Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 01:28
Static task: static1
Behavioral task: behavioral1
Sample: 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe
Resource: win10v2004-20241007-en
General
Target: 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe
Size: 1.1MB
MD5: b57de41e9a25af0b1d5cf053386458f6
SHA1: dc1ab292af1fabe346083ee3f6a77bc2531bd174
SHA256: 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa
SHA512: 81162e2d3b591934c112bed3f24277e0c28198207ddfa34dda0c1032e35117c69c49ac40bf2bcef85acaa6197eba048eae90663ad3f669982afe9f35d6cf8be1
SSDEEP: 24576:pyKyVzjykR7daLq+u8P0lzgmeCs2R+Yn5TRhQXB:c7V+q7daLqyPMAwYYVre
Malware Config
Extracted
redline
rodik
193.233.20.23:4124
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 4 IoCs
pid   Process
5096  nZx81ND.exe
4412  nNL46jI.exe
2136  nky57By.exe
3508  bnE61aA55.exe
Adds Run key to start application 2 TTPs 4 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: nZx81ND.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: nNL46jI.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
Process: nky57By.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nZx81ND.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nNL46jI.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nky57By.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bnE61aA55.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  3508  bnE61aA55.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                                                 procid_target
PID 2376 wrote to memory of 5096  2376  95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe  83
PID 2376 wrote to memory of 5096  2376  95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe  83
PID 2376 wrote to memory of 5096  2376  95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe  83
PID 5096 wrote to memory of 4412  5096  nZx81ND.exe                                                             84
PID 5096 wrote to memory of 4412  5096  nZx81ND.exe                                                             84
PID 5096 wrote to memory of 4412  5096  nZx81ND.exe                                                             84
PID 4412 wrote to memory of 2136  4412  nNL46jI.exe                                                             85
PID 4412 wrote to memory of 2136  4412  nNL46jI.exe                                                             85
PID 4412 wrote to memory of 2136  4412  nNL46jI.exe                                                             85
PID 2136 wrote to memory of 3508  2136  nky57By.exe                                                             86
PID 2136 wrote to memory of 3508  2136  nky57By.exe                                                             86
PID 2136 wrote to memory of 3508  2136  nky57By.exe                                                             86
Processes
1. C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\95b95a66d42542d9d705a383c151d7688b37f9f79c4c19e7f72a79ce812f1efa.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2376
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZx81ND.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5096
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNL46jI.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4412
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nky57By.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2136
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bnE61aA55.exe
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken
               PID: 3508
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 950KB
MD5: f55c9b36562ace6d480b1e931e09e918
SHA1: cfbd0c94955181645af8cee57394b6d46cdca1ea
SHA256: 017374323884b51e854036ee6fee42f1a07c041ab7cf6740c058851b3dec874e
SHA512: 2087ec8d44b3cd388f49846270ecec884b220cd081a00ddb92f256901d8db633e11cfab440549ae09b077ebd147caa08c667fe4289329c8b0defdb9d42d4eaec

Filesize: 676KB
MD5: df72ca8e216aecb3460c0ca0989ef93d
SHA1: 2a0f644b48b3f10a5cbc889db9c87558a00a0319
SHA256: 9944be9df706b932b25e64b8fc5590d490f8520b555fbd74c17682ee83533f56
SHA512: 3e30b24a249df193e5a0d09256f1f8323be1e7e4fc626ba304857b22712ba16e1b6f6161e0a52e991c9ddfedbc287a2fdead40c7544033d3f31c8b3cbd16fc7c

Filesize: 396KB
MD5: 760e193d0de6af62e9be94e6a62aab80
SHA1: 5db723781ee502c93f6b1954079694aa04d99fe4
SHA256: ec09b351cc91237cfe79c2038659a0fbec3b251f9a2ac6d31826a70596d846b8
SHA512: 908d6e0235e1456dce5b06f23b489ab1d137bf3666f138967838caa7e01fb2fdf3b680eb55e6ccc41c7e2f37154d0076133a7337a5ac5b857b904c93b1e88ef5

Filesize: 375KB
MD5: e5e97fd2974a50b5a07e32634aa8c336
SHA1: c841973581b669ce53d079feae3bfc163eac3d48
SHA256: 934f074101777f99e03a4671dfba2384942017a561be032adb310ac2aaf317e7
SHA512: 9ce9697c2d5d18313dbcc463f3c6691f28783ff4a1671f205b8a4c5464adb2970fd34d279810266a814b65157e691fe7da59bac25da5a994ed15f35716a07e4b