Overview
overview
10Static
static
101/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
101/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
101/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
101/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
51/5297372f...33.exe
windows10-2004-x64
51/68292f38...e4.exe
windows7-x64
31/68292f38...e4.exe
windows10-2004-x64
101/6da4696b...e5.exe
windows7-x64
71/6da4696b...e5.exe
windows10-2004-x64
7Resubmissions
11-12-2024 15:32
241211-sy44nssrdm 1009-08-2024 21:57
240809-1t1vfs1cpm 1006-08-2024 13:01
240806-p9f97szdlm 1006-08-2024 12:52
240806-p3672stdkg 1006-08-2024 12:29
240806-ppa8fsygqr 1006-08-2024 12:26
240806-pmc92ashlh 10Analysis
-
max time kernel
44s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2024 13:01
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win10v2004-20240802-en
General
-
Target
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
-
Size
765KB
-
MD5
a8e583583122cff4ea57a3062bb4aa3f
-
SHA1
b4a4bee8dbc966624f43273a500aa0ec1bbf1790
-
SHA256
68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
-
SHA512
3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
-
SSDEEP
12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
Malware Config
Extracted
redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi
https://steamcommunity.com/profiles/76561199038841443
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral30/memory/3416-1-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2572 set thread context of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3416 RegAsm.exe 3416 RegAsm.exe 3416 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3416 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85 PID 2572 wrote to memory of 3416 2572 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe"C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
Network
-
Remote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /+7Lir0e4Gw381MDhi HTTP/1.1
Host: t.me
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 06 Aug 2024 13:02:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12295
Connection: keep-alive
Set-Cookie: stel_ssid=13162378fa53059398_8772064884229858042; expires=Wed, 07 Aug 2024 13:02:41 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address:149.154.167.99:443RequestGET /+7Lir0e4Gw381MDhi HTTP/1.1
Host: t.me
ResponseHTTP/1.1 200 OK
Date: Tue, 06 Aug 2024 13:03:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12295
Connection: keep-alive
Set-Cookie: stel_ssid=f3eff5673544eab11d_6759829725676441982; expires=Wed, 07 Aug 2024 13:03:02 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address:149.154.167.99:443RequestGET /+7Lir0e4Gw381MDhi HTTP/1.1
Host: t.me
ResponseHTTP/1.1 200 OK
Date: Tue, 06 Aug 2024 13:03:23 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12296
Connection: keep-alive
Set-Cookie: stel_ssid=521c6f8010caafa88c_7127241095845861833; expires=Wed, 07 Aug 2024 13:03:23 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request99.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestaw.bulgod.topIN AResponseaw.bulgod.topIN A157.90.30.125
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
1.9kB 46.0kB 29 42
HTTP Request
GET https://t.me/+7Lir0e4Gw381MDhiHTTP Response
200HTTP Request
GET https://t.me/+7Lir0e4Gw381MDhiHTTP Response
200HTTP Request
GET https://t.me/+7Lir0e4Gw381MDhiHTTP Response
200 -
260 B 5
-
260 B 5
-
260 B 5
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
73 B 166 B 1 1
DNS Request
99.167.154.149.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
aw.bulgod.top
DNS Response
157.90.30.125
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa