Overview
overview
10Static
static
335c135016a...ef.exe
windows10-2004-x64
103ab23a3036...c6.exe
windows10-2004-x64
103b8cd7306b...71.exe
windows10-2004-x64
103ea65c50a2...63.exe
windows7-x64
33ea65c50a2...63.exe
windows10-2004-x64
1051c9916d6f...bf.exe
windows10-2004-x64
1053cf9b6e16...08.exe
windows10-2004-x64
1064792ffeec...35.exe
windows10-2004-x64
1071d1420ff1...80.exe
windows10-2004-x64
107a08e2a624...2b.exe
windows10-2004-x64
107dbf05d83f...65.exe
windows7-x64
37dbf05d83f...65.exe
windows10-2004-x64
107f80787d38...fd.exe
windows10-2004-x64
109176ff0f1c...21.exe
windows10-2004-x64
10babd836631...1d.exe
windows10-2004-x64
10cbd8058875...48.exe
windows7-x64
3cbd8058875...48.exe
windows10-2004-x64
10d134576ca7...48.exe
windows10-2004-x64
10da09729d57...e8.exe
windows10-2004-x64
10dcfab037f7...a0.exe
windows10-2004-x64
10eca60134d9...3f.exe
windows10-2004-x64
10f16db96028...f1.exe
windows10-2004-x64
10f5957f382e...6a.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win7-20240508-en
Behavioral task
behavioral5
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe
Resource
win10v2004-20240508-en
General
-
Target
3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
-
Size
857KB
-
MD5
0f0d0b0d1763725ce36c1c1db736fc8e
-
SHA1
3a5d36a40ae2f0aa832b88db12e8080f83b8503d
-
SHA256
3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6
-
SHA512
224c93c379f47a4b1886478c26427daab891b4cdbbacf2dbdce454a8d3acc1c16eda545ff2381cbfe0fb872fe670060471f346986f7fc6ae4007039531322f5d
-
SSDEEP
24576:nyD97B7U1CjyvR3id1Z0Fr4m5lO5x99+wfCbnBYsVj:yDaCjcipq5lO5X9+wqbGK
Malware Config
Extracted
redline
kira
77.91.68.48:19071
-
auth_value
1677a40fd8997eb89377e1681911e9c6
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/3960-15-0x0000000000510000-0x0000000000540000-memory.dmp family_redline behavioral2/memory/3960-19-0x0000000000400000-0x000000000043A000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 900 x1185734.exe 3960 f0011085.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1185734.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 920 wrote to memory of 900 920 3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe 82 PID 920 wrote to memory of 900 920 3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe 82 PID 920 wrote to memory of 900 920 3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe 82 PID 900 wrote to memory of 3960 900 x1185734.exe 84 PID 900 wrote to memory of 3960 900 x1185734.exe 84 PID 900 wrote to memory of 3960 900 x1185734.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe3⤵
- Executes dropped EXE
PID:3960
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
756KB
MD53211325470f6929971deb61d33db781a
SHA1b71e886212447aac365b2485623873f4122080bc
SHA256f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe
SHA5127fca2883972e3a967a1fc19c43994b57eb60edea4690ea8b47922c970e649597db40880fe511123a126b2adf0c224091308e4004d77bf110c9033d87b1861607
-
Filesize
692KB
MD55b55a135c863ac61103a4cd53f53ebf4
SHA1a7366c5895d88489f3535a903fa915bcd1f141b1
SHA256711b3f68d2100dfa3f4ee01aada958c1f9f347144cc982dfb1824e01cce64ad2
SHA512e4d1ea6248202d6a10ae0914af581d68d8fdd339ef773cabc93f70867409bb0dc7be0f42b614a376cd200921d345ab7581daa2e620b7057dee3d4b3f56a3e9f9