Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 20:03

Static task: static1
Behavioral task: behavioral1
Sample: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
Resource: win10v2004-20240426-en
General
- Target: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
- Size: 729KB
- MD5: 2cf2cb1c22aede8fd8a995f4f073ec71
- SHA1: ce921866530f90bd63359b379292233cf202d733
- SHA256: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a
- SHA512: d996fcab5b013c5cb9ffaba403d56c81bb2fdc57ae9ed43ccc2a7c95770b3eb173b014a8a693aa45e4e45c46e94c62b72c00b88f461a3e8a30422a1fc5ab8749
- SSDEEP: 12288:EzKy90JE0kP5xBRWOp4ATeD1uNaDMFrOszYl9tFbrYdCYBXA5XmvNt:FyG4mq6sFShrbr4bXGXe
Malware Config
Extracted
- redline
- furga
- 83.97.73.128:19071
- auth_value: 1b7af6db7a79a3475798fcf494818be7
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  Processes:
  - resource: behavioral1/memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp; yara_rule: family_redline
- Detects executables packed with ConfuserEx Mod (1 IoC)
  Processes:
  - resource: behavioral1/memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp; yara_rule: INDICATOR_EXE_Packed_ConfuserEx
- Executes dropped EXE (3 IoCs)
  Processes: x7814841.exe, x1815410.exe, f2420036.exe
  - pid: 1368; process: x7814841.exe
  - pid: 3216; process: x1815410.exe
  - pid: 4756; process: f2420036.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe, x7814841.exe, x1815410.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""; process: x7814841.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""; process: x1815410.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe, x7814841.exe, x1815410.exe
  - description: PID 3040 wrote to memory of 1368; pid: 3040; process: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe; target process: x7814841.exe
  - description: PID 3040 wrote to memory of 1368; pid: 3040; process: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe; target process: x7814841.exe
  - description: PID 3040 wrote to memory of 1368; pid: 3040; process: 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe; target process: x7814841.exe
  - description: PID 1368 wrote to memory of 3216; pid: 1368; process: x7814841.exe; target process: x1815410.exe
  - description: PID 1368 wrote to memory of 3216; pid: 1368; process: x7814841.exe; target process: x1815410.exe
  - description: PID 1368 wrote to memory of 3216; pid: 1368; process: x7814841.exe; target process: x1815410.exe
  - description: PID 3216 wrote to memory of 4756; pid: 3216; process: x1815410.exe; target process: f2420036.exe
  - description: PID 3216 wrote to memory of 4756; pid: 3216; process: x1815410.exe; target process: f2420036.exe
  - description: PID 3216 wrote to memory of 4756; pid: 3216; process: x1815410.exe; target process: f2420036.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
  Filesize: 465KB
  MD5: f369ea6da02f48a71994c53b1909dc05
  SHA1: 5219c73a3ce57f8d2cc84281e461c1df3164da9c
  SHA256: ba3f96313033ea7a6924a032d7eea1896f30ce31c55de72e80a3902cc40c87e4
  SHA512: cf57e8338bcc4a89101b8779c43a39ffbd9141b7a861ff9f13e6015cc3d40b8d441a72ec50ab8e43414648b2d49ade936cbe79e61b1a6443adbc00ca2e1bcd4b
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
  Filesize: 364KB
  MD5: 4e8679a98d26b0360b7f4ded4737d6cc
  SHA1: 0f3bd441a53e6e27e38ea7c09fad1e30e6615d1c
  SHA256: 3aa41a0b78da49282f1977e436f5884f3d079d250ab04837c0a25c0aa400d418
  SHA512: 584b742fcc528822f8eef15b626239c552ad9a28ce607476c02b0ade53cfe12b1548317a6fe1c7f38ae9744f3b292cb219538b2f3e9e53dee45ec0f8180776d0
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
  Filesize: 402KB
  MD5: 3a37f3253ff79ee63dfd80088f55b364
  SHA1: 17c1b58ca9d4ff4ff14c7e772d1983b97a8ca5f7
  SHA256: 8902a3af5c2df49f3163d1914f9e3b899aa835effa1860e01e2506ff622130b8
  SHA512: e70acc985fd4c6b15984664f9a01fd35f2706ee1036b182087932e9d8745ecb052dbba0bfbb326a2c3a9eb9894b6ee7151aecd6030ffd80fe903fafd2151ee2a
- memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp
  Filesize: 192KB
- memory/4756-25-0x0000000000401000-0x0000000000404000-memory.dmp
  Filesize: 12KB
- memory/4756-26-0x0000000002450000-0x0000000002456000-memory.dmp
  Filesize: 24KB
- memory/4756-27-0x0000000009E80000-0x000000000A498000-memory.dmp
  Filesize: 6.1MB
- memory/4756-28-0x000000000A520000-0x000000000A62A000-memory.dmp
  Filesize: 1.0MB
- memory/4756-29-0x000000000A660000-0x000000000A672000-memory.dmp
  Filesize: 72KB
- memory/4756-30-0x000000000A680000-0x000000000A6BC000-memory.dmp
  Filesize: 240KB
- memory/4756-31-0x00000000044B0000-0x00000000044FC000-memory.dmp
  Filesize: 304KB