Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2024, 02:30

General

  • Target

    92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe

  • Size

    587KB

  • MD5

    4503ae29ae33f555041712313d737c2a

  • SHA1

    f8015b7c2ece5019ef523104d67497df2d309fc6

  • SHA256

    92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3

  • SHA512

    020291601859fef2afe064b4db6eef3744fc0f660c69e0cd670a6ef7ad0f57b7cdae1b94cbef02c682ac68ba587a20a5425e6e13f745a4a88bdba2828dd02950

  • SSDEEP

    12288:dMrDy90XERxlw62SGyjKNIuoCubV8YPCFHE0pNYC:WyjDw62NyjSLYcHFYC

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe
    "C:\Users\Admin\AppData\Local\Temp\92bdbb4d6a78ebfc1fa9f229a6a49405eb2e7538535926684c97dc53bd3b63a3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8909206.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8909206.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8607313.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8607313.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2896

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8909206.exe

          Filesize

          416KB

          MD5

          b768cfe58fcd61a5dd163e50007d99ef

          SHA1

          5c1c07a63c524041759745939d18be080a156608

          SHA256

          da60d73f4a4c505a617a56090cd692f7445ec666c245b97842645cd248ba87cb

          SHA512

          a626c8ae59d6d3940eca5434614801187c8c7048a48f0b0c98785035a7ee3df99df1bf71d77202155dc4a9d8978001d3530c126a18d3631244325b551d2da8c0

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8607313.exe

          Filesize

          168KB

          MD5

          df8db47877b682298146d63440a1f5ff

          SHA1

          f30308f13a4e4bcd42b030e38a1a87b55219ed4b

          SHA256

          e6f25db80578d2f9281fb4af2b5e27c310a7c40c1b8b509c769606afe3fbfbf8

          SHA512

          1806a0861dcd3e7bd719bee38150597943b3b2410b3e14850685f4cca80d49a6495fd05acc5160e85431da89b9a98acd4290c645255b6fdcbf3ffdf14e74d235

        • memory/2896-14-0x000000007441E000-0x000000007441F000-memory.dmp

          Filesize

          4KB

        • memory/2896-15-0x0000000000770000-0x000000000079E000-memory.dmp

          Filesize

          184KB

        • memory/2896-16-0x0000000007560000-0x0000000007566000-memory.dmp

          Filesize

          24KB

        • memory/2896-17-0x0000000005800000-0x0000000005E18000-memory.dmp

          Filesize

          6.1MB

        • memory/2896-18-0x00000000052F0000-0x00000000053FA000-memory.dmp

          Filesize

          1.0MB

        • memory/2896-19-0x0000000005220000-0x0000000005232000-memory.dmp

          Filesize

          72KB

        • memory/2896-20-0x0000000074410000-0x0000000074BC0000-memory.dmp

          Filesize

          7.7MB

        • memory/2896-21-0x0000000005280000-0x00000000052BC000-memory.dmp

          Filesize

          240KB

        • memory/2896-22-0x0000000005400000-0x000000000544C000-memory.dmp

          Filesize

          304KB

        • memory/2896-23-0x000000007441E000-0x000000007441F000-memory.dmp

          Filesize

          4KB

        • memory/2896-24-0x0000000074410000-0x0000000074BC0000-memory.dmp

          Filesize

          7.7MB