Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
05/06/2023, 00:11
General
-
Target
file.exe
-
Size
580KB
-
MD5
3d33cc4a4007bf7d7e26dae656fab795
-
SHA1
e908a0268e62aa3cbc70fb40276eccde98455106
-
SHA256
f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317
-
SHA512
67e5f38d74a6bdbfcec27519ac441cd576d8537fdc31d52876aedd5c8f415ce042e10b4d45e7bc24c31963f0afcc7c508ac2de5a3991a6aa4a400b44faf9b7b9
-
SSDEEP
12288:aMrWy90/gB9v1iFA7j8cZMdxSTjRGBsD7FKWvUkxxJI3ZB:MylNSi8cydANGBiAWFxx4
Malware Config
Extracted
redline
maxi
83.97.73.126:19046
-
auth_value
6a3f22e5f4209b056a3fd330dc71956a
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
378KB
MD508310e1252404cb9eb0c95405916b4e6
SHA1a2e753db164b1064f92753ebe43f00cdda5faddb
SHA256e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b
SHA5125d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1
-
Filesize
378KB
MD508310e1252404cb9eb0c95405916b4e6
SHA1a2e753db164b1064f92753ebe43f00cdda5faddb
SHA256e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b
SHA5125d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1
-
Filesize
206KB
MD51a59af8cfe51430ba3232b6440be2258
SHA145981b180827d80e9461c6127e0c4732819c4379
SHA256b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4
SHA512827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724
-
Filesize
206KB
MD51a59af8cfe51430ba3232b6440be2258
SHA145981b180827d80e9461c6127e0c4732819c4379
SHA256b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4
SHA512827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724
-
Filesize
11KB
MD57718786682a8337d7648a66452f38451
SHA18c920f18fcba96bf298b6b4fedc106d41bffc15d
SHA256bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062
SHA5123b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106
-
Filesize
11KB
MD57718786682a8337d7648a66452f38451
SHA18c920f18fcba96bf298b6b4fedc106d41bffc15d
SHA256bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062
SHA5123b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106
-
Filesize
172KB
MD530aa28ce8fe7e0306c6c23f43a8188be
SHA1c5e75ac0d08b223833df143725f403b2f5ad518b
SHA256b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0
SHA512d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578
-
Filesize
172KB
MD530aa28ce8fe7e0306c6c23f43a8188be
SHA1c5e75ac0d08b223833df143725f403b2f5ad518b
SHA256b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0
SHA512d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578
-
Filesize
6.1MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
40KB