Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 08:55
General
-
Target
installer.exe
-
Size
1.3MB
-
MD5
4ca8d5fd296026e9594929feea52990e
-
SHA1
3d70526e7f8bbd05e64b6e195ad9cd6644fc65c3
-
SHA256
fc09addb668c15983de03593dd8f182261f3957c3dc02fbf2653820858810fa9
-
SHA512
15180308f09e989efb174cc022ad54078f6e66872c96e1027f8f36fcd37cb5b596a566b66e1935d853fc54fade05ba4179e81218c3b7952953677a7378a82712
-
SSDEEP
24576:odGlKVNT2CqjiK7VhmD2beSmNPiQ4SEqxgHY:o8lCkFz/O27mNKToxN
Malware Config
Extracted
redline
0116
81.161.229.143:26910
-
auth_value
35f84f965c2ecd5ec79c6b3e71986b0d
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 17363⤵
- Program crash
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1368 -ip 13681⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
MD58bb02e13b56d25d583ee44b74f745d2e
SHA123f6745eeb754ca53d760ab8e3a012ed791e3698
SHA256f08949113be913898d130cf40334a88b245ebfa63a0011fa57bd32dccaf6bff8
SHA512366028ac0b1c288055b3c685389083ef0a61fe57d86e8b45c4fca5ca9aea738c626dff197f1ea0d8157324228e125bf302c8d5ccd10bca10701a9f9465ea7675
-
Filesize
360KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
96KB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.2MB