Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2023 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
  Resource: win10v2004-20230220-en
General
Target: ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
Size: 850KB
MD5: 4f4634c58d752041aabbc8f6e75955a8
SHA1: 310e0fd194fefde2db2e4efcdb1992410a1ff662
SHA256: ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401
SHA512: d6d91dabb47d9dd4cfc4e3e9b08ad5a03efa325c94306e394d4a9dcf39ed6c847e85d70fea3f9e681936f3306ab31fb59f33e93a146848e45ddd0fa840647657
SSDEEP: 24576:pyYWbrPlffGMSRASoapNtMIksYwwaRikJXLs:cYWbr9fdSkYNowTtL
Malware Config
Extracted
  redline
  gena
  185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07
Extracted
  redline
  dante
  185.161.248.73:4164
  auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
Processes:
  resource: behavioral2/memory/2200-2320-0x0000000005890000-0x0000000005EA8000-memory.dmp
  yara_rule: redline_stealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  process: p11609311.exe
Executes dropped EXE 4 IoCs
Processes:
  pid  | process
  4808 | y76699233.exe
  4792 | p11609311.exe
  2200 | 1.exe
  3280 | r08915770.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y76699233.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y76699233.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid: 4792
  process: p11609311.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 2156 wrote to memory of 4808 | 2156 | ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe | y76699233.exe
  PID 2156 wrote to memory of 4808 | 2156 | ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe | y76699233.exe
  PID 2156 wrote to memory of 4808 | 2156 | ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe | y76699233.exe
  PID 4808 wrote to memory of 4792 | 4808 | y76699233.exe | p11609311.exe
  PID 4808 wrote to memory of 4792 | 4808 | y76699233.exe | p11609311.exe
  PID 4808 wrote to memory of 4792 | 4808 | y76699233.exe | p11609311.exe
  PID 4792 wrote to memory of 2200 | 4792 | p11609311.exe | 1.exe
  PID 4792 wrote to memory of 2200 | 4792 | p11609311.exe | 1.exe
  PID 4792 wrote to memory of 2200 | 4792 | p11609311.exe | 1.exe
  PID 4808 wrote to memory of 3280 | 4808 | y76699233.exe | r08915770.exe
  PID 4808 wrote to memory of 3280 | 4808 | y76699233.exe | r08915770.exe
  PID 4808 wrote to memory of 3280 | 4808 | y76699233.exe | r08915770.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffebb032fe236b2c4b680eda596445bb5ed101084cb70b7acde9b3f5410e9401.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y76699233.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y76699233.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11609311.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11609311.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r08915770.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r08915770.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y76699233.exe
  Filesize: 570KB
  MD5: efcf53ece3c0369daf2dcbdafcb99f85
  SHA1: eaa9cdd0aef87dad7c9a6fe3f611490faaf11a2e
  SHA256: 96b5b1851cedd30d61873e5e6b8ad63f873ffcc3eab1a8f2f238970340f2e1cc
  SHA512: 68e66462f7904e97815fd732bc6365c00b7c23b6125b3046f69e52a4ee8a6c7fdd93335cdaac7bbdbf65ae5088833f013e9fe0c32342c534f9c4a160ea86ebc4
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11609311.exe
  Filesize: 476KB
  MD5: 06ef514876ae49e621887495b8e23b33
  SHA1: c6d2282855afc8dc25275af6fde84e3d8649ca08
  SHA256: 3ef79d8eba491981d1ad0c116a884704f32272a5e313d53d765a9e47c5597fd0
  SHA512: bd3a6f58071c4701e7b4b528a1e61d5daf264b2534330265bc8db6f1907358efedd89a2e8e740574d81195fe4882d8ec87bf02005298ee01d3fc6f3c2bed224a
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r08915770.exe
  Filesize: 169KB
  MD5: 530930e691d927da8f6ddc697f4652cb
  SHA1: a284ccb4b250a0d804779af34058a6ddda0d4d71
  SHA256: 7ca28e74f3c6fde7f1cd63a06bf0e1b298950fc7be39aaaebd0246a82e5ddab5
  SHA512: ed633a987fcca4f8d41d781fc583b572053c6e7c899f9c50e67ff4a3f8fc252ba3c38edf40d35a6e640302efd5e9ed68bf08f7ae4da539cbc78c1a38f6c3fa7d
- C:\Windows\Temp\1.exe
  Filesize: 168KB
  MD5: f16fb63d4e551d3808e8f01f2671b57e
  SHA1: 781153ad6235a1152da112de1fb39a6f2d063575
  SHA256: 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
  SHA512: fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
- memory/2200-2314-0x00000000008C0000-0x00000000008EE000-memory.dmp  Filesize: 184KB
- memory/2200-2326-0x0000000005160000-0x0000000005170000-memory.dmp  Filesize: 64KB
- memory/2200-2324-0x0000000005160000-0x0000000005170000-memory.dmp  Filesize: 64KB
- memory/2200-2323-0x0000000005270000-0x00000000052AC000-memory.dmp  Filesize: 240KB
- memory/2200-2322-0x0000000005100000-0x0000000005112000-memory.dmp  Filesize: 72KB
- memory/2200-2321-0x0000000005380000-0x000000000548A000-memory.dmp  Filesize: 1.0MB
- memory/2200-2320-0x0000000005890000-0x0000000005EA8000-memory.dmp  Filesize: 6.1MB
- memory/3280-2325-0x00000000048D0000-0x00000000048E0000-memory.dmp  Filesize: 64KB
- memory/3280-2319-0x0000000000030000-0x0000000000060000-memory.dmp  Filesize: 192KB
- memory/3280-2327-0x00000000048D0000-0x00000000048E0000-memory.dmp  Filesize: 64KB
- memory/4792-180-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-200-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-166-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-168-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-170-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-172-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-174-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-176-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-178-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-162-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-182-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-184-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-186-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-188-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-190-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-192-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-194-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-196-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-198-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-164-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-202-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-204-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-206-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-208-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-210-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-160-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-158-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-156-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-154-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-153-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-152-0x00000000027F0000-0x0000000002800000-memory.dmp  Filesize: 64KB
- memory/4792-151-0x00000000027F0000-0x0000000002800000-memory.dmp  Filesize: 64KB
- memory/4792-150-0x00000000027F0000-0x0000000002800000-memory.dmp  Filesize: 64KB
- memory/4792-149-0x0000000004F00000-0x00000000054A4000-memory.dmp  Filesize: 5.6MB
- memory/4792-148-0x00000000007D0000-0x000000000082B000-memory.dmp  Filesize: 364KB
- memory/4792-212-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-214-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-216-0x0000000002790000-0x00000000027F0000-memory.dmp  Filesize: 384KB
- memory/4792-2301-0x00000000007D0000-0x000000000082B000-memory.dmp  Filesize: 364KB
- memory/4792-2302-0x00000000027F0000-0x0000000002800000-memory.dmp  Filesize: 64KB