Analysis

max time kernel
145s
max time network
142s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags
arch:x64 arch:x86 image:win10-20231020-en locale:en-us os:windows10-1703-x64 system
submitted
21/11/2023, 23:02
Static task
static1
Behavioral task
behavioral1
Sample
b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
Resource
win10-20231020-en
General

Target
b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
Size
1.3MB
MD5
73433d21fa9f1146b510c5d6cf635181
SHA1
0e4732528e7127948b9905261350c8c3c7eb2708
SHA256
b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210
SHA512
c9341b26f07f7ae09ee590e47429efa4d0c43f6b2f35466222d909f263e8c3caf58df335953d0f35370dc8bfc625560ecc467ef36502fe334988fb403ccb9971
SSDEEP
24576:/yG4bqoBkT4+iP+Pbou1A9tZxCFAmiYCrpwdSHuaLdl9:KG4bqopP+DDAz/miY20mfL7
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource | yara_rule
behavioral1/memory/1176-21-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

Executes dropped EXE 3 IoCs
pid | Process
5108 | WW6Wq37.exe
2540 | aV6fu17.exe
1636 | 2rN7166.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | WW6Wq37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | aV6fu17.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1636 set thread context of 1176 | 1636 | 2rN7166.exe | 76

Program crash 1 IoCs
pid | pid_target | Process | procid_target
3656 | 1636 | WerFault.exe | 73

Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 4584 wrote to memory of 5108 | 4584 | b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe | 71
PID 4584 wrote to memory of 5108 | 4584 | b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe | 71
PID 4584 wrote to memory of 5108 | 4584 | b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe | 71
PID 5108 wrote to memory of 2540 | 5108 | WW6Wq37.exe | 72
PID 5108 wrote to memory of 2540 | 5108 | WW6Wq37.exe | 72
PID 5108 wrote to memory of 2540 | 5108 | WW6Wq37.exe | 72
PID 2540 wrote to memory of 1636 | 2540 | aV6fu17.exe | 73
PID 2540 wrote to memory of 1636 | 2540 | aV6fu17.exe | 73
PID 2540 wrote to memory of 1636 | 2540 | aV6fu17.exe | 73
PID 1636 wrote to memory of 4916 | 1636 | 2rN7166.exe | 75
PID 1636 wrote to memory of 4916 | 1636 | 2rN7166.exe | 75
PID 1636 wrote to memory of 4916 | 1636 | 2rN7166.exe | 75
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
PID 1636 wrote to memory of 1176 | 1636 | 2rN7166.exe | 76
Processes

C:\Users\Admin\AppData\Local\Temp\b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
"C:\Users\Admin\AppData\Local\Temp\b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5108

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2540

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:1636

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID:4916

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID:1176

        C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 608
        - Program crash
        PID:3656
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1.0MB
MD5
250c19d7eb62c8843fbd0e97ec4cec60
SHA1
024190b077ad509aa8cabef0d16f8d5b126b4c41
SHA256
c8ea3f5801c2994c941b51bbeb7b3beead10532926d34fbddc53743a25fee395
SHA512
3c01ac9448f1df8342ee1047cf1b8e55bfc1f550c6c5e95665e5f0a698dd2e9c6664baa38b0edfa1f4f08222ee0edfd91a90886c1445624e0174427bac064fa7
Filesize
946KB
MD5
e50fa73beb76198fc0833e493dcb13aa
SHA1
c9584d49179d4128c03636d0bae7b963c7680081
SHA256
de745081e7f1e7b90cada7b37b8469512c1e5c9eb89bb7e0e27ab38a5d03c7eb
SHA512
2a2e5299496e08c8b686ddde156a087d5962ff3f4c658cb9c28f8f0f365a292014dfb968a068ff0194e0d72e857d37738cac9f644df9dd1366b7e54ad1d6ff7a
Filesize
1.1MB
MD5
337da97bb85cf1c5cf97fc37e008fa6b
SHA1
60ef1e81ed36b75bd141d5a950104a625093264a
SHA256
20ed878c80abc2f62a34399d361a05682967e11b00ed42600fe8ce8fa0cbba98
SHA512
16d02fd5145313ca822d059239b6857fc0d12be1215dce354ca955c1f94146c9a6bf67201c4b1d74d3feb9248df4452895c2e258378607ec1868a1713e0326b9