Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 00:21
Static task: static1
Behavioral task: behavioral1
Sample: 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe
Resource: win10v2004-20240508-en
General
Target: 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe
Size: 507KB
MD5: 7162ec3a578b9f26be3d3cb8254d802c
SHA1: 27ead8d8d80fb52ce4cf47af3fcb26738b57b976
SHA256: 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75
SHA512: 3b1b0fcbfcd1160b3356c8e3e67847e6b3a091745984ef5933f7b38bd554f58e63583ac7694aa6ca6fe2490029c53e4c3ad6e8ab5ea7a98df64d5b5daec82ee4
SSDEEP: 12288:FlIy900UbnirQrWWuu0byZ0lqdXpUVW28:oy0zh0WrqUd
Malware Config
Extracted
Family: redline
Botnet: drake
C2: 83.97.73.131:19071
auth_value: 74ce6ffe4025a2e4027fb727915e7d7c
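The extracted C2 socket is the one indicator from this report that is directly usable on the network side. The following is an added example, not part of the sandbox report: it turns the extracted C2 (83.97.73.131:19071) into a Suricata rule and runs the same match over a few Zeek conn.log records. The log lines, the internal hosts in them and the Suricata sid are constructed for illustration.

```python
"""
Network detection for the RedLine C2 socket extracted above.

Added example, not part of the sandbox report. C2_HOST, C2_PORT, BOTNET and
SAMPLE_MD5 come from the report; SAMPLE_CONN_LOG and the sid are constructed.
"""
from dataclasses import dataclass

C2_HOST = "83.97.73.131"   # from the extracted config
C2_PORT = 19071            # from the extracted config
BOTNET = "drake"           # from the extracted config
SAMPLE_MD5 = "7162ec3a578b9f26be3d3cb8254d802c"

# Constructed Zeek conn.log excerpt (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = (
    "1716423660.101\tCx1\t10.0.0.12\t49812\t83.97.73.131\t19071\ttcp\t-\n"
    "1716423661.442\tCx2\t10.0.0.12\t49813\t13.107.4.50\t443\ttcp\tssl\n"
    "1716423662.003\tCx3\t10.0.0.15\t51010\t83.97.73.131\t443\ttcp\tssl\n"
    "1716423663.770\tCx4\t10.0.0.12\t49814\t83.97.73.131\t19071\ttcp\t-\n"
)


@dataclass(frozen=True)
class Conn:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


@dataclass(frozen=True)
class Hit:
    uid: str
    orig_h: str
    reason: str


def parse_conn_log(text):
    """Parse the eight-column excerpt above into Conn records; skips blank and comment lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"short conn.log line: {line!r}")
        conns.append(Conn(uid=f[1], orig_h=f[2], resp_h=f[4], resp_p=int(f[5]), proto=f[6]))
    return conns


def match_c2(conns, host=C2_HOST, port=C2_PORT):
    """Flag TCP connections to the C2 socket, and (weaker signal) any TCP connection to the C2 host."""
    hits = []
    for c in conns:
        if c.resp_h != host or c.proto != "tcp":
            continue
        reason = "exact C2 socket" if c.resp_p == port else "C2 host, different port"
        hits.append(Hit(uid=c.uid, orig_h=c.orig_h, reason=reason))
    return hits


def suricata_rule(host=C2_HOST, port=C2_PORT, sid=1000001):
    """Suricata-style rule for the C2 socket. sid is a constructed local-range number."""
    return (
        f"alert tcp $HOME_NET any -> {host} {port} "
        f'(msg:"RedLine Stealer C2 ({BOTNET}) connection"; flow:to_server; '
        f"reference:md5,{SAMPLE_MD5}; classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def infected_hosts(conns):
    """Internal hosts that reached the exact C2 socket, for scoping the incident."""
    return sorted({h.orig_h for h in match_c2(conns) if h.reason == "exact C2 socket"})


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for h in match_c2(recs):
        print(h)
    print("hosts to scope:", infected_hosts(recs))
    print(suricata_rule())
```

The host-only match is kept deliberately weaker than the socket match: RedLine operators rotate ports on the same server, so a connection to the C2 host on another port is worth a look but is not on its own proof of infection.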
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
resource: behavioral1/memory/2872-15-0x0000000000750000-0x0000000000780000-memory.dmp
yara_rule: family_redline

Detects executables packed with ConfuserEx Mod (1 IoC)
resource: behavioral1/memory/2872-15-0x0000000000750000-0x0000000000780000-memory.dmp
yara_rule: INDICATOR_EXE_Packed_ConfuserEx

Both rules hit the same 192KB region of PID 2872 (f5185052.exe) at 0x750000-0x780000, which lies outside that process's own image mapping at 0x400000-0x550000 (1.3MB, the size of the dropped file). The ConfuserEx-packed dropper therefore unpacked the RedLine payload into a fresh allocation in its own process; no write into a foreign process is recorded in this run.
Executes dropped EXE (2 IoCs)
PID 5100: x1250032.exe
PID 2872: f5185052.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x1250032.exe)
Caveat: both values are the cleanup hooks that wextract.exe, the IExpress self-extractor, registers so that its IXP%03d.TMP extraction directory is removed by advpack.dll's DelNodeRunDLL32 at the next logon if it is still present (the writer is 32-bit, hence the WOW6432Node redirection). They do not launch the payload and are not persistence of RedLine. What they do reveal is the wrapper structure: the sample is an SFX that extracts x1250032.exe into IXP000.TMP, and x1250032.exe is itself an SFX that extracts f5185052.exe into IXP001.TMP.
Suspicious use of WriteProcessMemory (6 IoCs)
PID 600 (8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe) wrote to memory of PID 5100 (x1250032.exe): 3 events
PID 5100 (x1250032.exe) wrote to memory of PID 2872 (f5185052.exe): 3 events
Each parent writes only into the child it has just spawned, which is consistent with ordinary child-process creation rather than injection into an unrelated process; no write to any other process is recorded.
Processes
C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe (PID 600), command line: "C:\Users\Admin\AppData\Local\Temp\8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe (PID 5100, child of 600), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe (PID 2872, child of 5100), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe
    - Executes dropped EXE
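The WriteProcessMemory rows, the RunOnce writes and the process tree above describe one unwrapping procedure. The following is an added example, not part of the sandbox report: it rebuilds the spawn chain from the WriteProcessMemory rows, separates wextract.exe's IXP%03d.TMP cleanup RunOnce values from genuine autostart persistence, and counts how many SFX layers were unwrapped. WPM_EVENTS and the first two REG_EVENTS entries are transcribed from this report; the third REG_EVENTS entry (a Run value under a made-up user SID) is a constructed counter-example of what real persistence would look like.

```python
"""
Triage of the process tree and RunOnce writes recorded above.

Added example, not part of the sandbox report. WPM_EVENTS and the first two
REG_EVENTS rows are transcribed from the report; the third REG_EVENTS row is
constructed to show how a real persistence write is told apart.
"""
import re
from collections import defaultdict

SAMPLE = "8fa971565e0c5fad5da7cb03f8ff64a010508e51ac86fb6443b94e40b8601d75.exe"

# (parent_pid, parent_image, child_pid, child_image), one row per WriteProcessMemory IoC
WPM_EVENTS = [
    (600, SAMPLE, 5100, "x1250032.exe"),
    (600, SAMPLE, 5100, "x1250032.exe"),
    (600, SAMPLE, 5100, "x1250032.exe"),
    (5100, "x1250032.exe", 2872, "f5185052.exe"),
    (5100, "x1250032.exe", 2872, "f5185052.exe"),
    (5100, "x1250032.exe", 2872, "f5185052.exe"),
]

RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
# (key, value name, data, writing process)
REG_EVENTS = [
    (RUNONCE, "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     SAMPLE),
    (RUNONCE, "wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "x1250032.exe"),
    # Constructed counter-example (not observed in this run): a genuine autostart entry
    (r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r'"C:\Users\Admin\AppData\Roaming\svc.exe"', "f5185052.exe"),
]

# wextract.exe's cleanup hook: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>"
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\[^,]*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$',
    re.IGNORECASE,
)
IXP_DIR = re.compile(r"\\IXP(?P<n>\d{3})\.TMP\\?$", re.IGNORECASE)


def spawn_chain(events):
    """Collapse duplicate WPM rows into unique parent->child edges and walk down from the root."""
    images, parent_of, children = {}, {}, defaultdict(list)
    for ppid, pimg, cpid, cimg in events:
        images[ppid], images[cpid] = pimg, cimg
        if cpid not in parent_of:
            parent_of[cpid] = ppid
            children[ppid].append(cpid)
    roots = [pid for pid in images if pid not in parent_of]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, images[pid]))
        kids = children.get(pid, [])
        if len(kids) > 1:
            raise ValueError(f"pid {pid} has several children; not a linear chain")
        pid = kids[0] if kids else None
    return chain


def classify_autostart(reg_events):
    """Label each Run/RunOnce write: wextract SFX cleanup (self-deleting, benign) or persistence."""
    verdicts = []
    for key, name, data, proc in reg_events:
        m = WEXTRACT_CLEANUP.match(data)
        if m and name.lower().startswith("wextract_cleanup") and key.upper().endswith("\\RUNONCE"):
            d = IXP_DIR.search(m.group("dir"))
            verdicts.append({"value": name, "process": proc, "verdict": "wextract-sfx-cleanup",
                             "ixp_index": int(d.group("n")) if d else None})
        else:
            verdicts.append({"value": name, "process": proc, "verdict": "persistence",
                             "ixp_index": None})
    return verdicts


def sfx_layers(reg_events):
    """Number of distinct IXP%03d.TMP extraction directories, i.e. SFX layers unwrapped."""
    return len({v["ixp_index"] for v in classify_autostart(reg_events) if v["ixp_index"] is not None})


if __name__ == "__main__":
    for depth, (pid, img) in enumerate(spawn_chain(WPM_EVENTS)):
        print("  " * depth + f"{img} (PID {pid})")
    for v in classify_autostart(REG_EVENTS):
        print(v)
    print("SFX layers unwrapped:", sfx_layers(REG_EVENTS))
```

Run against this report the chain comes out as 600 -> 5100 -> 2872, both recorded RunOnce values classify as wextract cleanup with IXP indices 0 and 1 (two SFX layers), and only the constructed Run value is flagged as persistence. The regex deliberately requires the advpack.dll DelNodeRunDLL32 form with a quoted directory, so a RunOnce value that merely mentions rundll32 is still reported as persistence.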
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1250032.exe
Filesize: 436KB
MD5: 57e96ebc3cc98f77feacc020065c546e
SHA1: 05a6a299c4030ae6d09602b2e3ff1f49ac4f6867
SHA256: 8161b65c2497f2ed46c15884e5b06c2d87513294c4a1602a9a582aa16cf1f06f
SHA512: c0e87def74a40b6e4980282da47adb23319a338cc577f6e1428a87079b5a88a254c58c2e32039505b12482002fb263a46506a65115a7b3a3e83656177522e084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5185052.exe
Filesize: 1.3MB
MD5: cc785bb007bed97870e64d2452e67592
SHA1: c6f53caa6f87f72acca4c17bfd66e84610d3458b
SHA256: ccdde049dae409075c3b116cbcc7277c1bd155b979b91e64491ab2cb616490e4
SHA512: 1c69f6ff73c52cae6713d4eaf1e8818f8bc3eff6de3b0ed3aa539d64518efae26978b75139043e5212bb86a08eaa400882aa1f09d38589e53714e72a63ad2c6b

Memory dumps (PID 2872, f5185052.exe)
memory/2872-14-0x0000000000401000-0x0000000000403000-memory.dmp: 8KB
memory/2872-15-0x0000000000750000-0x0000000000780000-memory.dmp: 192KB
memory/2872-19-0x0000000000400000-0x0000000000550000-memory.dmp: 1.3MB
memory/2872-20-0x0000000002610000-0x0000000002616000-memory.dmp: 24KB
memory/2872-21-0x0000000004C10000-0x0000000005228000-memory.dmp: 6.1MB
memory/2872-22-0x0000000005230000-0x000000000533A000-memory.dmp: 1.0MB
memory/2872-23-0x0000000004BE0000-0x0000000004BF2000-memory.dmp: 72KB
memory/2872-24-0x0000000005340000-0x000000000537C000-memory.dmp: 240KB
memory/2872-25-0x00000000053E0000-0x000000000542C000-memory.dmp: 304KB