Analysis
-
max time kernel
134s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04/11/2024, 15:02
General
-
Target
a1144926e24c781c777900562b9e5c4a63152e9fdb599de379ad953a5b8396fa.exe
-
Size
1.1MB
-
MD5
de0c80bded816740a0df7c20dce4b10a
-
SHA1
9842e042025531f42ff5e62bdf30dcb398f79341
-
SHA256
a1144926e24c781c777900562b9e5c4a63152e9fdb599de379ad953a5b8396fa
-
SHA512
272a654b220349b919bf971d135e8854e83f06978215f3a56b76a44e67eda177719ff038310b91b0a7ab86c0a8d242e83569e20a04d1859b287f418ef5d6c211
-
SSDEEP
24576:OyrVN0rt0f9iqLu4Y6f43ZsOj33Ei8pZm9NiCcbOFLz:drW0Mq6P3ZsoEirNXJ
Malware Config
Extracted
redline
doma
185.161.248.75:4132
-
auth_value
8be53af7f78567706928d0abef953ef4
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1144926e24c781c777900562b9e5c4a63152e9fdb599de379ad953a5b8396fa.exe"C:\Users\Admin\AppData\Local\Temp\a1144926e24c781c777900562b9e5c4a63152e9fdb599de379ad953a5b8396fa.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2829041.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2829041.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5402789.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5402789.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4097970.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4097970.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
750KB
MD51b59a5c318367a187cad11a46a5fe929
SHA1a2197d2d100d0be0d9429291ece540a4ab0e1249
SHA256e4c22bca2960c535a907558d14a3ac53cba2cd0d857f81e587bfede8c6bd9148
SHA5123f64d774a55f0c4448cd033329ddf6a6bb03fc2ba266bac9d4dc959261327f0438f83327c69f53b1d19141d294808e4954bbd27ca606a9678ac786c16e349a1a
-
Filesize
304KB
MD564ca257ff3e8a8d28d2c400e07581e19
SHA131434adb50248b4c20e562c238e8e81b220b10b5
SHA256e1326efc619cdc8372d0e96c0134f474c44a0916a091b6f3f4221198d7983ff6
SHA51285c5e6c34fc16a788e7e1224658bf831b3a1dfe3766f4660761fa53d68f974b71546c4030d1951082e47a99347af21538fb87e89984c6217907c793e05bac69d
-
Filesize
145KB
MD5842c86c61f47ca09c937cbe6e3562757
SHA1316fbcdf3d46f0ff06aa747f8cc38c9df80e8d2a
SHA256d18e32d6b3f4b2b0b5ad89a27246338ed3889e5079c2604f36c528c7ab9132c8
SHA512106c7aa3e9c032e261260b853b18d992aafdd70a55a6b90a3b7325d2d445c674398353319ae51e3a316d34864d94996d4e5a570e26c3704cb55a23a13dea69bd
-
Filesize
168KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB