Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 09:13

General

  • Target

    399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe

  • Size

    307KB

  • MD5

    c707329775778d23ea0f4097ce097a59

  • SHA1

    009a8997852eea8bf1449167afae6c7842714a19

  • SHA256

    399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c

  • SHA512

    9a4bd7e678a323297ad3c88fd15d1c7fae422e6f813816deb0261953906049b37251d94f1891c7b2c75133450950a9cde135136c886cb1befb010c7f36ab2f7d

  • SSDEEP

    6144:KUy+bnr+ip0yN90QEcx5QofdhZQ1Gr6VLNGiWH+2ZYXBAT:UMr6y90I5QmXO11TWHSXc

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe
    "C:\Users\Admin\AppData\Local\Temp\399f6dfec39b77c21a8b31e45c5c8fb863a8b28a73a4923ff7543886ebfa0c0c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe
      2⤵
      • Executes dropped EXE
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8139850.exe

    Filesize

    168KB

    MD5

    48e8f07bc78b1abf25051d2f82dcc14d

    SHA1

    2fbaf147ac7c7de708eabe78bada2c29d4c27750

    SHA256

    7f75fab1bafdb41c15bf4239b9f1a608858046a198d8d821e3dbe4113d667254

    SHA512

    398797aa4561e044991873b05fb434187f77c06113cbe94e6e409ec41fbb83324f218f117dbd89992cd2ee3998012439c22048f06b3eac06584af543a02a3d55

  • memory/2612-7-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

  • memory/2612-8-0x0000000000280000-0x00000000002B0000-memory.dmp

    Filesize

    192KB

  • memory/2612-9-0x0000000004A60000-0x0000000004A66000-memory.dmp

    Filesize

    24KB

  • memory/2612-10-0x000000000A590000-0x000000000ABA8000-memory.dmp

    Filesize

    6.1MB

  • memory/2612-11-0x000000000A0F0000-0x000000000A1FA000-memory.dmp

    Filesize

    1.0MB

  • memory/2612-12-0x000000000A020000-0x000000000A032000-memory.dmp

    Filesize

    72KB

  • memory/2612-13-0x000000000A080000-0x000000000A0BC000-memory.dmp

    Filesize

    240KB

  • memory/2612-14-0x0000000074480000-0x0000000074C30000-memory.dmp

    Filesize

    7.7MB

  • memory/2612-15-0x0000000004510000-0x000000000455C000-memory.dmp

    Filesize

    304KB

  • memory/2612-16-0x000000007448E000-0x000000007448F000-memory.dmp

    Filesize

    4KB

  • memory/2612-17-0x0000000074480000-0x0000000074C30000-memory.dmp

    Filesize

    7.7MB