Analysis
max time kernel: 140s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 01:56
Static task: static1
Behavioral task: behavioral1
Sample: 42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe
Resource: win10v2004-20241007-en
General
Target: 42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe
Size: 758KB
MD5: b4c8b97b7a9590541c364f63db9fcda4
SHA1: 00e6d2dc2aa2aa04a1c88801c06821708cb03723
SHA256: 42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54
SHA512: b914a298b9e529cf776c34655ba9d2fbed19ee58ae6a2dd03a3b85049ce19adc097f05ce77290523f5a2309d3bb8a6222e00cf1f55b4236f68cb0fbe98b0e495
SSDEEP: 12288:/Mrgy90DT2QynJoTvJrY2ZSChFBsVKsKKI6F5r+t3H9c+R39srPREMHiqbb8VimB:7y9nJo9Yq5BsV7rG3HF59CdHheiQ
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
Attributes
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
The C2 endpoint, the botnet name and the auth_value (the static authorization string the RedLine client presents to its panel) are the build-specific indicators of this sample. The C2 is a bare IP:port rather than a domain, so it is blocked and hunted as an address.
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource: behavioral1, yara rule: family_redline
Every hit is a memory dump of PID 3844 (dCN02.exe, the last stage of the chain). The 35 dump paths, of the form behavioral1/memory/3844-<dump>-<start>-<end>-memory.dmp, collapse to three regions:
  0x00000000029C0000-0x0000000002A06000 (0x46000 bytes): dump 22
  0x0000000005490000-0x00000000054D4000 (0x44000 bytes): dump 24
  0x0000000005490000-0x00000000054CE000 (0x3E000 bytes, same base as the previous region): dumps 25, 27, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 71, 72, 74, 76, 78, 80, 82, 84, 86, 88
The earlier stages (PIDs 3948, 3504, 4848) produce no family_redline hits; the family rule matches only in the final process.
Redline family
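The 35 hits above are easier to triage once the flattened IoC line is parsed back into (pid, dump index, region) tuples and collapsed by region, which is what tells you that one PID and three address ranges are involved. The following is an added helper, not part of the report or of the sandbox's own tooling, written for the path format the report uses; SAMPLE_IOCS is a constructed subset of the report's entries, copied verbatim.

```python
import re
from collections import defaultdict

# One memory IoC as the report prints it:
#   <task>/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <yara rule>
IOC_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Constructed input: five of the report's 35 entries, copied verbatim.
SAMPLE_IOCS = [
    "behavioral1/memory/3844-22-0x00000000029C0000-0x0000000002A06000-memory.dmp family_redline",
    "behavioral1/memory/3844-24-0x0000000005490000-0x00000000054D4000-memory.dmp family_redline",
    "behavioral1/memory/3844-78-0x0000000005490000-0x00000000054CE000-memory.dmp family_redline",
    "behavioral1/memory/3844-88-0x0000000005490000-0x00000000054CE000-memory.dmp family_redline",
    "behavioral1/memory/3844-25-0x0000000005490000-0x00000000054CE000-memory.dmp family_redline",
]


def flatten_wall(text):
    """Split the report's run-together IoC line back into individual entries (stray '-' separators are dropped)."""
    return re.findall(r"\S+/memory/\S+-memory\.dmp\s+\S+", text)


def parse_ioc(line):
    """Parse one entry into its fields; addresses become integers so sizes can be computed."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError("not a memory IoC: %r" % line)
    return {"task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"]}


def summarize(lines):
    """Collapse per-dump hits into distinct (pid, start, end, rule) regions with hit counts and dump ranges."""
    regions = defaultdict(list)
    for line in lines:
        ioc = parse_ioc(line)
        regions[(ioc["pid"], ioc["start"], ioc["end"], ioc["rule"])].append(ioc["idx"])
    return [
        {"pid": pid, "start": start, "end": end, "size": end - start, "rule": rule,
         "hits": len(idxs), "first_dump": min(idxs), "last_dump": max(idxs)}
        for (pid, start, end, rule), idxs in sorted(regions.items())
    ]


if __name__ == "__main__":
    for r in summarize(SAMPLE_IOCS):
        print("pid %d  0x%08X-0x%08X  %6d bytes  %-14s  %2d hits (dumps %d..%d)"
              % (r["pid"], r["start"], r["end"], r["size"], r["rule"],
                 r["hits"], r["first_dump"], r["last_dump"]))
```

Feeding the report's full 35-entry line through flatten_wall and then summarize gives the three regions listed above; the region with the most hits is the one worth pulling first when the unpacked RedLine binary is wanted for configuration extraction.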
Executes dropped EXE 3 IoCs
  pid 3504   vhG61.exe
  pid 4848   vbC50.exe
  pid 3844   dCN02.exe
Adds Run key to start application 2 TTPs 3 IoCs
Registry values set (string), shown unescaped:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   by 42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   by vhG61.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   by vbC50.exe
These are not attacker-written autostart entries. A RunOnce value named wextract_cleanupN that points rundll32 at advpack.dll,DelNodeRunDLL32 is what the Windows IExpress/WEXTRACT self-extractor writes so that its IXPnnn.TMP extraction directory is deleted at the next logon. Three such values with indices 0, 1 and 2, written by three different processes, mean three nested IExpress packages, each unpacking the next into a fresh IXP directory; the WOW6432Node path shows the extractors are 32-bit (matching the arch:x86 resource tag). The persistence signature therefore fires on the packer, not on RedLine; the useful indicator is the nesting depth.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vhG61.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbC50.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   dCN02.exe
All four stages read this key. Opening NLS\Language is also routine during ordinary process start-up, so the behaviour is low-signal on its own; it is listed because the sandbox attributes it to every process in the chain.
Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege   pid 3844   dCN02.exe
Suspicious use of WriteProcessMemory 9 IoCs
  PID 3948 (42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe) wrote to memory of 3504, procid_target 84 (3 writes)
  PID 3504 (vhG61.exe) wrote to memory of 4848, procid_target 85 (3 writes)
  PID 4848 (vbC50.exe) wrote to memory of 3844, procid_target 86 (3 writes)
Each entry pairs a parent with the child it starts, so the nine writes reproduce the process tree 3948 -> 3504 -> 4848 -> 3844. No process writes into an unrelated process, so this section holds no evidence of injection into a third-party process.
Processes
1  C:\Users\Admin\AppData\Local\Temp\42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe   PID 3948
   command line: "C:\Users\Admin\AppData\Local\Temp\42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhG61.exe   PID 3504   (child of 3948)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhG61.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vbC50.exe   PID 4848   (child of 3504)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vbC50.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCN02.exe   PID 3844   (child of 4848)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCN02.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
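The process tree, the RunOnce entries and the extracted C2 describe one shape: an IExpress package that unpacks an IExpress package that unpacks an IExpress package, whose last stage runs RedLine. The following added example (not part of the report or of any sandbox tooling) shows detection logic for that shape over constructed Sysmon-style events: it rebuilds each process's parent chain, counts how many IXPnnn.TMP layers sit in its ancestry, extracts the directory each wextract_cleanupN value will delete, and matches the extracted C2. PIDs and image paths follow the report; the parent PID 2140, the benign single-layer setup.exe installer and both network events are invented for the example (the report's Network section is empty), and the event field names are a simplified stand-in for Sysmon's EventID 1, 13 and 3 fields.

```python
import re

# Indicators lifted from the report: the extracted RedLine C2 and the IExpress/WEXTRACT artefacts.
C2_HOST, C2_PORT = "193.233.20.12", 4132
IXP_DIR_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
WEXTRACT_VALUE_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\42446d3f1f28d14d2494a98807c9c2137823f8426e2a5d0d88bc878eeb411c54.exe"


def wextract_event(pid, n):
    """Registry-set event shaped like the RunOnce value WEXTRACT writes (value text copied from the report)."""
    return {
        "id": 13, "pid": pid,
        "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup%d" % n,
        "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "%s\IXP%03d.TMP\"' % (TEMP, n),
    }


# Constructed Sysmon-style events (1 = process create, 13 = registry value set, 3 = network connect).
# PIDs and images follow the report; ppid 2140, setup.exe and both network events are invented.
EVENTS = [
    {"id": 1, "pid": 3948, "ppid": 2140, "image": DROPPER},
    wextract_event(3948, 0),
    {"id": 1, "pid": 3504, "ppid": 3948, "image": TEMP + r"\IXP000.TMP\vhG61.exe"},
    wextract_event(3504, 1),
    {"id": 1, "pid": 4848, "ppid": 3504, "image": TEMP + r"\IXP001.TMP\vbC50.exe"},
    wextract_event(4848, 2),
    {"id": 1, "pid": 3844, "ppid": 4848, "image": TEMP + r"\IXP002.TMP\dCN02.exe"},
    {"id": 3, "pid": 3844, "dst_ip": "193.233.20.12", "dst_port": 4132},
    # Benign noise: an ordinary single-layer IExpress installer and an unrelated HTTPS connection.
    {"id": 1, "pid": 5100, "ppid": 2140, "image": r"C:\Users\Admin\Downloads\setup.exe"},
    wextract_event(5100, 0),
    {"id": 1, "pid": 5104, "ppid": 5100, "image": TEMP + r"\IXP000.TMP\install.exe"},
    {"id": 3, "pid": 5104, "dst_ip": "93.184.216.34", "dst_port": 443},
]


def processes(events):
    """pid -> process-create event."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def chain(events, pid):
    """Image paths from the outermost known ancestor down to pid."""
    procs, path = processes(events), []
    while pid in procs:
        path.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return path[::-1]


def ixp_depth(events, pid):
    """Number of IExpress extraction directories (IXPnnn.TMP) in the process's ancestry, itself included."""
    return sum(1 for img in chain(events, pid) if IXP_DIR_RE.search(img))


def nested_extractions(events, min_depth=2):
    """Processes running from an IXP dir that was itself unpacked by a process running from an IXP dir."""
    return [(pid, e["image"], ixp_depth(events, pid))
            for pid, e in processes(events).items() if ixp_depth(events, pid) >= min_depth]


def wextract_cleanups(events):
    """(pid, N, directory) for each RunOnce wextract_cleanupN value; the directory is deleted at next logon."""
    found = []
    for e in events:
        if e["id"] != 13:
            continue
        m = WEXTRACT_VALUE_RE.search(e["target"])
        if m:
            d = DELNODE_RE.search(e.get("details", ""))
            found.append((e["pid"], int(m.group(1)), d.group(1) if d else None))
    return found


def c2_connections(events, host=C2_HOST, port=C2_PORT):
    """Network events to the C2 taken from the extracted RedLine config."""
    return [(e["pid"], e["dst_ip"], e["dst_port"])
            for e in events if e["id"] == 3 and e["dst_ip"] == host and e["dst_port"] == port]


def triage(events):
    """Everything an analyst would want from this event set in one pass."""
    nested = nested_extractions(events)
    return {
        "nested_layers": nested,
        "cleanup_entries": wextract_cleanups(events),
        "c2_hits": c2_connections(events),
        "deepest_chain": max((chain(events, pid) for pid, _, _ in nested), key=len, default=[]),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

A single wextract_cleanup value and one IXP directory is what every legitimate IExpress installer produces, which is why the RunOnce signature alone (four cleanup entries in this event set, one of them from the benign installer) is noisy. Requiring a nesting depth of at least 2, a process in an IXP directory whose ancestor also ran from an IXP directory, isolates the stacked-packer pattern; the chain in this report reaches depth 3 at dCN02.exe, and that is the process whose memory the family_redline rule matched.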
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 654KB
  MD5: 5f319088668812c15f0a7c4966516d2e
  SHA1: 3ec6aedd3459f009eb465a5412e88a4d9c419010
  SHA256: 24f63cf5be7c8b213c30e7c2af95b3596d02d4cfe1dcee7798f8ba0a16f8f47b
  SHA512: 780f3a373ba5cea978e8c0f45776923d6f2a34bc7edbf4cbe09d97528a687392ab9e97f8f8dbd539cac07547124ec42405e4ae43c6edae3a393ecc1da390a89f
File 2
  Filesize: 509KB
  MD5: cce4d633ca1657f2011ec59d3b0919c3
  SHA1: dad6a0e9b1859601e8956e8c6d9e81debb4e56fd
  SHA256: af723ec81897207de4c342f83d040cc9b6d06ec4d45a8d11236435211d346636
  SHA512: 78df3659a96a9326409a4beb6e3bcc2f886c203782e5de4491edab02857207457497513644d00fb086619f54a4da860edd42a22d42a4a91c46af0b6d021dba71
File 3
  Filesize: 280KB
  MD5: b58d808ae45fbac26df97d12df2cc4f2
  SHA1: f6a486a5676cb556fade08c92c7bceacff09c670
  SHA256: 7043383d2630321f64a3bcfb573d957966e48d57e1d4a57a6e0c068a411314a5
  SHA512: 95adcd5d2f678b6310826537c0d37a6a687f2ba88cf47e41ea8a0f9a4c3d400583e1de40fb67751e1698eac11d8194430fd7a5944aba2b3fc7f803c17114d845