Analysis
max time kernel: 132s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:20
Static task: static1
Behavioral task: behavioral1
Sample: 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe
Resource: win10v2004-20241007-en
General
Target: 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe
Size: 843KB
MD5: 0060f21d8002518dc669236b5c2692b0
SHA1: cef3ed70fd8fb76cee25db7078bbd05945317df1
SHA256: 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12f
SHA512: 890b18b5fec6b7dcc86bd99b7dce56691580fd28cc11c62aa0fe9f48c857ea2ade0ba7de6acda807d9780a811d2096c9a1757e85f19287c0e8043a97537bbb50
SSDEEP: 24576:HyK3O3oVgzCcpr1/LVHUSoKqS7/l+Kf7:SK3OCgzCczVUS3dth
Malware Config
Extracted
redline
most
185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c6f-12.dat | family_redline
behavioral1/memory/4680-15-0x0000000000130000-0x0000000000160000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
4752 | i88034347.exe
4680 | a76258075.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i88034347.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i88034347.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a76258075.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1204 wrote to memory of 4752 | 1204 | 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe | 84
PID 1204 wrote to memory of 4752 | 1204 | 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe | 84
PID 1204 wrote to memory of 4752 | 1204 | 5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe | 84
PID 4752 wrote to memory of 4680 | 4752 | i88034347.exe | 85
PID 4752 wrote to memory of 4680 | 4752 | i88034347.exe | 85
PID 4752 wrote to memory of 4680 | 4752 | i88034347.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e8eec1d25e26047f0748aa13b1f25bc2cc6828367593c403420de3f4089e12fN.exe"
   PID: 1204
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i88034347.exe
      PID: 4752
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a76258075.exe
         PID: 4680
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 371KB
MD5: 7b45c3bbefc65d092f9ff72d76e87b01
SHA1: 83e5616cd32629b164cccf68e722e8635c54b42a
SHA256: 68fc27a8dff40abc5216d2bb14cf5d83ce71683657b6bf111abf5e89220d8123
SHA512: 2a668c045d6c06f2182aefa0947756e6eae83e34d65a7399867a8c263f571537b1b5bbe65b6931ec1606d09b692875c664de452dddccd132cf438f6d6612c8a2

Filesize: 169KB
MD5: b982398e2ce0cf8b607286083bc71c47
SHA1: 9bc0dc9f894efae29aa13c7dc8620acd65eb2912
SHA256: 12132f821daef3ccf262499529e908f7ca2aa461ba39d3d9f84e0c54846c2d60
SHA512: a6a998e3f5ee48e58fa0d4fa59da8557cf140ef5b8d126ab6ce3b176f89f5d49284a8686ffadc24374d576d601dc012ece2421685cd66cc74e04c80594fbf754