Overview
overview
10Static
static
302fdf4c910...66.exe
windows10-2004-x64
100be251d0ab...8e.exe
windows10-2004-x64
100e80ad3a8f...f6.exe
windows10-2004-x64
1016688c383c...d0.exe
windows10-2004-x64
102fad2d07bb...73.exe
windows10-2004-x64
102fe920abb6...a6.exe
windows10-2004-x64
1048143dd10c...4c.exe
windows10-2004-x64
104b7ea12db6...e4.exe
windows10-2004-x64
1052365e9025...44.exe
windows10-2004-x64
10695cd347d1...6a.exe
windows10-2004-x64
1087139651e5...22.exe
windows10-2004-x64
109e061347f6...86.exe
windows10-2004-x64
109ec41d0e12...a4.exe
windows10-2004-x64
10a68d0534de...a7.exe
windows10-2004-x64
10b480c9cd31...f3.exe
windows10-2004-x64
10cf449b541f...5e.exe
windows10-2004-x64
10d8a34be272...bd.exe
windows10-2004-x64
7e303858850...2c.exe
windows10-2004-x64
10feb3084f5c...99.exe
windows10-2004-x64
10ff0593e795...5f.exe
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
02fdf4c9103ebcca7b26adc9161a504fa42c4a825a66d1c39221891576c0f866.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0be251d0ab9bbcdf4e410ed6872fcb32d854da896cf79b561b30639bf6d7c48e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
16688c383c392aa6325c78d89165cf92d6a9aa6243e19fe6c19d73fb522546d0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2fe920abb67663cc154599076d351357cc5282ac2505d5c20990fb89b97853a6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9e061347f64310d6e4bee03e70c36999f9e81fbcbba43f870f821e4fff10c686.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cf449b541feb04da499c8d4ae8b93d871fe5c6772403b253da370ea358d20b5e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
d8a34be272e0dbfba0df5744bafa235f27121e065c13cb3620946ea7d15898bd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
e3038588509eb9920f189d128da3a43d650c5a72fc8ad856641f6777809f702c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
ff0593e795d855d33fe8872b94c0354d60cb3bf24a1af92da6667c6aec50325f.exe
Resource
win10v2004-20240508-en
General
-
Target
2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe
-
Size
292KB
-
MD5
5c17238da1a32ccf60825ade1dca7b70
-
SHA1
6d3d94d248c47c5251d4bbbe600776740d926756
-
SHA256
2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73
-
SHA512
97425dd74aa55060d41ec35f7813e953ff1ef76ba7d6b40c17b830600dec8a4482d8618ac4b83e59c88d5b167469bfd345237707491e60908ee07d1f296b84f3
-
SSDEEP
6144:Kny+bnr+hp0yN90QECOurNn/ayrVD193aSZfshS8S2UvycIGxm:FMr9y90lit5R5xFpwSPRXm
Malware Config
Extracted
redline
buben
77.91.124.82:19071
-
auth_value
c62fa04aa45f5b78f62d2c21fcbefdec
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral5/files/0x0008000000023536-5.dat family_redline behavioral5/memory/4924-8-0x0000000000430000-0x0000000000460000-memory.dmp family_redline -
Executes dropped EXE 1 IoCs
pid Process 4924 h0077360.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1852 wrote to memory of 4924 1852 2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe 90 PID 1852 wrote to memory of 4924 1852 2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe 90 PID 1852 wrote to memory of 4924 1852 2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe"C:\Users\Admin\AppData\Local\Temp\2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exe2⤵
- Executes dropped EXE
PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:81⤵PID:2128
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD5dabc24871fc2b604c267f576ac7f6573
SHA179b6f74572a2391445b87d2f46cb0e37e48fee98
SHA256676c7c84004823ffa7b13696b8c66c2875d69a671291d23f37741ceff0c686aa
SHA5129372524e3fd699c446ac238c7999618474cdcb993a24dd93c4797c919dd5cf30c94e479323ede5394ebd2ab7d36dc9c550cd612c7d06c3e1b214cb419c6226c3