Analysis
max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:34
Static task: static1
Behavioral task: behavioral1
Sample: 37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe
Resource: win10v2004-20241007-en
General
Target: 37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe
Size: 591KB
MD5: 764bef602723fb9df610a4a342795ad7
SHA1: 46e5b3022868010ce6087ebf3909e4c6670ec1be
SHA256: 37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff
SHA512: 21dd440ddca99e78e880a0fbd2d866299e033b6e30233901d8dd6923eda07b74358b65552ecc54929bfd0bb2a1eb9dc1cf5221254e50cc91a4ee302ca8c8e71d
SSDEEP: 12288:hMroy90v65RWM6PydAczWJXUpCaqZe+ri8ktI9ynmmKPMGQL0RT:RyHMM6PjqWh1g+ri8sIUnmmKPc4B
Malware Config
Extracted
Family: redline
Botnet: ronam
C2: 193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource  yara_rule
behavioral1/memory/4872-19-0x0000000002460000-0x00000000024A6000-memory.dmp  family_redline
behavioral1/memory/4872-21-0x00000000026F0000-0x0000000002734000-memory.dmp  family_redline
behavioral1/memory/4872-49-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-63-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-85-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-83-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-81-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-79-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-77-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-75-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-71-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-69-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-67-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-65-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-61-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-59-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-57-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-55-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-53-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-51-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-47-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-45-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-43-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-41-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-39-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-37-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-35-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-33-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-31-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-73-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-29-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-27-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-25-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-23-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline
behavioral1/memory/4872-22-0x00000000026F0000-0x000000000272E000-memory.dmp  family_redline

Redline family
Executes dropped EXE (2 IoCs)
pid   Process
4084  naM83DY14.exe
4872  ejs33DW.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: naM83DY14.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ejs33DW.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  naM83DY14.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  4872  ejs33DW.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process                                                                Target PID
PID 4564 wrote to memory of 4084   4564  37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe  83
PID 4564 wrote to memory of 4084   4564  37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe  83
PID 4564 wrote to memory of 4084   4564  37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe  83
PID 4084 wrote to memory of 4872   4084  naM83DY14.exe                                                          84
PID 4084 wrote to memory of 4872   4084  naM83DY14.exe                                                          84
PID 4084 wrote to memory of 4872   4084  naM83DY14.exe                                                          84
Processes

C:\Users\Admin\AppData\Local\Temp\37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\37892c40662c89133580abf0c2d54b5ec4d702bcd7836c57727116f35a440dff.exe"
  PID: 4564
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\naM83DY14.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\naM83DY14.exe
    PID: 4084
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ejs33DW.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ejs33DW.exe
      PID: 4872
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 446KB
MD5: 2e7d11377da2e68afe7df1e4cbdc3d74
SHA1: 968ab4a96626aa0cf2ebc9f71aa5ad614f25d11c
SHA256: 8dc1a91f9b0716f8a6716db278e4b5a76769b29e1f1aca91b0f3d0337532d37b
SHA512: 81bccc3c69ddf57ad4351e144fac169e4e709d9ca41f0805a5f320f22a0f79a1687d9db83b39805336b3d504e7c22f136db4a61b1299f3fa1236804eef86330d

Filesize: 329KB
MD5: f8a8a9163c847a2144670680479a771f
SHA1: e0f0cde7f67b18eb48bb253171508b1b3e39c172
SHA256: def50e848f25c94a89584f91d99c89791531b1371baf1e6c5f74e9c4e81df673
SHA512: 1ebe59ce59652bc34e25ea90f1fce93a5fda9924c716712873840c5996cc535f6db212606cba74b2dc59c42a8ccfcb47d9d001bbfad4b9213552d8e502dfff35