Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09-05-2024 14:29

General

  • Target

    3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe

  • Size

    857KB

  • MD5

    0f0d0b0d1763725ce36c1c1db736fc8e

  • SHA1

    3a5d36a40ae2f0aa832b88db12e8080f83b8503d

  • SHA256

    3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6

  • SHA512

    224c93c379f47a4b1886478c26427daab891b4cdbbacf2dbdce454a8d3acc1c16eda545ff2381cbfe0fb872fe670060471f346986f7fc6ae4007039531322f5d

  • SSDEEP

    24576:nyD97B7U1CjyvR3id1Z0Fr4m5lO5x99+wfCbnBYsVj:yDaCjcipq5lO5X9+wqbGK

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes
  • auth_value

    1677a40fd8997eb89377e1681911e9c6

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
    "C:\Users\Admin\AppData\Local\Temp\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
        3⤵
        • Executes dropped EXE
        PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
  • Defense Evasion
    T1112 Modify Registry: 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1185734.exe
    Filesize

    756KB

    MD5

    3211325470f6929971deb61d33db781a

    SHA1

    b71e886212447aac365b2485623873f4122080bc

    SHA256

    f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe

    SHA512

    7fca2883972e3a967a1fc19c43994b57eb60edea4690ea8b47922c970e649597db40880fe511123a126b2adf0c224091308e4004d77bf110c9033d87b1861607

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f0011085.exe
    Filesize

    692KB

    MD5

    5b55a135c863ac61103a4cd53f53ebf4

    SHA1

    a7366c5895d88489f3535a903fa915bcd1f141b1

    SHA256

    711b3f68d2100dfa3f4ee01aada958c1f9f347144cc982dfb1824e01cce64ad2

    SHA512

    e4d1ea6248202d6a10ae0914af581d68d8fdd339ef773cabc93f70867409bb0dc7be0f42b614a376cd200921d345ab7581daa2e620b7057dee3d4b3f56a3e9f9

  • memory/3960-14-0x0000000000401000-0x0000000000402000-memory.dmp
    Filesize

    4KB

  • memory/3960-15-0x0000000000510000-0x0000000000540000-memory.dmp
    Filesize

    192KB

  • memory/3960-19-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

  • memory/3960-20-0x0000000002530000-0x0000000002536000-memory.dmp
    Filesize

    24KB

  • memory/3960-21-0x000000000A000000-0x000000000A618000-memory.dmp
    Filesize

    6.1MB

  • memory/3960-22-0x000000000A640000-0x000000000A74A000-memory.dmp
    Filesize

    1.0MB

  • memory/3960-23-0x000000000A780000-0x000000000A792000-memory.dmp
    Filesize

    72KB

  • memory/3960-24-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
    Filesize

    240KB

  • memory/3960-25-0x0000000004590000-0x00000000045DC000-memory.dmp
    Filesize

    304KB
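The report gives everything needed to hunt for this sample on other hosts: the C2 endpoint from Malware Config, the hashes of the sample and the two dropped stages from Downloads, the Run-key persistence flagged in Signatures, and the three-deep process chain under Processes (IXP000.TMP and IXP001.TMP are the extraction directories IExpress self-extracting packages create under %TEMP%, so each stage is an IExpress package unpacking the next). The following Python is example code added by the editor, not part of the sandbox report or any vendor tool. It turns those indicators into a small matcher and runs it over constructed telemetry shaped like the report's process tree. Two rules deliberately generalise beyond what the report states, and are marked as assumptions in the code: any IXP<nnn>.TMP stage is matched rather than only the two names seen here, and any Run or RunOnce value pointing into the user's Temp directory is flagged, because the report names the technique (T1547.001) but not the exact key or data. The Run-key data, the C2 connection and the two benign events in the sample telemetry are constructed; the report's own Network section recorded nothing.

```python
"""Example code added by the editor: not part of the sandbox report and not a
vendor tool. Turns the report's indicators into a matcher and runs it over
constructed telemetry shaped like the report's process tree."""
import re
from typing import Any, Dict, List, Tuple

# --- Indicators copied from the report -------------------------------------
C2_ADDR = ("77.91.68.48", 19071)                      # Malware Config: C2
SUBMITTED_SHA256 = "3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6"
DROPPED_SHA256 = {                                    # Downloads section
    "f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe": "x1185734.exe",
    "711b3f68d2100dfa3f4ee01aada958c1f9f347144cc982dfb1824e01cce64ad2": "f0011085.exe",
}

# --- Generalisations (assumptions, not stated in the report) ---------------
# IXP000.TMP / IXP001.TMP are the extraction directories IExpress packages
# create under %TEMP%; match any IXP<nnn>.TMP stage, not just these two names.
IEXPRESS_STAGE = re.compile(r"\\temp\\ixp\d{3}\.tmp\\[^\\]+\.exe$", re.IGNORECASE)
# The report only says "Adds Run key"; flag Run/RunOnce values whose data
# points into the user's Temp directory, which is where the stages live.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

Event = Dict[str, Any]
Finding = Tuple[str, str]   # (label, event id)


def scan(events: List[Event]) -> List[Finding]:
    """Return one finding per event that matches a report indicator."""
    findings: List[Finding] = []
    for ev in events:
        eid, kind = str(ev["id"]), ev["kind"]
        if kind == "network" and (ev["dst_ip"], ev["dst_port"]) == C2_ADDR:
            findings.append(("redline_c2_kira", eid))
        elif kind == "file":
            digest = str(ev["sha256"]).lower()
            if digest == SUBMITTED_SHA256 or digest in DROPPED_SHA256:
                findings.append(("redline_known_hash", eid))
        elif kind == "process" and IEXPRESS_STAGE.search(str(ev["image"])):
            findings.append(("iexpress_stage_exec", eid))
        elif kind == "registry":
            if RUN_KEY.search(str(ev["key"])) and USER_TEMP.search(str(ev["data"])):
                findings.append(("T1547.001_run_key_to_temp", eid))
    return findings


def process_chain(events: List[Event], pid: int) -> List[str]:
    """Walk parent links from pid upward; return stage file names root-first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["kind"] == "process"}
    chain: List[str] = []
    while pid in by_pid and len(chain) < 64:       # guard against ppid cycles
        chain.append(str(by_pid[pid]["image"]).rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe"
STAGE1 = TEMP + r"\IXP000.TMP\x1185734.exe"
STAGE2 = TEMP + r"\IXP001.TMP\f0011085.exe"

# Constructed telemetry: PIDs and paths follow the report's process tree; the
# Run-key data, the C2 connection and the two benign events (e7, e8) are made
# up to exercise the rules (the report's Network section recorded nothing).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "kind": "process", "pid": 920, "ppid": 4, "image": SAMPLE_EXE},
    {"id": "e2", "kind": "registry", "pid": 920,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": STAGE1},
    {"id": "e3", "kind": "file", "pid": 920, "path": STAGE1,
     "sha256": "f5e9db4e25450c63ea89cf56c3bb7e2d9e2f7f70a2d7ef01f9070c9c9e7ea3fe"},
    {"id": "e4", "kind": "process", "pid": 900, "ppid": 920, "image": STAGE1},
    {"id": "e5", "kind": "process", "pid": 3960, "ppid": 900, "image": STAGE2},
    {"id": "e6", "kind": "network", "pid": 3960, "dst_ip": "77.91.68.48", "dst_port": 19071},
    {"id": "e7", "kind": "network", "pid": 1200, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": "e8", "kind": "registry", "pid": 1300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for label, eid in scan(SAMPLE_EVENTS):
        print(f"{eid}: {label}")
    print(" -> ".join(process_chain(SAMPLE_EVENTS, 3960)))
```

Running it on the constructed events flags the Run key (e2), the dropped stage by hash (e3), both IExpress stages by path (e4, e5) and the C2 connection (e6), while the benign TLS connection and the vendor updater's Run value pass; the chain printed for PID 3960 is the sample, then x1185734.exe, then f0011085.exe. The hash and C2 rules are exact and will only ever catch this build; the IXP<nnn>.TMP and Run-key-to-Temp rules are the ones that carry over to the next repack, at the cost of needing a review for legitimate IExpress installers.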