Analysis
-
max time kernel
136s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 21:05
Static task
static1
Behavioral task
behavioral1
Sample
49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe
Resource
win10v2004-20241007-en
General
-
Target
49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe
-
Size
794KB
-
MD5
dffa7d6b4708b40053421a6995eaf9be
-
SHA1
b28f6eaed28c9c4ecd12e016e3108d4eb3f1357a
-
SHA256
49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862
-
SHA512
7ac774dd19d59adabddc2c810698c9f1ddd141c4bb246da09f185a459404a28bd467626020e65ce1d36fbd2b09d7b32049da67fcf0ee810ed86062495b80c8a6
-
SSDEEP
12288:ey90PemQKHqTrGp7BZnnZeXiR5wwB+Pm5InepXug6nPM5WGo1Iepa/hB:ey2RQ7TrKHn1R3B+u53pXCMLo1Iz/v
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
dante
185.161.248.73:4164
-
auth_value
f4066af6b8a6f23125c8ee48288a3f90
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/3616-2169-0x00000000059D0000-0x0000000005A02000-memory.dmp family_redline behavioral1/files/0x000a00000001e580-2174.dat family_redline behavioral1/memory/1472-2182-0x0000000000530000-0x000000000055E000-memory.dmp family_redline behavioral1/files/0x000a000000023b9d-2194.dat family_redline behavioral1/memory/1756-2196-0x0000000000D60000-0x0000000000D90000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation m00902875.exe -
Executes dropped EXE 4 IoCs
pid Process 4248 x03220774.exe 3616 m00902875.exe 1472 1.exe 1756 n48019991.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x03220774.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 760 3616 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language n48019991.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x03220774.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m00902875.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3616 m00902875.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2424 wrote to memory of 4248 2424 49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe 83 PID 2424 wrote to memory of 4248 2424 49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe 83 PID 2424 wrote to memory of 4248 2424 49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe 83 PID 4248 wrote to memory of 3616 4248 x03220774.exe 84 PID 4248 wrote to memory of 3616 4248 x03220774.exe 84 PID 4248 wrote to memory of 3616 4248 x03220774.exe 84 PID 3616 wrote to memory of 1472 3616 m00902875.exe 89 PID 3616 wrote to memory of 1472 3616 m00902875.exe 89 PID 3616 wrote to memory of 1472 3616 m00902875.exe 89 PID 4248 wrote to memory of 1756 4248 x03220774.exe 93 PID 4248 wrote to memory of 1756 4248 x03220774.exe 93 PID 4248 wrote to memory of 1756 4248 x03220774.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe"C:\Users\Admin\AppData\Local\Temp\49f4ed88f2b0bebfb3e363ab5f0642df10d6a41bb2f220199ff855166218d862.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x03220774.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x03220774.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m00902875.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m00902875.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 13684⤵
- Program crash
PID:760
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n48019991.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n48019991.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3616 -ip 36161⤵PID:1564
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
590KB
MD548fa781569319c6c451407a845d3c057
SHA1cf940cd91c741284e1640f8f55e1c223e967c3b4
SHA256aed7d7e49ede7bea27b7f75969cbe9e2482c8a11843dace7116b39eefc4c7655
SHA512452763d15c3a5a966a176454e9136a6c5edc910715a9d60b262333301671742d91d600acfc765023b41197ff5413a1f1969c09e4d2bdd03d5bc273b63bba086b
-
Filesize
530KB
MD50c9c15709561c52e1e70e7ace418b1b4
SHA16a7fe0160636a4bcd19766c20504e2bcfb9f9702
SHA2569b78fb739d8bfa7c946e860c2b58f4b277d1934bad61b191f889e8fcf0cdd522
SHA512579e0ab5badd804ea0d3e312d01f26ebf36c3bd276adc6a0101c09da28e3a9950df4f10f7620ea94ce793301ef43116c0242a2f0e142ed79eae54c34fbfcff0c
-
Filesize
168KB
MD5cadb85e3560bc711e4ddefa081ee2b8a
SHA178a50b5cc5f9c678891a068ed888b0d8cacfaaa5
SHA25603477c0ce841fa1d7721453b29cc6e19afb8001d55303856ab72a7bec3d4798d
SHA51285ee77e6026d5da91c814c313caa1b2d1079373b92d31fd93d03956812e9cc90c2f72b0820f6a2882c9ca6d8df75d06ad7c6ceb6ba75aaf3b7217983b69a1e9f
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf