172-0x000000000A930000-0x000000000A96C000-memory.dmp
  Filesize: 240KB
- memory/348-173-0x0000000005370000-0x0000000005380000-memory.dmp
  Filesize: 64KB
- memory/348-174-0x0000000005370000-0x0000000005380000-memory.dmp
  Filesize: 64KB