Analysis
max time kernel: 134s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 03:50
Static task: static1
Behavioral task: behavioral1
Sample: f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe
Resource: win10v2004-20241007-en
General
Target: f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe
Size: 480KB
MD5: 73caa4cfb3bf0213291ad360d0d1e717
SHA1: e567f1ff3c60a91ccb1a25b9277305d9633fedf2
SHA256: f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324
SHA512: d49e9802831df2c2ddf8eeab42369624c0176a51a2e0a5570c6aa28c65c87295f5b2034ab75b007e7cdb74b8be6cf2f46bf34bb28da39178f8eda3904e783156
SSDEEP: 6144:KBy+bnr+up0yN90QElVdJ/pw9pZqjLIgRv4gBx0/NBXEbMC071xxJ12wDqkSL6Om:bMrCy901/p7IKxkXEYCm1112yqdGwI/
Malware Config
Extracted
Family: redline
Botnet: daris
C2: 217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb5-12.dat | family_redline
behavioral1/memory/1372-15-0x0000000000E60000-0x0000000000E8E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
464 | y0142964.exe
1372 | k6571072.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y0142964.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y0142964.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k6571072.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 464 | 5080 | f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe | 84
PID 5080 wrote to memory of 464 | 5080 | f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe | 84
PID 5080 wrote to memory of 464 | 5080 | f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe | 84
PID 464 wrote to memory of 1372 | 464 | y0142964.exe | 85
PID 464 wrote to memory of 1372 | 464 | y0142964.exe | 85
PID 464 wrote to memory of 1372 | 464 | y0142964.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f12fc959ece1258cc4b7aae577b4a02ff45adf0aa26018f5f73c3d875aafc324.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 5080
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0142964.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0142964.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 464
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6571072.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6571072.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 308KB
MD5: 52fe9fd12a2f21312669861fb10f03c9
SHA1: 509d58982d1af456ec640e13d68eccba0b34c3ea
SHA256: 4e1762ceaa917340a0c97075ddbbc845cd689f1a235d345765ac268ccabcd145
SHA512: 5acb670333f1b3bb4a6fe54fa13142b78d493650d79347615ae7166ec6bc0127088309a8bd161e020e2f56d98aac9029b1f8864995824e14c23d03f57fb66652

Filesize: 168KB
MD5: 1fd302276aeeed6ec4b87c3ae2245bcb
SHA1: d1e36a09c04c72bf2319c817790ad2c93d2ee6ea
SHA256: 32c78fb6d1dce5d8aa5e4b7484b7a1e45b4c311485abec0c8e3e0eaee598bc53
SHA512: 3f55d6d55beab38ef3d958193a8d614dd1b0e1bb17fa3d16b74b7a0a427dbbeb6fffed89a03fbeef0e124d0087976aee8b705780cf9c605ef0e525330287a774