Analysis
- max time kernel: 137s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2023 09:01
Static task
static1
Behavioral task
behavioral1
Sample
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Resource
win10v2004-20230220-en
General
- Target: ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
- Size: 1.5MB
- MD5: 2a2216b605e12dcd36c580688eaa81e7
- SHA1: 35bf6a2abf0410f0b21ed318f7268cf0f4f57ced
- SHA256: ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155
- SHA512: 442d967593ce0ea07b91d723b082851707dac15433c9e93715b72d08caed0c0ed4613eba8c46c862725907aa34afda2c822235d65ba73056a92bf758b24679c2
- SSDEEP: 24576:syt4JIJoKJsJ+PMz+eI7i8hEr6YhS/x3Xs77GhHoqLsKaKW+i3QtWMMLlpaqJK9z:btYko8PMVCih2n/xns7CBraCigtyLlpd
Malware Config
Extracted
- Family: redline
- Botnet: most
- C2: 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
resource: behavioral2/memory/1216-169-0x000000000B0C0000-0x000000000B6D8000-memory.dmp
yara_rule: redline_stealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
Processes:
pid process
3368 i15915063.exe
1440 i01671203.exe
800 i50561024.exe
2260 i85282792.exe
1216 a28836202.exe
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" i15915063.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce i50561024.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" i50561024.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce i85282792.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" i85282792.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce i01671203.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" i01671203.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce i15915063.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description pid process target process
PID 4556 wrote to memory of 3368 4556 ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe i15915063.exe
PID 4556 wrote to memory of 3368 4556 ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe i15915063.exe
PID 4556 wrote to memory of 3368 4556 ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe i15915063.exe
PID 3368 wrote to memory of 1440 3368 i15915063.exe i01671203.exe
PID 3368 wrote to memory of 1440 3368 i15915063.exe i01671203.exe
PID 3368 wrote to memory of 1440 3368 i15915063.exe i01671203.exe
PID 1440 wrote to memory of 800 1440 i01671203.exe i50561024.exe
PID 1440 wrote to memory of 800 1440 i01671203.exe i50561024.exe
PID 1440 wrote to memory of 800 1440 i01671203.exe i50561024.exe
PID 800 wrote to memory of 2260 800 i50561024.exe i85282792.exe
PID 800 wrote to memory of 2260 800 i50561024.exe i85282792.exe
PID 800 wrote to memory of 2260 800 i50561024.exe i85282792.exe
PID 2260 wrote to memory of 1216 2260 i85282792.exe a28836202.exe
PID 2260 wrote to memory of 1216 2260 i85282792.exe a28836202.exe
PID 2260 wrote to memory of 1216 2260 i85282792.exe a28836202.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe (depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe (depth 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
Filesize 1.3MB
MD5 6f9516919aa643cad0b8d6d607fc2560
SHA1 35be3d81998333d6f47087c9530e8bc1cdc3b76d
SHA256 ae8a14f64fe2ea3bb827fa8f08c209c4aba3254f1c3acb894dffc79de621bab2
SHA512 5bdb218b9b9ef69aa426cecd12b46aff36c2f1235274637cb9f3dfbf9f9c67e5fb8471090e0854c0ada4a39b40697e8371bb588b7793a7c0e1fe4687673fde3f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
Filesize 1023KB
MD5 cbe4e6b9c1192bb27422585d478c7513
SHA1 10a6c270eae40808d49c6bf6fecad25b4fc6cbf3
SHA256 f79799a5f64b160e42652d4b25a897d87d03b323a57c38371ef6dabaaa6acca5
SHA512 09f455b001d6e673f760d630c741a4d5020d7f95165eacaa0e38f3b4930a54fa811a360c67242a9809d5e2a67e34aba449e839de23d74ebefdbdff70c77740e5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
Filesize 852KB
MD5 e65a78ee22410808a42bb138234e7b57
SHA1 d96556f8d7f603bfecf69d22f7d9cb13b737647c
SHA256 f7735e9313660bfd4181cb7a7cd6ab2f8d74aa918ffa8b020b4541019a5f4041
SHA512 cb4e4b06271c7d83da5c6cbce420aca46618ba57136c16c0a4e0614e4a8334a089b4fb31cd6b49d05261ecb058a432a86225b6e9952aa0cacd4f6b5cc0105bc1
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
Filesize 375KB
MD5 2ad4946b18bf5c8017a3c96c675ce46d
SHA1 a5525f06bedd6b39832e0391b803b00aaae9a51f
SHA256 f37a0d93587c039b09b809e6cbca090caecae77ebac624383c775ef2b0382b0e
SHA512 5dd56567fd0404a91c1a7877676549e5dc2c39dadb622610865ffb72db436168344b6836cf4b15e6904c7c36f9cd7f947776b46b0e1b796ba52f568d05f0d2b5
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
Filesize 169KB
MD5 d99d8df158eaa69d84edd709623c9f5f
SHA1 70bf9d02e8778f894c5ea343ffab716064d1efa2
SHA256 71fed9b4828b1e0938548feadc32a5a820c27b215722993461fd99196fc348db
SHA512 95d1480e24ae53652c57419c7077a7b4f08d973bcf7042f381202699729ffaf1a67496474aa67af2c5efa4a8340ad342d301d537b3c57f48dcbabe179417eab7
-
memory/1216-168-0x0000000000C40000-0x0000000000C70000-memory.dmp
Filesize 192KB
-
memory/1216-169-0x000000000B0C0000-0x000000000B6D8000-memory.dmp
Filesize 6.1MB
-
memory/1216-170-0x000000000ABC0000-0x000000000ACCA000-memory.dmp
Filesize 1.0MB
-
memory/1216-171-0x000000000AAF0000-0x000000000AB02000-memory.dmp
Filesize 72KB
-
memory/1216-172-0x0000000005610000-0x0000000005620000-memory.dmp
Filesize 64KB
-
memory/1216-173-0x000000000AB50000-0x000000000AB8C000-memory.dmp
Filesize 240KB
-
memory/1216-174-0x0000000005610000-0x0000000005620000-memory.dmp
Filesize 64KB