Analysis

  • max time kernel
    131s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 22:20

General

  • Target

    ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe

  • Size

    534KB

  • MD5

    7fd9eb423829799f0ef592e3ec49b73c

  • SHA1

    57d81fb5bd5f52bfade9be3a982289bda852ffc0

  • SHA256

    ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed

  • SHA512

    b0e4a0414a24c603d436c4b3be2260aeca2b2f1919e40b1025001ed3c21f98187bf14941134fc8937c9a74562a17d8c6d6d276ef6164ce61b8b4f8c15f5e77cc

  • SSDEEP

    12288:YMrDy90P97VcdS/PSaYWyttbz40Kj07WasjBXVnhM:ry8tV7XSntKjaWasFbM

Malware Config

Extracted

  • Family
    redline
  • Botnet
    fuka
  • C2
    193.233.20.11:4131
  • Attributes
    • auth_value
      90eef520554ef188793d77ecc34217bf

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe
    "C:\Users\Admin\AppData\Local\Temp\ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dCc53.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dCc53.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMn21.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMn21.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dCc53.exe

    Filesize

    202KB

    MD5

    016bb85c8880a8ce3dfe4115c171f666

    SHA1

    4d5023cfbb3f53599e99f0c39c6803c23773100c

    SHA256

    424d8797a50cfec29cbbe9c08b187130e26129f8da250e7256bc5bd73a97934d

    SHA512

    727f615a52a7dd0317c33fec5b0869625d61dfe2c9549fa9a767517be4ac0d8799be01cd86ce8f4e9d1958af6da71f8014d161e6cc7e1da7c13c8e8d14ad9d3b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMn21.exe

    Filesize

    175KB

    MD5

    4c35cfbd12826cedb7982ab4e1763a6a

    SHA1

    1496bd1d1981d8bf38cf98cdd4aa47020ffe9303

    SHA256

    8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2

    SHA512

    5e55022ab3b5a49ba3695062b7db3fa920aa9e3653e52e5a556caeed2d8f217457ae472eb2cf3da32f4332fba52b9b1d4e8b42e09793c1f3bf970dcbce35566c

  • memory/2824-14-0x000000007430E000-0x000000007430F000-memory.dmp

    Filesize

    4KB

  • memory/2824-15-0x0000000000900000-0x0000000000932000-memory.dmp

    Filesize

    200KB

  • memory/2824-16-0x0000000005860000-0x0000000005E78000-memory.dmp

    Filesize

    6.1MB

  • memory/2824-17-0x00000000053E0000-0x00000000054EA000-memory.dmp

    Filesize

    1.0MB

  • memory/2824-18-0x0000000005310000-0x0000000005322000-memory.dmp

    Filesize

    72KB

  • memory/2824-19-0x0000000005380000-0x00000000053BC000-memory.dmp

    Filesize

    240KB

  • memory/2824-20-0x00000000054F0000-0x000000000553C000-memory.dmp

    Filesize

    304KB

  • memory/2824-21-0x000000007430E000-0x000000007430F000-memory.dmp

    Filesize

    4KB