Analysis

max time kernel: 136s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/10/2023, 07:52

Static task: static1
Behavioral task: behavioral1
Sample: b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe
Resource: win10-20230915-en
General

Target: b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe
Size: 1.1MB
MD5: cdb281a8f0cdeeb0c36b07f9eb3f5d38
SHA1: e3206b7483186fed5c7d8ab4dcf507f8431b392d
SHA256: b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381
SHA512: d347e95152c1ddfca12f01790b525bbece977e9997f7e6489396f40d6dedf11ae46bd0255d2d6a1f361764bd4410f32955c48b38225ffd34204563c8210edb02
SSDEEP: 24576:NySjnNklu2oGQA0QORLjvLz0N9LhdBZL8VLvD3TCqy:oGNkc5JfjK3/l8VLvbTB
Malware Config

Extracted
Family: redline
Botnet: genda
C2: 77.91.124.55:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/5044-38-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
4484 | Yu7fD7cw.exe
4640 | QA6EU8bI.exe
2320 | AD2Sp5AI.exe
1868 | RT1Of9FP.exe
1588 | am3Vw68.exe
2264 | ft086Bl.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Yu7fD7cw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | QA6EU8bI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | AD2Sp5AI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | RT1Of9FP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2264 set thread context of 5044 | 2264 | ft086Bl.exe | 78

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3592 | 2264 | WerFault.exe | 76

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 4432 wrote to memory of 4484 | 4432 | b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe | 71
PID 4432 wrote to memory of 4484 | 4432 | b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe | 71
PID 4432 wrote to memory of 4484 | 4432 | b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe | 71
PID 4484 wrote to memory of 4640 | 4484 | Yu7fD7cw.exe | 72
PID 4484 wrote to memory of 4640 | 4484 | Yu7fD7cw.exe | 72
PID 4484 wrote to memory of 4640 | 4484 | Yu7fD7cw.exe | 72
PID 4640 wrote to memory of 2320 | 4640 | QA6EU8bI.exe | 73
PID 4640 wrote to memory of 2320 | 4640 | QA6EU8bI.exe | 73
PID 4640 wrote to memory of 2320 | 4640 | QA6EU8bI.exe | 73
PID 2320 wrote to memory of 1868 | 2320 | AD2Sp5AI.exe | 74
PID 2320 wrote to memory of 1868 | 2320 | AD2Sp5AI.exe | 74
PID 2320 wrote to memory of 1868 | 2320 | AD2Sp5AI.exe | 74
PID 1868 wrote to memory of 1588 | 1868 | RT1Of9FP.exe | 75
PID 1868 wrote to memory of 1588 | 1868 | RT1Of9FP.exe | 75
PID 1868 wrote to memory of 1588 | 1868 | RT1Of9FP.exe | 75
PID 1868 wrote to memory of 2264 | 1868 | RT1Of9FP.exe | 76
PID 1868 wrote to memory of 2264 | 1868 | RT1Of9FP.exe | 76
PID 1868 wrote to memory of 2264 | 1868 | RT1Of9FP.exe | 76
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
PID 2264 wrote to memory of 5044 | 2264 | ft086Bl.exe | 78
Processes

1. C:\Users\Admin\AppData\Local\Temp\b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b03b503a0c971f9e0fd75d3864b811145e79187eeb7e0fc2ba46e2062adf9381.exe"
   PID: 4432
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yu7fD7cw.exe
      PID: 4484
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA6EU8bI.exe
         PID: 4640
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AD2Sp5AI.exe
            PID: 2320
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RT1Of9FP.exe
               PID: 1868
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\am3Vw68.exe
                  PID: 1588
                  - Executes dropped EXE

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ft086Bl.exe
                  PID: 2264
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     PID: 5044

                  7. C:\Windows\SysWOW64\WerFault.exe
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 204
                     PID: 3592
                     - Program crash
Downloads

Filesize: 932KB
MD5: c54ae63df6899397f9fbabdb752b198b
SHA1: 7d3b89afa84e2cce37411a57791332737f88ef74
SHA256: b6c614e7c38a450282cba780b140c386962a41f9d1a3298ceb5545ef4f370731
SHA512: f3e888c66fc9fda0ac22f66cd4788d6ec9ed3e577456334f3f7a9ab2521fdf10e15ee4ebc5e6b741a57d35e9e234df3a2a81f1c40b93e9bfceb63f2b2bf6354e

Filesize: 792KB
MD5: 1beb58b5d33562a9c1f5fb5c17c50cf8
SHA1: 39457c8319a8fee6ce5fa0c050e210ae7ff2e096
SHA256: 113ce3a082cc0cebe247d52437c4534c05d644d6c0dcae966e23454d99b4e88d
SHA512: 9d608445f2409d166be8966da97435a4141cc99577ff23c75094d2089b456a1bba807998078c07a187ee1fee675f53aeae1d8c0f3e9c00b952195abc24420117

Filesize: 534KB
MD5: 6e11366a475c6df40ce03e296c07c0d7
SHA1: c105bc160758eeb886cf8c87b3f8b8c5d59525fd
SHA256: 92f0aa1db064aebe85780c28d38101e7a1c3ac88151b0aafd5bb8c7cb192ceeb
SHA512: 041d64dce09e0652b57803beb11b2cbda002751988ccb4819da39965a733167b3052f473fe9517d51e42eb971e4a0f07629a380d0be4623d2dfbddc00addcf5b

Filesize: 352KB
MD5: 170a8f1ecdcc7a62a478e38a39456ad7
SHA1: 766d1aa79a81f0766d58313951cf8c8a475a7101
SHA256: 146494c15d62af3b10293eef52ac59713a83862ed1100186bae4f323da40413d
SHA512: e1a3666fa1c0e246c816c166dc90927f5b936c3cf5969d88e5065c3335137534d23ec3889a599f3d85c1483f9ccd57b1d38541fc260f5948ed20e7774ba52b76

Filesize: 140KB
MD5: 10ad2bafcf425f003256c6462a88fd7f
SHA1: f5f362f93b4637ff39119e70bbd3556fb4fa81df
SHA256: b6276c6759352e70ed880d2a57ce5aa8346298e026f2cb894f8186e7ca0d9c75
SHA512: 429a7f56209b44cab4369f45c4added47ce59b3a08170d4ffdb6525d025242e29d1eb4c648d29282f6dc71b35ec5dc2ec6a796ee02e656e9a1ea2fba752d8829

Filesize: 386KB
MD5: e416810d89cd0a81c11924947a1ac6f6
SHA1: 83e465530390ce243554116d899747f2683acc11
SHA256: d67a1988de433dcaeea49e4b40d732d6a6f18da33246e77329d72b70d6ca7f38
SHA512: 6e160654ea51777170ed0932b57254eeddf6d418b99d4df3d914797883c78e49d5eb90147fe6c141773678facd62b324e395cb0f6a1af062236f3ac3eaff1e9c