Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    44s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-08-2024 13:01

General

  • Target

    1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe

  • Size

    765KB

  • MD5

    a8e583583122cff4ea57a3062bb4aa3f

  • SHA1

    b4a4bee8dbc966624f43273a500aa0ec1bbf1790

  • SHA256

    68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4

  • SHA512

    3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91

  • SSDEEP

    12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE

Malware Config

Extracted

Family

redline

Botnet

6951125327

C2

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
    "C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3416

Network

  • flag-us
    DNS
    t.me
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/+7Lir0e4Gw381MDhi
    RegAsm.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /+7Lir0e4Gw381MDhi HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 13:02:41 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12295
    Connection: keep-alive
    Set-Cookie: stel_ssid=13162378fa53059398_8772064884229858042; expires=Wed, 07 Aug 2024 13:02:41 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-nl
    GET
    https://t.me/+7Lir0e4Gw381MDhi
    RegAsm.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /+7Lir0e4Gw381MDhi HTTP/1.1
    Host: t.me
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 13:03:02 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12295
    Connection: keep-alive
    Set-Cookie: stel_ssid=f3eff5673544eab11d_6759829725676441982; expires=Wed, 07 Aug 2024 13:03:02 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-nl
    GET
    https://t.me/+7Lir0e4Gw381MDhi
    RegAsm.exe
    Remote address:
    149.154.167.99:443
    Request
    GET /+7Lir0e4Gw381MDhi HTTP/1.1
    Host: t.me
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 06 Aug 2024 13:03:23 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12296
    Connection: keep-alive
    Set-Cookie: stel_ssid=521c6f8010caafa88c_7127241095845861833; expires=Wed, 07 Aug 2024 13:03:23 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    aw.bulgod.top
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    aw.bulgod.top
    IN A
    Response
    aw.bulgod.top
    IN A
    157.90.30.125
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • 149.154.167.99:443
    https://t.me/+7Lir0e4Gw381MDhi
    tls, http
    RegAsm.exe
    1.9kB
    46.0kB
    29
    42

    HTTP Request

    GET https://t.me/+7Lir0e4Gw381MDhi

    HTTP Response

    200

    HTTP Request

    GET https://t.me/+7Lir0e4Gw381MDhi

    HTTP Response

    200

    HTTP Request

    GET https://t.me/+7Lir0e4Gw381MDhi

    HTTP Response

    200
  • 157.90.30.125:443
    aw.bulgod.top
    RegAsm.exe
    260 B
    5
  • 157.90.30.125:443
    aw.bulgod.top
    RegAsm.exe
    260 B
    5
  • 157.90.30.125:443
    aw.bulgod.top
    RegAsm.exe
    260 B
    5
  • 8.8.8.8:53
    t.me
    dns
    RegAsm.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    aw.bulgod.top
    dns
    RegAsm.exe
    59 B
    75 B
    1
    1

    DNS Request

    aw.bulgod.top

    DNS Response

    157.90.30.125

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2572-0-0x0000000002B10000-0x0000000002B11000-memory.dmp (Filesize 4KB)
  • memory/3416-1-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize 136KB)
  • memory/3416-2-0x000000007472E000-0x000000007472F000-memory.dmp (Filesize 4KB)
  • memory/3416-3-0x0000000005820000-0x0000000005886000-memory.dmp (Filesize 408KB)
  • memory/3416-4-0x00000000062F0000-0x0000000006908000-memory.dmp (Filesize 6.1MB)
  • memory/3416-5-0x0000000005D60000-0x0000000005D72000-memory.dmp (Filesize 72KB)
  • memory/3416-6-0x0000000005E90000-0x0000000005F9A000-memory.dmp (Filesize 1.0MB)
  • memory/3416-7-0x0000000074720000-0x0000000074ED0000-memory.dmp (Filesize 7.7MB)
  • memory/3416-8-0x0000000006C90000-0x0000000006CCC000-memory.dmp (Filesize 240KB)
  • memory/3416-9-0x0000000006CD0000-0x0000000006D1C000-memory.dmp (Filesize 304KB)
  • memory/3416-10-0x000000007472E000-0x000000007472F000-memory.dmp (Filesize 4KB)
  • memory/3416-11-0x0000000074720000-0x0000000074ED0000-memory.dmp (Filesize 7.7MB)
