Analysis
max time kernel: 127s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 16:10

Static task: static1
Behavioral task: behavioral1
Sample: bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
Resource: win10v2004-20230915-en
General
Target: bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
Size: 1.2MB
MD5: d725f316f6e11449170743aca1680036
SHA1: e8b15fef1faf90d8a314e499211643d21dae7dc5
SHA256: bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960
SHA512: 288fbe947afb48c9c9530150de07779b0386649b09af618b77325bdc401c7c65558d81dba8cc32bac8097a994d2b62a64453da0480bc78b39ee6abacc5032231
SSDEEP: 24576:WyW4tae1sL27ESWmTajggwwD36TEgfKSsE9kOzHVKtc2W:l7oeea7kNnwwb6Ttc6k0
Malware Config
Extracted
Family: redline
Botnet: kolyan
C2: 77.91.124.82:19071
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000700000002302a-41.dat | family_redline
behavioral1/files/0x000700000002302a-42.dat | family_redline
behavioral1/memory/3012-44-0x0000000000030000-0x000000000006E000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
pid | Process
3492 | AN6TL2ZP.exe
364 | Jq0lb8GM.exe
3788 | AG7QM6Bs.exe
1852 | zE6Hr6LR.exe
1772 | 1pL35qN7.exe
3012 | 2kT374UW.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | AG7QM6Bs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | zE6Hr6LR.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | AN6TL2ZP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Jq0lb8GM.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1772 set thread context of 2792 | 1772 | 1pL35qN7.exe | 92

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2424 | 2792 | WerFault.exe | 92

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 5004 wrote to memory of 3492 | 5004 | bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe | 82
PID 5004 wrote to memory of 3492 | 5004 | bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe | 82
PID 5004 wrote to memory of 3492 | 5004 | bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe | 82
PID 3492 wrote to memory of 364 | 3492 | AN6TL2ZP.exe | 83
PID 3492 wrote to memory of 364 | 3492 | AN6TL2ZP.exe | 83
PID 3492 wrote to memory of 364 | 3492 | AN6TL2ZP.exe | 83
PID 364 wrote to memory of 3788 | 364 | Jq0lb8GM.exe | 84
PID 364 wrote to memory of 3788 | 364 | Jq0lb8GM.exe | 84
PID 364 wrote to memory of 3788 | 364 | Jq0lb8GM.exe | 84
PID 3788 wrote to memory of 1852 | 3788 | AG7QM6Bs.exe | 85
PID 3788 wrote to memory of 1852 | 3788 | AG7QM6Bs.exe | 85
PID 3788 wrote to memory of 1852 | 3788 | AG7QM6Bs.exe | 85
PID 1852 wrote to memory of 1772 | 1852 | zE6Hr6LR.exe | 86
PID 1852 wrote to memory of 1772 | 1852 | zE6Hr6LR.exe | 86
PID 1852 wrote to memory of 1772 | 1852 | zE6Hr6LR.exe | 86
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1772 wrote to memory of 2792 | 1772 | 1pL35qN7.exe | 92
PID 1852 wrote to memory of 3012 | 1852 | zE6Hr6LR.exe | 93
PID 1852 wrote to memory of 3012 | 1852 | zE6Hr6LR.exe | 93
PID 1852 wrote to memory of 3012 | 1852 | zE6Hr6LR.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bae1435c2568e7d2fd897523f15f55d7a15d62793a26e726acb8ac8df55ba960.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 5004

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AN6TL2ZP.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3492

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jq0lb8GM.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 364

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AG7QM6Bs.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3788

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zE6Hr6LR.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 1852

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pL35qN7.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 1772

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 2792

              C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 540
                - Program crash
                PID: 2424

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kT374UW.exe
            - Executes dropped EXE
            PID: 3012

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
  PID: 2116
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: d8a04b5af47706c2f7015bd9d42114e1
SHA1: 0f88c17f8bbfdaaedec6f9e370fb72cc2dc404c7
SHA256: 2ddc976bcbded54f92b387c15b315165271a70a8a73146dcc4305c9e4b74c134
SHA512: 621bf33ae38556a17ab55836decba15f9e6472878432b0fb2fccd594f5e16148452fcfeac31667d0c2c3c61bd07d5bdd4774a085fe11c5f2b23eaf2266a493fe

Filesize: 917KB
MD5: 5d93888405ce40e4997b2de51bd93ac7
SHA1: f8c3ab9ffeac10a4b10380f09adc19fac2e5622e
SHA256: 5e00d3a7ef680aadbf661d6fb205320714ef6ca1b172a59d8bdb17de859b5345
SHA512: 46fb9bf0283a613bc03745760905834ab205e1510253cd6d601882282195996362ffd1545a86c9bbe044b6c426fcdf45d0e23a770d23b2fff75be052abad8d2d

Filesize: 630KB
MD5: 3b49a144b046ef9ac85ee834d9c1c40a
SHA1: 167c45ec3cc831665706b1990e4a44d90317ec87
SHA256: 8818cabd5ef226261744fad967f5a073076d7a60acc39c7e2c0376ed3a5927e5
SHA512: 16a3e20dd8ccf38145c949eff95abe28c10795f4d65118ee5b4c7cf301517323866a85008aea0a96c061ac019ba6b676296f5e130072ce9beaf5e7f81a78d0b1

Filesize: 434KB
MD5: 21e67d1f92094568f63a488f2090ed5e
SHA1: 93aa437034470403164477d216a0ede3aff8c46d
SHA256: dbe78050b607de390bc74bb02c57a79fab265866f70afb1809a825e00308d658
SHA512: fe8c14132c28fe2b6998219dcf4e4ab522d52c1827d8a51c25aca86aef88e26e80a0d885a54c845004cb6f4ade00ef9a349796ecb9ab3b4190e720a45e217a45

Filesize: 418KB
MD5: 7de2eeaa17f9efd917c5417abb267a56
SHA1: 11685c5f60033603e160b8ff399024ec36424a45
SHA256: 6883b05e30132bfa790f2e441a19ded5b9bbaf46d6988c2ca9b35c87b3b84fef
SHA512: 70d65e288cdea2e3d77d65748c630f9a674c3741fc394db29e4d23e415de39b4dad432e7974509f8720969b4fbb2e2f8ea1f91dc21674269721f1afbca6b5d91

Filesize: 221KB
MD5: f77bb2b09f7851109de877f66e39baae
SHA1: 8bbfe47b04fb08aa05f07d9b924fdc4203e59d8d
SHA256: aece250378d680005b85432e93b5974dcd7f40bc559396ea6067e4aaad151390
SHA512: 419b288cc4ee6a3debd4717b1f6879318f796c27692fa1a73904b23746df2f30bf71774fba7137cc78808fb7c74ed597bbe42029aa9764a298cb2357269e0593