Analysis

- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 02:11
Behavioral tasks

task          sample                                                                resource
behavioral1   1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe  win7-20240903-en
behavioral2   1214e5f9dec9e4c94ccf93c4495788c8314f396ce74dbb5c15cd372411ceed98.exe  win10v2004-20241007-en
behavioral3   236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe  win7-20241010-en
behavioral4   236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe  win10v2004-20241007-en
behavioral5   25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe  win7-20240903-en
behavioral6   25dc70a3def65cca61f30ad3a818edbf0dcebbf8257a302212fd7424cc7e8560.exe  win10v2004-20241007-en
behavioral7   54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe  win7-20241023-en
behavioral8   54de718b634d2dbddaf2530aa3b1768823dfdd97f5a2782b4131fe369e903dd9.exe  win10v2004-20241007-en
behavioral9   7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe  win7-20240903-en
behavioral10  7ae95048117dcae6685b6d3206a013fc3e76631d0d4cb58a95f065d79c6cc8a4.exe  win10v2004-20241007-en
behavioral11  9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe  win7-20240903-en
behavioral12  9c2554e79b717eca531348c6e0430944ab7288bc46a8d56e2e49898c4b0e59a0.exe  win10v2004-20241007-en
behavioral13  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  win7-20240903-en
behavioral14  a568f22004828c8dc2e3e31c3a8f49a89b164e1eb268f57c93430b20368cfe3b.exe  win10v2004-20241007-en
behavioral15  aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  win7-20240708-en
behavioral16  aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe  win10v2004-20241007-en
behavioral17  d68b4d6cec032458824abdf3ac6f379f33db2167cb0c399845f4d7735a426827.exe  win7-20240903-en

The sections below describe behavioral3 (the 236020bb91...f6.exe sample run on win7-20241010-en).
General

- Target: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
- Size: 541KB
- MD5: 616b97038b6328ae6e45a08077df4a7a
- SHA1: 11473c1f0515f06579e7704dc036bbc620c7510a
- SHA256: 236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6
- SHA512: 4730733b4be691840fa1905fc4bfeeeba7ebb06e10d24cfe78a285a3e518a2f2ba31bbc378cda68edf4311df322fd137ed1f65d4b844737e9f0df547506c04e0
- SSDEEP: 12288:vNpszYhvXWSVJdMaeaxxJHuT8DmP79TovFZFW84:FhvJVJdMQPuTVP792gR
Malware Config

Extracted configuration (family: redline)
- Botnet: @Seno_47
- C2: 45.81.227.32:22625
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                     yara_rule
behavioral3/files/0x0038000000012275-22.dat                                  family_redline
behavioral3/memory/2140-27-0x00000000013C0000-0x00000000013DE000-memory.dmp  family_redline

Redline family

SectopRAT payload (2 IoCs)
resource                                                                     yara_rule
behavioral3/files/0x0038000000012275-22.dat                                  family_sectoprat
behavioral3/memory/2140-27-0x00000000013C0000-0x00000000013DE000-memory.dmp  family_sectoprat

Sectoprat family
The two artifacts matched by the SectopRAT rule are exactly the two matched by the RedLine rule, and the configuration extracted from the sample is a RedLine one (botnet @Seno_47, C2 45.81.227.32:22625). Treat the SectopRAT hit as YARA rule overlap on a single payload rather than as evidence of a second family; the dropped file and the memory dump of PID 2140 are the artifacts to pull for manual confirmation.

Executes dropped EXE (2 IoCs)
pid   Process
2796  output.exe
2140  cpAaYCmhNDsLQiRFCCCqoVSn.exe

Loads dropped DLL (5 IoCs)
pid   Process
2700  236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe (logged 4 times)
2796  output.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cpAaYCmhNDsLQiRFCCCqoVSn.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  output.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2140  cpAaYCmhNDsLQiRFCCCqoVSn.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                               procid_target
PID 2700 wrote to memory of 2796  2700  236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe  30  (logged 4 times)
PID 2796 wrote to memory of 2140  2796  output.exe                                                            31  (logged 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe (PID 2700)
   command line: "C:\Users\Admin\AppData\Local\Temp\236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\output.exe (PID 2796)
      command line: "C:\Users\Admin\AppData\Roaming\output.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe (PID 2140)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpAaYCmhNDsLQiRFCCCqoVSn.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
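The process tree above is what the sandbox rendered; the raw material for it is the flattened "wrote to memory" and "Executes dropped EXE" rows in the Signatures section, which is also the form these reports arrive in when scraped or pasted into a ticket. The script below is an added example, written for this page and not part of the report or of the Triage sandbox: it parses those rows (copied here as constructed string constants), de-duplicates the repeated WriteProcessMemory entries, rebuilds the parent-to-child chain with image names, and lists every YARA artifact that matched more than one family rule, which is how the RedLine/SectopRAT overlap above would be surfaced automatically. The regular expressions and function names are assumptions made for the example, not a Triage API.

```python
"""Rebuild the process chain and per-artifact YARA family hits from
flattened Triage signature rows.  Added example; the row strings are
constructed from this report, the regexes and helpers are assumptions."""
import re
from collections import OrderedDict

SAMPLE_EXE = "236020bb910e3cfd1e03bff5722204be40c0739fb6d2954b35c8b02185e37ef6.exe"

# Constructed from the "Suspicious use of WriteProcessMemory" row: Triage
# logs every call, so each parent->child pair appears four times.
WPM_ROW = " ".join(
    [f"PID 2700 wrote to memory of 2796 2700 {SAMPLE_EXE} 30"] * 4
    + ["PID 2796 wrote to memory of 2140 2796 output.exe 31"] * 4
)
# Constructed from the "Executes dropped EXE" row.
DROPPED_EXE_ROW = "2796 output.exe 2140 cpAaYCmhNDsLQiRFCCCqoVSn.exe"
# Constructed from the two "payload" signature rows.
YARA_ROWS = [
    "behavioral3/files/0x0038000000012275-22.dat family_redline "
    "behavioral3/memory/2140-27-0x00000000013C0000-0x00000000013DE000-memory.dmp family_redline",
    "behavioral3/files/0x0038000000012275-22.dat family_sectoprat "
    "behavioral3/memory/2140-27-0x00000000013C0000-0x00000000013DE000-memory.dmp family_sectoprat",
]

# "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
EXE_RE = re.compile(r"(\d+) (\S+\.exe)")
YARA_RE = re.compile(r"(\S+) (family_\w+)")


def parse_write_process_memory(row):
    """Return (parent_pid, child_pid, parent_image) edges, first-seen order, no repeats."""
    edges = OrderedDict()
    for parent, child, image, _target in WPM_RE.findall(row):
        edges.setdefault((int(parent), int(child)), image)
    return [(p, c, img) for (p, c), img in edges.items()]


def parse_dropped_exe(row):
    """Map pid -> image name for every dropped executable that ran."""
    return {int(pid): image for pid, image in EXE_RE.findall(row)}


def build_process_chain(wpm_row, dropped_row):
    """Roots, parent->children map and pid->image map derived from the two rows.
    Child names come from the dropped-EXE row; the root is named from its own edge."""
    names = parse_dropped_exe(dropped_row)
    children = {}
    for parent, child, parent_image in parse_write_process_memory(wpm_row):
        names.setdefault(parent, parent_image)
        children.setdefault(parent, []).append(child)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    return roots, children, names


def render_chain(roots, children, names):
    """Indented text tree, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def yara_families_by_artifact(rows):
    """artifact path -> set of family_* rule names that matched it."""
    hits = {}
    for row in rows:
        for artifact, family in YARA_RE.findall(row):
            hits.setdefault(artifact, set()).add(family)
    return hits


def conflicting_artifacts(hits):
    """Artifacts matched by more than one family rule; these need a second
    signal (here the extracted config, which is RedLine's) before labelling."""
    return {a: sorted(f) for a, f in hits.items() if len(f) > 1}


if __name__ == "__main__":
    roots, children, names = build_process_chain(WPM_ROW, DROPPED_EXE_ROW)
    print("\n".join(render_chain(roots, children, names)))
    for artifact, fams in conflicting_artifacts(yara_families_by_artifact(YARA_ROWS)).items():
        print(f"multiple families on {artifact}: {', '.join(fams)}")
```

The parser keys edges on the (parent, child) pid pair rather than on the row text, so the four identical log entries collapse to one edge while a parent that writes into two different children still yields two. Anything that is a parent but never a child is reported as a root, which is how PID 2700 (the submitted sample) is identified without relying on the order of the rows.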
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
- Filesize: 269KB
- MD5: 2f376ad2903620fd9f52c4d8af903777
- SHA1: 726ecc2dff7d3af1b4d03591761183f70c9a1242
- SHA256: e60ab1c5095002e6ed227251cfc4c4124db13255af95b6b76405e44e7a750215
- SHA512: 75fbb18d81c022bef30887718da799ffd77c462ef324b9975bd3815b7af5b759e70858a9e0f472b9bedd0af3c90a05df02fd3f6c492fea802e12c719ad2dd0eb

File 2
- Filesize: 97KB
- MD5: f4bbbbd0c06b5b5f46386ad1db6227b0
- SHA1: 5a026b7ed8c49b1213a6393e938c91399ff33eb8
- SHA256: 3783dda749b402ddb2065d6830dc3d7d2771b4b8dc02358efe64947205b2517d
- SHA512: 3a7554883cf3c729a1f249eff33e3ad5de69be174971209e536d7d2c829d50bc9666391e9663db782eb445f8e8f87c81ac7b0248faff2f2e594909bbd84f5d48