Analysis
- max time kernel: 169s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2023 17:52

Static task: static1

Behavioral task: behavioral1
- Sample: 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
- Resource: win7-20231025-en

Behavioral task: behavioral2
- Sample: 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
- Resource: win10-20231020-en

Behavioral task: behavioral3
- Sample: 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
- Resource: win10v2004-20231023-en
General
- Target: 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
- Size: 1.5MB
- MD5: 213724da16f36242e50dafa7d142bba0
- SHA1: 2172e5e403c1fbacb444d555acd2dbdd597e7a4b
- SHA256: 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0
- SHA512: dc47b66d3ed3f1bf322b693396094ae5f2d223fb1c49c947dbe13b618447536da865dcdd1627086936e6918cb10d1f9e8a2cd44a22f3dfc268e8a258cde3a9d4
- SSDEEP: 24576:TyGku0Brki1KmZHmQW6fkS1gXSspfpFYrusyKelLQCnoH4cHvMi1wxZA7BIwnhpU:mNQjQWxOm9pfvnP5QCnq/PhwxZA95n
Malware Config
Extracted: redline
- most
- 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
  Processes:
  - PID 2356: i97602730.exe
  - PID 3628: i47041688.exe
  - PID 3248: i52140104.exe
  - PID 4032: i82794194.exe
  - PID 2128: a62984866.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Each value is a RunOnce entry of the kind the Windows IExpress self-extractor (wextract) writes to delete its own IXP00N.TMP working folder via advpack.dll,DelNodeRunDLL32 on the next logon; it indicates a nested self-extractor chain rather than persistence of the final payload.
  Processes (Set value (str)):
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (set by 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe)
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (set by i97602730.exe)
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (set by i47041688.exe)
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (set by i52140104.exe)
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (set by i82794194.exe)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each parent/child pair was recorded three times, giving the 15 IoCs):
  - PID 4512 (05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe) wrote to memory of PID 2356 (i97602730.exe)
  - PID 2356 (i97602730.exe) wrote to memory of PID 3628 (i47041688.exe)
  - PID 3628 (i47041688.exe) wrote to memory of PID 3248 (i52140104.exe)
  - PID 3248 (i52140104.exe) wrote to memory of PID 4032 (i82794194.exe)
  - PID 4032 (i82794194.exe) wrote to memory of PID 2128 (a62984866.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
  Filesize: 1.3MB
  MD5: 08f44ad67e6c3f45dd5722b6ac7b0bff
  SHA1: 7a607210adc252586152b9db03eec1926f625c2b
  SHA256: 4b52fec53b41632f5e03f5cdc601227da51082995111760af754370a535c6e00
  SHA512: f08a5d772a6085af217a312d35752036832d59cfa0a61edbacad80e73ed227b540abce0e1f24bb48baddcd1a895f923320fc5318e46b4bd862a91a45207ab24c
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
  Filesize: 1015KB
  MD5: 1eb8ce540f25218c5ad2cd13c1de0f95
  SHA1: 0a830367b491640c0b3668184b2fb743bf962341
  SHA256: a9530b01570a936aa99b84f1cf557f8bff74bd0233726407b0d75e27db887dd8
  SHA512: 18b3b38b236987ad95baf4a367984f31226cf706a974661d7500b24fc253fe401c8fa608075d10b4945efb9c8efd443d9af5357eb4eca45f2cb99c08addb869f
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
  Filesize: 843KB
  MD5: 285dba2edeac627e730574a01009a1f4
  SHA1: 648cf268cf65450f23f6210b8b1709788100b491
  SHA256: cce4fce89219707c95276b0491e56c8db7b929834e6f123fc29801ecc8a00de4
  SHA512: 025e4e90bd1f4fbe71d5e187b5879467ead58507f64e9e1ff9dec28948c0632996daa8fabe0d62cbed39ad44d35d436ae375dc85595af5769ce2db9fc6008f88
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
  Filesize: 371KB
  MD5: 6c1f427979ad73239a8eb9e6e0e47088
  SHA1: 6c216ac5c1b5c06514ecd1dcd188aaea270f3709
  SHA256: 25eb0b75349a56ace309d640ee60fc93bebd2533ef699968638e47fb2b626848
  SHA512: bc98f9ab19de262ecd12a38f75a3d6c98a6ca200b7ca4fd4f070b9e4a8170dd85fcd951b5d5d5e350e8b367a8472fb5bbee485a1bb0084bdf45bcca8549e268f
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
  Filesize: 169KB
  MD5: de7389ac7b0bece4d8398bdea8515bf7
  SHA1: b3d182dcba4f9be20385976b63166f944769a8e1
  SHA256: 4f1b4c5e0a123f79bd88becdc22dd7ad133340291a69e348d556b7f201595cf9
  SHA512: 89aeacfead680fbeab21969a11a7681cd151f25cfd4e105a08bc04c98854792bdf65d91883acd832d15f10f3c1ec3ec76e4f88141ce26ff1b99f0405468982dd
Memory dumps (PID 2128, a62984866.exe)
- memory/2128-35-0x0000000073D40000-0x00000000744F0000-memory.dmp: 7.7MB
- memory/2128-36-0x0000000000770000-0x00000000007A0000-memory.dmp: 192KB
- memory/2128-37-0x0000000002C80000-0x0000000002C86000-memory.dmp: 24KB
- memory/2128-38-0x0000000073D40000-0x00000000744F0000-memory.dmp: 7.7MB
- memory/2128-39-0x000000000AE70000-0x000000000B488000-memory.dmp: 6.1MB
- memory/2128-40-0x000000000A9A0000-0x000000000AAAA000-memory.dmp: 1.0MB
- memory/2128-41-0x00000000052C0000-0x00000000052D0000-memory.dmp: 64KB
- memory/2128-42-0x000000000A8D0000-0x000000000A8E2000-memory.dmp: 72KB
- memory/2128-43-0x0000000000D50000-0x0000000000D8C000-memory.dmp: 240KB