Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 06:36

General

  • Target

    c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe

  • Size

    1.1MB

  • MD5

    67140f7f63f24c6e992139378c4020b8

  • SHA1

    146cd965372c1bde95c57f1de898bdfcbeddcca2

  • SHA256

    c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134

  • SHA512

    62034f239430d6f32db02b0d0250acd1fbad2a17b56722db84a4dc4c538311862f9817c4e39b64eaa64e21dfe0d7399d9187bb8680595251d2bf76bba01ae74f

  • SSDEEP

    24576:6yVQSIe2prqcN0ljd0UDJpFa5cdQ/0moBvK91PSxKZrSea3lkd0Sx:BV7IRRMaYvFa5WQMmo5USb3lkyS

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes
  • auth_value

    8be53af7f78567706928d0abef953ef4

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe
    "C:\Users\Admin\AppData\Local\Temp\c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5702835.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5702835.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3558795.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3558795.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3349851.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3349851.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5702835.exe

    Filesize

    749KB

    MD5

    980426ac1cfeb37d3da9cac42e3329ff

    SHA1

    1afdaf754adb4fee59dbd400f9470df7c52653e6

    SHA256

    8eb20e7a0a57af6919f16b218bf7d41c0103fc9a2e84bee8aa7113ed2d551afe

    SHA512

    7b4a9a28a9e905fad4d8a5e76ef84a098ac5234b0e079f08c218f5ccb6888f250c49ab974419532ce7e2c9db2d81ab62a0b039d94734a84b14a182fbaad2eacf

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3558795.exe

    Filesize

    304KB

    MD5

    e168f0f8d383de423948ccb00d787e67

    SHA1

    df35da17aa439d4e65a0843ab25743891774367f

    SHA256

    5253b2dec576874376b034cd2a0590446c2b09c5c9bf82d1d8a3c95bff104629

    SHA512

    2b2d0bde39086d5fcd38a39292069c4e7d0e679fdf2416ebbb221b9daa9b1a21915ed89f4e2e9971e49e2e8d0c7d9bb2fcb99ca65a748177a573431241fcf2be

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3349851.exe

    Filesize

    145KB

    MD5

    ed0f31b1da6c545df6d5b5c52c966fb3

    SHA1

    41df1e28014c5d54ae8f33df6f2527813fc15efe

    SHA256

    3d55bd3b427d4b10dd719a877c65b194145180b436d71055d064eb5231a7efa6

    SHA512

    a6c969e09c21bf393266d15070e53bc35934007a766d3b45d05046a0f3538696c19bad42c105a79fcba648b97bce508ccabf0378cb42bd2ff31e155e7cc40626

  • memory/4808-21-0x0000000000860000-0x000000000088A000-memory.dmp

    Filesize

    168KB

  • memory/4808-22-0x0000000005670000-0x0000000005C88000-memory.dmp

    Filesize

    6.1MB

  • memory/4808-23-0x00000000051F0000-0x00000000052FA000-memory.dmp

    Filesize

    1.0MB

  • memory/4808-24-0x0000000005120000-0x0000000005132000-memory.dmp

    Filesize

    72KB

  • memory/4808-25-0x0000000005180000-0x00000000051BC000-memory.dmp

    Filesize

    240KB

  • memory/4808-26-0x0000000005300000-0x000000000534C000-memory.dmp

    Filesize

    304KB