Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 22:22

General

  • Target

    188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe

  • Size

    376KB

  • MD5

    974c64901500421a596ad26f606128e4

  • SHA1

    c1e9d29ce7085864968ec1f33740b24f41d821a5

  • SHA256

    188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6

  • SHA512

    957ddb1f3ee56323d305b026274a12294c92ff0b2a0346efa814abf15c45d23d7965915eadbb34a884d676f86e6b26001f3c28feb23604382dfe978742d6717f

  • SSDEEP

    6144:Kgy+bnr+9p0yN90QEevJCS6Yy9MPke9wWwjXFOEOpljux43Dl:IMrly90MovM9sWrjuSTl

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe
    "C:\Users\Admin\AppData\Local\Temp\188a568c4e8126b6283ead1458713fb17f7bf1277c2c52ac16f4f4532ed1d6d6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4507930.exe

    Filesize

    204KB

    MD5

    56252d91ac7df6398dfff7418849511a

    SHA1

    09f5b5b019d887a38f1849961f1eb6b0afbcbfb5

    SHA256

    b7e08d7096e73e3bda5aed24d3296e48b0035f7a12c7c21ca0c7b494e6e38459

    SHA512

    d92f4371eb980c46198a18dfc1b00b0445c2fa5550d70c30da36e2234feeb24cb4c34cbb2ee665c653c9a26c6327d3d41df4f13f94ffd2035662c3e11a397ea5

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7601471.exe

    Filesize

    136KB

    MD5

    8f30f7f88229560306c5959c605316de

    SHA1

    36f26a905a9743f6dd1608e39b37d1116cafcc0a

    SHA256

    3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

    SHA512

    267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

  • memory/4784-14-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

  • memory/4784-15-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/4784-16-0x0000000007DC0000-0x00000000083D8000-memory.dmp

    Filesize

    6.1MB

  • memory/4784-17-0x00000000077D0000-0x00000000077E2000-memory.dmp

    Filesize

    72KB

  • memory/4784-18-0x0000000007900000-0x0000000007A0A000-memory.dmp

    Filesize

    1.0MB

  • memory/4784-19-0x0000000007830000-0x000000000786C000-memory.dmp

    Filesize

    240KB

  • memory/4784-20-0x0000000073F20000-0x00000000746D0000-memory.dmp

    Filesize

    7.7MB

  • memory/4784-21-0x0000000004E50000-0x0000000004E9C000-memory.dmp

    Filesize

    304KB

  • memory/4784-22-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

  • memory/4784-23-0x0000000073F20000-0x00000000746D0000-memory.dmp

    Filesize

    7.7MB