Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 05:30

General

  • Target

    399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe

  • Size

    307KB

  • MD5

    c707329775778d23ea0f4097ce097a59

  • SHA1

    009a8997852eea8bf1449167afae6c7842714a19

  • SHA256

    399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c

  • SHA512

    9a4bd7e678a323297ad3c88fd15d1c7fae422e6f813816deb0261953906049b37251d94f1891c7b2c75133450950a9cde135136c886cb1befb010c7f36ab2f7d

  • SSDEEP

    6144:KUy+bnr+ip0yN90QEcx5QofdhZQ1Gr6VLNGiWH+2ZYXBAT:UMr6y90I5QmXO11TWHSXc

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe
    "C:\Users\Admin\AppData\Local\Temp\399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe
      2⤵
      • Executes dropped EXE
      PID:904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe

    Filesize

    168KB

    MD5

    48e8f07bc78b1abf25051d2f82dcc14d

    SHA1

    2fbaf147ac7c7de708eabe78bada2c29d4c27750

    SHA256

    7f75fab1bafdb41c15bf4239b9f1a608858046a198d8d821e3dbe4113d667254

    SHA512

    398797aa4561e044991873b05fb434187f77c06113cbe94e6e409ec41fbb83324f218f117dbd89992cd2ee3998012439c22048f06b3eac06584af543a02a3d55

  • memory/904-7-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

    Filesize

    4KB

  • memory/904-8-0x00000000004D0000-0x0000000000500000-memory.dmp

    Filesize

    192KB

  • memory/904-9-0x00000000027C0000-0x00000000027C6000-memory.dmp

    Filesize

    24KB

  • memory/904-10-0x0000000005500000-0x0000000005B18000-memory.dmp

    Filesize

    6.1MB

  • memory/904-11-0x0000000004FF0000-0x00000000050FA000-memory.dmp

    Filesize

    1.0MB

  • memory/904-12-0x0000000004D40000-0x0000000004D52000-memory.dmp

    Filesize

    72KB

  • memory/904-13-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

    Filesize

    240KB

  • memory/904-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

    Filesize

    7.7MB

  • memory/904-15-0x0000000004F20000-0x0000000004F6C000-memory.dmp

    Filesize

    304KB

  • memory/904-16-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

    Filesize

    4KB

  • memory/904-17-0x0000000074A10000-0x00000000751C0000-memory.dmp

    Filesize

    7.7MB