Overview
overview
10Static
static
30033b9ed1c...40.exe
windows7-x64
30033b9ed1c...40.exe
windows10-2004-x64
101277233607...ba.exe
windows10-2004-x64
10138ff2ce9b...de.exe
windows10-2004-x64
73a88637efb...d4.exe
windows10-2004-x64
85a4570005d...a4.exe
windows7-x64
35a4570005d...a4.exe
windows10-2004-x64
106ade7154c7...fb.exe
windows7-x64
36ade7154c7...fb.exe
windows10-2004-x64
108167afa496...61.exe
windows7-x64
38167afa496...61.exe
windows10-2004-x64
1086a6beb680...62.exe
windows10-2004-x64
108bd2da3bdd...7e.exe
windows10-2004-x64
109b9cb00d14...04.exe
windows10-2004-x64
109e375a6be4...d0.exe
windows7-x64
39e375a6be4...d0.exe
windows10-2004-x64
10a228d77265...ea.exe
windows7-x64
3a228d77265...ea.exe
windows10-2004-x64
10b565c9e6f0...8a.exe
windows7-x64
3b565c9e6f0...8a.exe
windows10-2004-x64
10dffc83be30...0a.exe
windows10-2004-x64
10ebff69daab...05.exe
windows10-2004-x64
10ee1d385890...f3.exe
windows7-x64
3ee1d385890...f3.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 15:42
Static task
static1
Behavioral task
behavioral1
Sample
0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0033b9ed1c09bad0795150029eeb32a7620ee7b6768eb42c36c9ecdece2dd440.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
3a88637efb4cafae6238b6c3dc5b6b17b7a535e47a3f6a230dcc5cf428db3ad4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
Resource
win7-20231129-en
Behavioral task
behavioral7
Sample
5a4570005d13d7c9c706dbdc0cc5ee5b8dfd33f7be6a6204a95d2134e3a483a4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
6ade7154c76ec8ac19448403d594b3b6aaaaa14c5a193f4f31694ff3643d45fb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe
Resource
win7-20240508-en
Behavioral task
behavioral11
Sample
8167afa4960bf7ec3e9ccea8204567bf3c18d20b72fe034ca2fe482d19f96f61.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
86a6beb6802f9ec2aa387143ba41461fb82783226223ba68b44e49b21c8d3d62.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
9e375a6be43c6fb35a506cdbbab7a9291cd783ccc69adf51e1cf73f8e1c949d0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
a228d772653c687276cdf5b1bc02ef2c37eb367c1d2dbdef0e221c3b16ce87ea.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
b565c9e6f0f8b9856b032a9a41f04204d306f060af94e74bea3cfb296522818a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
ee1d3858900f809c3008350e86070aa4ffffa399e13f538b41006cf42f5648f3.exe
Resource
win10v2004-20240226-en
General
-
Target
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe
-
Size
307KB
-
MD5
7ca7c1a1e3520b42ee24d3b82c215022
-
SHA1
1b2394ce0934a55e09f29874d70a41f80943608b
-
SHA256
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba
-
SHA512
0e115f5b0af7d7dbced850c883ef63fcac7bf4cef8d7897c9dce247ff0220e2c3273a0ce57ee426487276fdc85ac6198f83d7123576320ca4083ab5ad85c5feb
-
SSDEEP
6144:K+y+bnr+Hp0yN90QEqUHh4HZn7Erx2br2JpeFfX0vCk0uqo:SMrny90TH0gsbrOAfk6kFL
Malware Config
Extracted
redline
darm
217.196.96.56:4138
-
auth_value
d88ac8ccc04ab9979b04b46313db1648
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral3/files/0x00090000000233f9-5.dat family_redline behavioral3/memory/4580-8-0x0000000000CB0000-0x0000000000CE0000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
Processes:
k9045512.exepid Process 4580 k9045512.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exedescription pid Process procid_target PID 920 wrote to memory of 4580 920 127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe 83 PID 920 wrote to memory of 4580 920 127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe 83 PID 920 wrote to memory of 4580 920 127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe"C:\Users\Admin\AppData\Local\Temp\127723360773375a1005cb7ffdbb02b75f03e7f7a488e47fc79f18439c3371ba.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9045512.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9045512.exe2⤵
- Executes dropped EXE
PID:4580
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD5df2e676c830f164d9f214c8959e674a5
SHA1590743303ba64d989b5e8dc0a4779b87c2a05be7
SHA256d2c29095234fb20d37c2763193d3b21ca708f11ec501db6c6c52b797752e9dc1
SHA512e743b3683816475376d1e985120d96ba3b82497389cc2eef156583de8f83fdd31d0fa9712ca69a2e2ec35fa32fb240f78206d311fcfaf55000976b318155bfd0