Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:21
Static task: static1
Behavioral task: behavioral1
Sample: 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe
Resource: win10v2004-20241007-en
General
- Target: 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe
- Size: 707KB
- MD5: a657fc85b52b52bd8e5bc2f6945f1adf
- SHA1: a97ecc1c4e294961f31b28dd6b4a6a17eeb99f60
- SHA256: 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646
- SHA512: 1badd82d98e1864d8b3d04c271538c6a9c912a4d026fa9d3bf671cc1168b95f43b9398568396e164cd3eb5e769ce6fc4ecc371731cf189206fcf57f6e7a2214f
- SSDEEP: 12288:rMrxy90IOtKI7HDFC30TMDsrnjr2wEB1RPzGEreboY4YWbJoC4KtZyOknNYAL:+yoBC+iwEB1JGEmP0bJuHxxL
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b74-12.dat | family_redline
  behavioral1/memory/724-15-0x0000000000410000-0x0000000000438000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid | Process
  4572 | x4960761.exe
  724 | g6503738.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x4960761.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x4960761.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g6503738.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4276 wrote to memory of 4572 | 4276 | 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe | 84
  PID 4276 wrote to memory of 4572 | 4276 | 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe | 84
  PID 4276 wrote to memory of 4572 | 4276 | 5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe | 84
  PID 4572 wrote to memory of 724 | 4572 | x4960761.exe | 85
  PID 4572 wrote to memory of 724 | 4572 | x4960761.exe | 85
  PID 4572 wrote to memory of 724 | 4572 | x4960761.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5352ac1aaa618dd27cab45a0d345a68cd7f32d93b9c17ade420a4cdea9e4d646.exe"
  PID: 4276
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe (child of PID 4276)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4960761.exe
    PID: 4572
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe (child of PID 4572)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6503738.exe
      PID: 724
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 416KB
  MD5: 1277da9010ebc55f5f6913ba8f8cd9d7
  SHA1: 86002a35d9676d85a38bcae1ce4442879b4beb93
  SHA256: d42b630b59feab7c21aaf032aa72840593b1a8a6c8e517e418f71f2b4d3aa39d
  SHA512: 47cb668bf718b71a7d42de9cf733a434712d442b9cf497ce8aa5cbf75f8ddc84b17b6531f6cc372faa8fbc87b4f38d3c01c71ba578ae4c44b778b6b7ca749614
- Filesize: 136KB
  MD5: bdb266e3f32484186305b8802d7d14ed
  SHA1: 7d542b89c3e7b94f0db746d21f949bf708a0ba8c
  SHA256: cd84f486ed55ef9dae20483659268bbb8111d7aed151ec0bda4a1272c3cb4c96
  SHA512: dba745d2da8236c015a4efe52d30af7f03b2c12a50772b247daedef9d43ceaa5246c09cabd73454ecc7010700899e7494eb159677d9c1144b534b2a02a299aaa