Analysis

  • max time kernel
    132s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 21:41

General

  • Target

    20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe

  • Size

    479KB

  • MD5

    371935e6206a860e121a6968c283af30

  • SHA1

    4ac50d5a43a213aa450c8f913774fa7890d2c144

  • SHA256

    20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b

  • SHA512

    031a1716ba8b2da4d8d49330e1a8b5dfb2cca9134820699011dbefe01acf81eee39dfb4b4525027d3889d95cd56afe21955c57ee53e2dd02c5393460677c8673

  • SSDEEP

    6144:Kky+bnr+8p0yN90QEF13cJzzZnMAews4ZnZs50XYNYCQcJPniwJykdu6sp0xEzN2:gMrYy90NsbMW7vwJzduJ0v9kMN1gq9B

Malware Config

Extracted

Family

redline

Botnet

dippo

C2

217.196.96.102:4132

Attributes
  • auth_value

    79490ff628fd6af3b29170c3c163874b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe
    "C:\Users\Admin\AppData\Local\Temp\20d12f34550001beafd3592769ba74f1b4abf28bee966de063b3e76165eaa08b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7474593.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7474593.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2744051.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2744051.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7474593.exe

    Filesize

    307KB

    MD5

    9337938de858f95646c55a67babf9358

    SHA1

    56dcb0b887917475dbb330b1887e01ba94865956

    SHA256

    7a42612b2f96804d35f74a177b6c8f7e1ac17271350c1f2c142003d2606b7211

    SHA512

    f41f3819f76ae2431f7b07752be05e1f74da38ea532d8c708d9907d764f1dbfeedc15ce02e0cae596c1dc0f1b384a51fc3dad137dd1a261d5ed4e10d2fcbafe9

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2744051.exe

    Filesize

    168KB

    MD5

    b486ae6b4d9032e888a5a62898b3e24b

    SHA1

    a0608db39817c75f44993ab40350d9d2c3a8317d

    SHA256

    2fdf778ab9c2d9aa6de68b508cd1bce00043e4284a9ad23d310bb6ad10b8bb90

    SHA512

    7c87031ba2cdce44a916ccda43c3a4c732193a8365d56e4b550404e050e7dbfbc99bb12e0769676acdc6b46571a09dc5aa221a8c8dddacba5a0234cfcb05615e

  • memory/2192-14-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

  • memory/2192-15-0x0000000000E30000-0x0000000000E5E000-memory.dmp

    Filesize

    184KB

  • memory/2192-16-0x0000000005850000-0x0000000005856000-memory.dmp

    Filesize

    24KB

  • memory/2192-17-0x0000000005F00000-0x0000000006518000-memory.dmp

    Filesize

    6.1MB

  • memory/2192-18-0x00000000059F0000-0x0000000005AFA000-memory.dmp

    Filesize

    1.0MB

  • memory/2192-19-0x0000000005900000-0x0000000005912000-memory.dmp

    Filesize

    72KB

  • memory/2192-20-0x0000000073F60000-0x0000000074710000-memory.dmp

    Filesize

    7.7MB

  • memory/2192-21-0x0000000005960000-0x000000000599C000-memory.dmp

    Filesize

    240KB

  • memory/2192-22-0x00000000059A0000-0x00000000059EC000-memory.dmp

    Filesize

    304KB

  • memory/2192-23-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

  • memory/2192-24-0x0000000073F60000-0x0000000074710000-memory.dmp

    Filesize

    7.7MB