Analysis
max time kernel: 136s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 08:58
Static task: static1
Behavioral task: behavioral1
  Sample: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
  Resource: win10v2004-20230220-en
General
Target: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
Size: 1.5MB
MD5: 06c49a40cde38474e581fe8196c97144
SHA1: f51d89725de428ac98e99058b1196398617889ec
SHA256: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf
SHA512: 728e092ea4d12203e7417cedfb409e5884337f8966e6c119f08c752e59bff9876b566b5074d0a54a356cca4678ef0a3f41735bac70770bce07f73c8d86afcc95
SSDEEP: 24576:6y4w1qBXlgNPrt/ernl6VRL8tg+m7+MYmZfpHVlS6rQZsNHOmm5jAltG0I5QyFvu:B4wglaz/EQVJAuYmVpHDTrQaup9AlkFN
Malware Config
Extracted
  Family: redline
  Botnet: most
  C2: 185.161.248.73:4164
  Attributes: auth_value = 7da4dfa153f2919e617aa016f7c36008
Signatures
Detects Redline Stealer samples (1 IoC)
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
  resource: behavioral2/memory/4692-169-0x000000000A820000-0x000000000AE38000-memory.dmp
  yara_rule: redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
Processes: i41733190.exe, i44010740.exe, i45434198.exe, i96358631.exe, a67267342.exe
  pid 3024 | process i41733190.exe
  pid 1316 | process i44010740.exe
  pid 1956 | process i45434198.exe
  pid 4492 | process i96358631.exe
  pid 4692 | process a67267342.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe, i45434198.exe, i96358631.exe, i41733190.exe, i44010740.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | process: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | process: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | process: i45434198.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | process: i96358631.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | process: i45434198.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | process: i96358631.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | process: i41733190.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | process: i41733190.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | process: i44010740.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | process: i44010740.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe, i41733190.exe, i44010740.exe, i45434198.exe, i96358631.exe
  description: PID 4356 wrote to memory of 3024 | pid: 4356 | process: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe | target process: i41733190.exe
  description: PID 4356 wrote to memory of 3024 | pid: 4356 | process: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe | target process: i41733190.exe
  description: PID 4356 wrote to memory of 3024 | pid: 4356 | process: fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe | target process: i41733190.exe
  description: PID 3024 wrote to memory of 1316 | pid: 3024 | process: i41733190.exe | target process: i44010740.exe
  description: PID 3024 wrote to memory of 1316 | pid: 3024 | process: i41733190.exe | target process: i44010740.exe
  description: PID 3024 wrote to memory of 1316 | pid: 3024 | process: i41733190.exe | target process: i44010740.exe
  description: PID 1316 wrote to memory of 1956 | pid: 1316 | process: i44010740.exe | target process: i45434198.exe
  description: PID 1316 wrote to memory of 1956 | pid: 1316 | process: i44010740.exe | target process: i45434198.exe
  description: PID 1316 wrote to memory of 1956 | pid: 1316 | process: i44010740.exe | target process: i45434198.exe
  description: PID 1956 wrote to memory of 4492 | pid: 1956 | process: i45434198.exe | target process: i96358631.exe
  description: PID 1956 wrote to memory of 4492 | pid: 1956 | process: i45434198.exe | target process: i96358631.exe
  description: PID 1956 wrote to memory of 4492 | pid: 1956 | process: i45434198.exe | target process: i96358631.exe
  description: PID 4492 wrote to memory of 4692 | pid: 4492 | process: i96358631.exe | target process: a67267342.exe
  description: PID 4492 wrote to memory of 4692 | pid: 4492 | process: i96358631.exe | target process: a67267342.exe
  description: PID 4492 wrote to memory of 4692 | pid: 4492 | process: i96358631.exe | target process: a67267342.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe (spawned by 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe (spawned by 2)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe (spawned by 3)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe (spawned by 4)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe (spawned by 5)
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
                  - Executes dropped EXE
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
Filesize: 1.3MB
MD5: 3e6abf641867fa06a81980beff90e3a7
SHA1: d49d47a9b0ab47d7ee69ec72d4624b3fb5b921a8
SHA256: 00dda400c4bfa5623e78f1660a436a03a3fbd1c17a8227ceef264a3024e28964
SHA512: c45ba1f74d18254a547ac7d0ccfc54379262d7d2d92dce4419f8455fe7d1c831bdb0e55e6b359a624a47e1848ccd6c0bc88b94e8ad5091a0b640891971cd9e72
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
Filesize: 1014KB
MD5: 4af0cae50c7a40bf423f5a3598963f0a
SHA1: fba8c4995e281a1d5c6d8150a4898e569cdfdd62
SHA256: 4beca234c18bd275d3e9e1ef6b9582285272d91d1bb20b2e2d382e0ed08cec60
SHA512: 309523ea3418854a21bf6320686684c76dd1bf1844075bccc23293951f6b6be44e4bc4dece65857e75290beaa8f46f222fc7e88c7660a9d67404c7199d7092d5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
Filesize: 842KB
MD5: 3ab63240985369b23718100b596275c8
SHA1: f7ce0c5202be8bf751098d265d47f98b29e8248c
SHA256: df72145e25a32cb15157b25d77b2257a80bef087a780d648c5e0e059f77bf7e5
SHA512: 9218cf765dfd75b75000aa469adff05d8f94869db197e2e3f5dae15cc0fd91e0e09b52d8ca017077ead87c9ea9b0a359a1d5eb7d4bd346fd337326aaa0076177
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
Filesize: 370KB
MD5: 8274ec3f196c145f59b912a3d38e3c6d
SHA1: 352ef45be6b8a8524870b9b5be4d5d6f47611dcc
SHA256: 5e83ebdd6963b7d1186e25aeef5b60df50f12e876a3ae529e8870bbe6565bdf0
SHA512: d039afe4dab661ae51150a97fc2149eef77e4a0530062d28a86f08ebd57378c9d04d25e3a0ad5c939dd4565582f286309a60d5bcce696bc2f42054f9e6954555
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
Filesize: 169KB
MD5: c25c8b6b96c728271c4e1c4ee81d3af7
SHA1: cfff4be28b6873004e89f7a44445ae53572f5ab6
SHA256: 7750bc6294651cf8907344d6b2d2131106a85011031657f684506a42db6381fe
SHA512: c749f6878b8194c6e5f27635eceef9ed5768d9f7c47ec1c0960ab066a5554fc49c386913e9b84759e527d4677243d8621e275ea59b9843874a94840ba57ea42b
-
memory/4692-168-0x00000000003A0000-0x00000000003D0000-memory.dmp
Filesize: 192KB
-
memory/4692-169-0x000000000A820000-0x000000000AE38000-memory.dmp
Filesize: 6.1MB
-
memory/4692-170-0x000000000A320000-0x000000000A42A000-memory.dmp
Filesize: 1.0MB
-
memory/4692-171-0x000000000A250000-0x000000000A262000-memory.dmp
Filesize: 72KB
-
memory/4692-172-0x000000000A2B0000-0x000000000A2EC000-memory.dmp
Filesize: 240KB
-
memory/4692-173-0x0000000004D70000-0x0000000004D80000-memory.dmp
Filesize: 64KB
-
memory/4692-174-0x0000000004D70000-0x0000000004D80000-memory.dmp
Filesize: 64KB