Analysis
  max time kernel: 136s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/11/2024, 02:30
  Static task: static1
  Behavioral task: behavioral1
  Sample: 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe
  Resource: win10v2004-20241007-en
General
  Target: 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe
  Size: 587KB
  MD5: 4503ae29ae33f555041712313d737c2a
  SHA1: f8015b7c2ece5019ef523104d67497df2d309fc6
  SHA256: 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3
  SHA512: 020291601859fef2afe064b4db6eef3744fc0f660c69e0cd670a6ef7ad0f57b7cdae1b94cbef02c682ac68ba587a20a5425e6e13f745a4a88bdba2828dd02950
  SSDEEP: 12288:dMrDy90XERxlw62SGyjKNIuoCubV8YPCFHE0pNYC:WyjDw62NyjSLYcHFYC
Malware Config
  Extracted
    Family: redline
    Botnet: daris
    C2: 217.196.96.56:4138
    auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x000b000000023b74-12.dat: family_redline
  - behavioral1/memory/2896-15-0x0000000000770000-0x000000000079E000-memory.dmp: family_redline

- Redline family

- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 4932: x8909206.exe
  - 2896: g8607313.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x8909206.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe)

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (x8909206.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g8607313.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  - PID 1992 wrote to memory of 4932 (pid 1992, 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe, target 84)
  - PID 1992 wrote to memory of 4932 (pid 1992, 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe, target 84)
  - PID 1992 wrote to memory of 4932 (pid 1992, 92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe, target 84)
  - PID 4932 wrote to memory of 2896 (pid 4932, x8909206.exe, target 85)
  - PID 4932 wrote to memory of 2896 (pid 4932, x8909206.exe, target 85)
  - PID 4932 wrote to memory of 2896 (pid 4932, x8909206.exe, target 85)
Processes

- C:\Users\Admin\AppData\Local\Temp\92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe"
  PID: 1992
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8909206.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8909206.exe
    PID: 4932
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8607313.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8607313.exe
      PID: 2896
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 416KB
  MD5: b768cfe58fcd61a5dd163e50007d99ef
  SHA1: 5c1c07a63c524041759745939d18be080a156608
  SHA256: da60d73f4a4c505a617a56090cd692f7445ec666c245b97842645cd248ba87cb
  SHA512: a626c8ae59d6d3940eca5434614801187c8c7048a48f0b0c98785035a7ee3df99df1bf71d77202155dc4a9d8978001d3530c126a18d3631244325b551d2da8c0

- Filesize: 168KB
  MD5: df8db47877b682298146d63440a1f5ff
  SHA1: f30308f13a4e4bcd42b030e38a1a87b55219ed4b
  SHA256: e6f25db80578d2f9281fb4af2b5e27c310a7c40c1b8b509c769606afe3fbfbf8
  SHA512: 1806a0861dcd3e7bd719bee38150597943b3b2410b3e14850685f4cca80d49a6495fd05acc5160e85431da89b9a98acd4290c645255b6fdcbf3ffdf14e74d235