Analysis
max time kernel: 193s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 16:03
Static task: static1
Behavioral task: behavioral1
Sample: 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
Resource: win10v2004-20231023-en
General
Target: 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
Size: 1.7MB
MD5: e1193f055ae2aa309a39592646d1a329
SHA1: a2c1b5c4ea097c543b7318ffc38215820c508958
SHA256: 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a
SHA512: 1226d7e75fb1ee2e893ac8460a185052a55adc4f144d448278b93906a0106d8365ff895c1eed64efe280a46873871e6f745c3a72ceee70d62960c174b944bd1f
SSDEEP: 49152:MixS2taMyYPiFX7y+tKSYvuusF7zttytZ4f/IHAnGELhappi:z9taMy7FW+tAofttytZ4fHGuaLi
Malware Config
Extracted
redline
kedru
77.91.124.86:19084
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000022e17-40.dat | family_redline
behavioral1/files/0x0006000000022e17-42.dat | family_redline
behavioral1/memory/408-44-0x00000000003A0000-0x00000000003DC000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
924 | Hd6py8GN.exe
632 | kA7dL9vv.exe
1424 | KY7eO0Cc.exe
1892 | aS4Ob6ki.exe
3988 | 1cI12Fz6.exe
408 | 2fB327pW.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | KY7eO0Cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | aS4Ob6ki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Hd6py8GN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kA7dL9vv.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3988 set thread context of 3716 | 3988 | 1cI12Fz6.exe | 95

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4760 | 3716 | WerFault.exe | 95
4568 | 3716 | WerFault.exe | 95

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target
PID 4680 wrote to memory of 924 | 4680 | 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe | 90
PID 4680 wrote to memory of 924 | 4680 | 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe | 90
PID 4680 wrote to memory of 924 | 4680 | 391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe | 90
PID 924 wrote to memory of 632 | 924 | Hd6py8GN.exe | 91
PID 924 wrote to memory of 632 | 924 | Hd6py8GN.exe | 91
PID 924 wrote to memory of 632 | 924 | Hd6py8GN.exe | 91
PID 632 wrote to memory of 1424 | 632 | kA7dL9vv.exe | 92
PID 632 wrote to memory of 1424 | 632 | kA7dL9vv.exe | 92
PID 632 wrote to memory of 1424 | 632 | kA7dL9vv.exe | 92
PID 1424 wrote to memory of 1892 | 1424 | KY7eO0Cc.exe | 93
PID 1424 wrote to memory of 1892 | 1424 | KY7eO0Cc.exe | 93
PID 1424 wrote to memory of 1892 | 1424 | KY7eO0Cc.exe | 93
PID 1892 wrote to memory of 3988 | 1892 | aS4Ob6ki.exe | 94
PID 1892 wrote to memory of 3988 | 1892 | aS4Ob6ki.exe | 94
PID 1892 wrote to memory of 3988 | 1892 | aS4Ob6ki.exe | 94
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 3988 wrote to memory of 3716 | 3988 | 1cI12Fz6.exe | 95
PID 1892 wrote to memory of 408 | 1892 | aS4Ob6ki.exe | 96
PID 1892 wrote to memory of 408 | 1892 | aS4Ob6ki.exe | 96
PID 1892 wrote to memory of 408 | 1892 | aS4Ob6ki.exe | 96
PID 3716 wrote to memory of 4760 | 3716 | AppLaunch.exe | 100
PID 3716 wrote to memory of 4760 | 3716 | AppLaunch.exe | 100
PID 3716 wrote to memory of 4760 | 3716 | AppLaunch.exe | 100
Processes

- C:\Users\Admin\AppData\Local\Temp\391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\391518ddb072635c469fb8eaa6575d2680b8c2542bb95b51159981293941052a.exe"
  PID: 4680
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hd6py8GN.exe
    PID: 924
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kA7dL9vv.exe
      PID: 632
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KY7eO0Cc.exe
        PID: 1424
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aS4Ob6ki.exe
          PID: 1892
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cI12Fz6.exe
            PID: 3988
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 3716
              Signatures: Suspicious use of WriteProcessMemory

              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 540
                PID: 4760
                Signatures: Program crash

              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 540
                PID: 4568
                Signatures: Program crash

          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fB327pW.exe
            PID: 408
            Signatures: Executes dropped EXE

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3716 -ip 3716
  PID: 1452
Network
MITRE ATT&CK Enterprise v15
Downloads