Analysis
max time kernel: 140s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe
Resource: win10v2004-20241007-en
General
Target: e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe
Size: 564KB
MD5: 6c9f9c13101a53185dede951d7e060bc
SHA1: d9310c26fd68fa9f30263a168a392e954605afb5
SHA256: e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e
SHA512: b47dd3f38cada3e6e99f31a997ee79b8ef6e1b9dd496a5804dd1159b862f14e5f8ac7dc38c356abcc635d5f537586141eca4a6bff76209dec9a5cd249a299279
SSDEEP: 12288:qMrwy90ATmnLihKMlxJi3t2caf3Rr+KvDXdXyAK:eyfkLejlxJi3I1xDNPK
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 2 IoCs
pid   Process
4916  nQf67gg07.exe
1372  eXx74On.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nQf67gg07.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nQf67gg07.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eXx74On.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1372 | eXx74On.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1324 wrote to memory of 4916 | 1324 | e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe | 84
PID 1324 wrote to memory of 4916 | 1324 | e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe | 84
PID 1324 wrote to memory of 4916 | 1324 | e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe | 84
PID 4916 wrote to memory of 1372 | 4916 | nQf67gg07.exe | 85
PID 4916 wrote to memory of 1372 | 4916 | nQf67gg07.exe | 85
PID 4916 wrote to memory of 1372 | 4916 | nQf67gg07.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e69f8fd1a60cd77d53de6db0c6f9344f816c3fdeae6211f7f6cb81a4b71ac52e.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1324

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQf67gg07.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQf67gg07.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4916

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXx74On.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eXx74On.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 419KB
MD5: 46f9a6210d8de402e0e16bac4d409349
SHA1: 788d0c08237c908b9fcd7bd42251d70e66874fb4
SHA256: a441e1bd6745f3695987827cd40272430dc8075901efbd19dd7d4fcda928dafc
SHA512: 9849ae1f604fbc0fd9aab719b1df06996e67af30c0b851fa81903dcc160deef3beef57e7a26beb3ed2babc427d976e99aa9bf8ea5c8134d000d193fb4b15d4e9

Filesize: 265KB
MD5: 7a78f52edbea16ad7c9ba5d09f7aa32b
SHA1: 486aaf1b89a4dc78da8b73a75417d4d875efbe2a
SHA256: 00631c3b76c2cad95b50e997aa14945832db0283e512b7eac0229246a869b73b
SHA512: 0484461740ed7bfa0c11fbe7c2afc6db7984b892b086b0d36184d35f9baf3795d3ccdae14530813c11deaf33b73191e4477ff2004e99e1bde356a979bf40b550