Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 06:36
Static task
static1
Behavioral task
behavioral1
Sample
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe
Resource
win10v2004-20241007-en
General
-
Target
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe
-
Size
1.1MB
-
MD5
67140f7f63f24c6e992139378c4020b8
-
SHA1
146cd965372c1bde95c57f1de898bdfcbeddcca2
-
SHA256
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134
-
SHA512
62034f239430d6f32db02b0d0250acd1fbad2a17b56722db84a4dc4c538311862f9817c4e39b64eaa64e21dfe0d7399d9187bb8680595251d2bf76bba01ae74f
-
SSDEEP
24576:6yVQSIe2prqcN0ljd0UDJpFa5cdQ/0moBvK91PSxKZrSea3lkd0Sx:BV7IRRMaYvFa5WQMmo5USb3lkyS
Malware Config
Extracted
redline
doma
185.161.248.75:4132
-
auth_value
8be53af7f78567706928d0abef953ef4
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023c7e-19.dat family_redline behavioral1/memory/4808-21-0x0000000000860000-0x000000000088A000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
x5702835.exex3558795.exef3349851.exepid Process 1148 x5702835.exe 1592 x3558795.exe 4808 f3349851.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exex5702835.exex3558795.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5702835.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x3558795.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exex5702835.exex3558795.exef3349851.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x5702835.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x3558795.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3349851.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exex5702835.exex3558795.exedescription pid Process procid_target PID 3500 wrote to memory of 1148 3500 c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe 84 PID 3500 wrote to memory of 1148 3500 c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe 84 PID 3500 wrote to memory of 1148 3500 c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe 84 PID 1148 wrote to memory of 1592 1148 x5702835.exe 85 PID 1148 wrote to memory of 1592 1148 x5702835.exe 85 PID 1148 wrote to memory of 1592 1148 x5702835.exe 85 PID 1592 wrote to memory of 4808 1592 x3558795.exe 86 PID 1592 wrote to memory of 4808 1592 x3558795.exe 86 PID 1592 wrote to memory of 4808 1592 x3558795.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe"C:\Users\Admin\AppData\Local\Temp\c33a0e00bbcde9dc48d5f845bf6c8b56c2f94ea3601c6879a1b72d5f047fb134.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5702835.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5702835.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3558795.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3558795.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3349851.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3349851.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4808
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
749KB
MD5980426ac1cfeb37d3da9cac42e3329ff
SHA11afdaf754adb4fee59dbd400f9470df7c52653e6
SHA2568eb20e7a0a57af6919f16b218bf7d41c0103fc9a2e84bee8aa7113ed2d551afe
SHA5127b4a9a28a9e905fad4d8a5e76ef84a098ac5234b0e079f08c218f5ccb6888f250c49ab974419532ce7e2c9db2d81ab62a0b039d94734a84b14a182fbaad2eacf
-
Filesize
304KB
MD5e168f0f8d383de423948ccb00d787e67
SHA1df35da17aa439d4e65a0843ab25743891774367f
SHA2565253b2dec576874376b034cd2a0590446c2b09c5c9bf82d1d8a3c95bff104629
SHA5122b2d0bde39086d5fcd38a39292069c4e7d0e679fdf2416ebbb221b9daa9b1a21915ed89f4e2e9971e49e2e8d0c7d9bb2fcb99ca65a748177a573431241fcf2be
-
Filesize
145KB
MD5ed0f31b1da6c545df6d5b5c52c966fb3
SHA141df1e28014c5d54ae8f33df6f2527813fc15efe
SHA2563d55bd3b427d4b10dd719a877c65b194145180b436d71055d064eb5231a7efa6
SHA512a6c969e09c21bf393266d15070e53bc35934007a766d3b45d05046a0f3538696c19bad42c105a79fcba648b97bce508ccabf0378cb42bd2ff31e155e7cc40626