Analysis
- max time kernel: 131s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe
- Resource: win10v2004-20241007-en
General
- Target: ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe
- Size: 534KB
- MD5: 7fd9eb423829799f0ef592e3ec49b73c
- SHA1: 57d81fb5bd5f52bfade9be3a982289bda852ffc0
- SHA256: ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed
- SHA512: b0e4a0414a24c603d436c4b3be2260aeca2b2f1919e40b1025001ed3c21f98187bf14941134fc8937c9a74562a17d8c6d6d276ef6164ce61b8b4f8c15f5e77cc
- SSDEEP: 12288:YMrDy90P97VcdS/PSaYWyttbz40Kj07WasjBXVnhM:ry8tV7XSntKjaWasFbM
Malware Config
Extracted
- redline
- fuka
- 193.233.20.11:4131
- auth_value: 90eef520554ef188793d77ecc34217bf
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023cb5-12.dat | family_redline
  behavioral1/memory/2824-15-0x0000000000900000-0x0000000000932000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid | Process
  4288 | dCc53.exe
  2824 | aMn21.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dCc53.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dCc53.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aMn21.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3976 wrote to memory of 4288 | 3976 | ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe | 83
  PID 3976 wrote to memory of 4288 | 3976 | ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe | 83
  PID 3976 wrote to memory of 4288 | 3976 | ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe | 83
  PID 4288 wrote to memory of 2824 | 4288 | dCc53.exe | 84
  PID 4288 wrote to memory of 2824 | 4288 | dCc53.exe | 84
  PID 4288 wrote to memory of 2824 | 4288 | dCc53.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ede3a9eb003f3e438c1970ddd5dd8fbb136b7a0c9eaf8cc0331bf9e27429f6ed.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3976
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dCc53.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dCc53.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4288
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMn21.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aMn21.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202KB
  MD5: 016bb85c8880a8ce3dfe4115c171f666
  SHA1: 4d5023cfbb3f53599e99f0c39c6803c23773100c
  SHA256: 424d8797a50cfec29cbbe9c08b187130e26129f8da250e7256bc5bd73a97934d
  SHA512: 727f615a52a7dd0317c33fec5b0869625d61dfe2c9549fa9a767517be4ac0d8799be01cd86ce8f4e9d1958af6da71f8014d161e6cc7e1da7c13c8e8d14ad9d3b
- Filesize: 175KB
  MD5: 4c35cfbd12826cedb7982ab4e1763a6a
  SHA1: 1496bd1d1981d8bf38cf98cdd4aa47020ffe9303
  SHA256: 8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2
  SHA512: 5e55022ab3b5a49ba3695062b7db3fa920aa9e3653e52e5a556caeed2d8f217457ae472eb2cf3da32f4332fba52b9b1d4e8b42e09793c1f3bf970dcbce35566c