Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/11/2024, 23:15

Static task: static1
Behavioral task: behavioral1
- Sample: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
- Resource: win10v2004-20241007-en
General
- Target: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
- Size: 739KB
- MD5: bdbd596f02b47e9394b855d2935bd5ba
- SHA1: 1bd0c1bc5ab11af4507af0a7aed38abaad23ebdb
- SHA256: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89
- SHA512: 8e8cbd851e5ab39008b770a5278a848805f71891f5df792137741a147a2a0c804bb8a8e79f828ced7fa2f2af12ed83b1dd1ce5c639cc8c71d14f1340079186cf
- SSDEEP: 12288:aMrTy90krEKWY2/cdQ1lBN5fTu6EUnAhg0QUmvYvIhsi:5yuBzcUP5fTu6EuwgLvcIV
Malware Config
Extracted
- family: redline
- botnet: ruma
- C2: 193.233.20.13:4136
- auth_value: 647d00dfaba082a4a30f383bca5d1a2a
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource / yara_rule:
- behavioral1/memory/4824-22-0x0000000004D10000-0x0000000004D56000-memory.dmp family_redline
- behavioral1/memory/4824-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp family_redline
- behavioral1/memory/4824-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-69-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline
- behavioral1/memory/4824-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp family_redline

Redline family
Executes dropped EXE (3 IoCs)
pid / Process:
- 4920 vOH21.exe
- 1164 vgE60.exe
- 4824 dSR33.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: vOH21.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (Process: vgE60.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: vOH21.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: vgE60.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: dSR33.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
- Token: SeDebugPrivilege (pid 4824, Process: dSR33.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
- PID 4936 wrote to memory of 4920 (pid 4936, Process: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe, procid_target: 84)
- PID 4936 wrote to memory of 4920 (pid 4936, Process: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe, procid_target: 84)
- PID 4936 wrote to memory of 4920 (pid 4936, Process: 91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe, procid_target: 84)
- PID 4920 wrote to memory of 1164 (pid 4920, Process: vOH21.exe, procid_target: 85)
- PID 4920 wrote to memory of 1164 (pid 4920, Process: vOH21.exe, procid_target: 85)
- PID 4920 wrote to memory of 1164 (pid 4920, Process: vOH21.exe, procid_target: 85)
- PID 1164 wrote to memory of 4824 (pid 1164, Process: vgE60.exe, procid_target: 86)
- PID 1164 wrote to memory of 4824 (pid 1164, Process: vgE60.exe, procid_target: 86)
- PID 1164 wrote to memory of 4824 (pid 1164, Process: vgE60.exe, procid_target: 86)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91faebc3db8a692738897a2d841afd2f4443780afe9f1033f6152ae27206fc89.exe"
  PID: 4936
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vOH21.exe
    PID: 4920
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgE60.exe
      PID: 1164
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSR33.exe
        PID: 4824
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 635KB
  MD5: 061a690b6e59859bbe6b9e2b2a065837
  SHA1: 87d9318901894dde383e1415f969c0f674d98163
  SHA256: 5a7d20c157da8f7272d992d9a836c3fb07d87db64df817811de7062cc96ded12
  SHA512: 39e228ec7087804e407ec3cf0b6c75d75def808bfc4a457954592de057124459fa0a2b3cffd14d9071441a95b87d18ad375c96dcfcadd5e069256b95072bf318

- Filesize: 491KB
  MD5: 6152d6997a4a314c7cc84f91a2f9d255
  SHA1: 24741359c190377f2d992eaf8d095c8ca4969cba
  SHA256: ba0a88430c18336ca71151ba08d0044ab7e050312664c1a1e15b38e0c2340a42
  SHA512: a543188032424c9b9029cf4eb8f1b3ca5b86397e11e0fbb584f743a53e904413b0bb98795136bc803321aea568d515d48502fb0e69a8c115f66fa3675597f621

- Filesize: 293KB
  MD5: b5b088e47af91c344e3583ef9391586f
  SHA1: 81c28284f693f66d1d30b8ee09f0d69e27457333
  SHA256: 3f201ce75b624c56d73e6aa11e0d93825455d0ee88d3fdcc8e2f3bafae6cc739
  SHA512: 9d0789dfa16b849709e3bb04159ed2bf6ccd74975472efe87aeb9d8ff0539b8953cb0937b4d646fba7d1460ea8c1fd0ee4dfb9ec2debfefdee70ab9b05ca1a3b