Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 02:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
- Resource: win10v2004-20240508-en
General
- Target: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
- Size: 432KB
- MD5: 291cd1c945bc670579cb5c5005afb42e
- SHA1: 3e4ba20eed4b88d9efcfeb6bcdb53d8b91365f3d
- SHA256: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a
- SHA512: e34d895a06953a1fb2681884e045b5d4e2da3b41ea3f4ddbce63e0195f5d8ecf2d1c5606374b2172d7de7c19e4c55ffc3be4ca2dd71ac725e44d68b39d6596d2
- SSDEEP: 12288:AIVy90mtOPfwhZifxu2sb6HAAebxOEkjQf0dS:dydtocVbrkMcdS
Malware Config
Extracted:
- Family: redline
- Botnet: furod
- C2: 77.91.68.70:19073
- auth_value: d2386245fe11799b28b4521492a5879d
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
Processes:
- resource: behavioral1/memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp; yara_rule: family_redline
- resource: behavioral1/memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp; yara_rule: family_redline
Detects executables containing base64 encoded User Agent (1 IoC)
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe; yara_rule: INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Detects executables packed with ConfuserEx Mod (2 IoCs)
Processes:
- resource: behavioral1/memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp; yara_rule: INDICATOR_EXE_Packed_ConfuserEx
- resource: behavioral1/memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp; yara_rule: INDICATOR_EXE_Packed_ConfuserEx
Executes dropped EXE (2 IoCs)
Processes:
- pid: 1172; process: x1617216.exe
- pid: 232; process: f7259437.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""; process: x1617216.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- description: PID 3236 wrote to memory of 1172; pid: 3236; process: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe; target process: x1617216.exe
- description: PID 3236 wrote to memory of 1172; pid: 3236; process: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe; target process: x1617216.exe
- description: PID 3236 wrote to memory of 1172; pid: 3236; process: c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe; target process: x1617216.exe
- description: PID 1172 wrote to memory of 232; pid: 1172; process: x1617216.exe; target process: f7259437.exe
- description: PID 1172 wrote to memory of 232; pid: 1172; process: x1617216.exe; target process: f7259437.exe
- description: PID 1172 wrote to memory of 232; pid: 1172; process: x1617216.exe; target process: f7259437.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
  Filesize: 331KB
  MD5: aefe3f42678abad1fa1256e19a01caff
  SHA1: ff8f27b0ed77feee297c76aa3eb062f54d7e9019
  SHA256: 7d6756d4ac517d35a7af2e6ee93f8f8bd58c6852d9990f0370e0c69f779b987e
  SHA512: a108e07cd94bb3b8bea15134c2c45067af7c052b43888e5154600df2a2ac6e732ad5a1bab7924547578689912b7e9e7651e2857611d4a2637276cd03fc971da7
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
  Filesize: 257KB
  MD5: fc27b8de9c73a2246b023fb7dd7d16e4
  SHA1: 1bcdd4f64662a3b6670590909c3b23579278a83b
  SHA256: 3814c9dc0ad38975d27fd606f908ee5be25a5a577c0aa4f3779b4688d41f8f01
  SHA512: c1a6bf04e6117b4694336f965b82286b57f14943d01ecedacca7b89be0ae5e3626c07cf4bd529f79e50556716e66a442e1a3d19850e85b098c518c0b2e4dd713
- memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp
  Filesize: 192KB
- memory/232-18-0x0000000000401000-0x0000000000403000-memory.dmp
  Filesize: 8KB
- memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB
- memory/232-20-0x0000000004AB0000-0x0000000004AB6000-memory.dmp
  Filesize: 24KB
- memory/232-21-0x000000000A720000-0x000000000AD38000-memory.dmp
  Filesize: 6.1MB
- memory/232-22-0x000000000A170000-0x000000000A27A000-memory.dmp
  Filesize: 1.0MB
- memory/232-23-0x000000000A2B0000-0x000000000A2C2000-memory.dmp
  Filesize: 72KB
- memory/232-24-0x000000000A2D0000-0x000000000A30C000-memory.dmp
  Filesize: 240KB
- memory/232-25-0x0000000004550000-0x000000000459C000-memory.dmp
  Filesize: 304KB