Analysis
max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
09/11/2024, 21:56
Static task
static1
Behavioral task
behavioral1
Sample
fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe
Resource
win10v2004-20241007-en
General
Target
fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe
Size
584KB
MD5
84af3730dffd87b53290f60aec7c8071
SHA1
b208cd2a79266166620da7d134e11cd96e19a9fb
SHA256
fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33
SHA512
7fc1a60cb2d16be677b0bac0ca4e7263abc7664e044a5d98fc292a3f737bb0ffc6c43177222a76460bb48d0edb22c408a51ef863ff76efba3d1f9e33401e1420
SSDEEP
12288:xMrcy90czgyvK1KDswl/9kZHV54UGfI8ZTrYDZ+KTPWrtmRMz4OD4qybd:hyiyvK1Nwl1kVVpGg8ZTrYDgKTQII4OC
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/1936-19-0x0000000002600000-0x0000000002646000-memory.dmp | family_redline
behavioral1/memory/1936-21-0x0000000005150000-0x0000000005194000-memory.dmp | family_redline
behavioral1/memory/1936-85-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-73-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-61-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-49-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-37-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-23-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-22-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-83-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-81-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-79-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-77-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-75-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-71-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-69-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-67-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-65-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-63-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-59-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-57-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-55-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-53-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-51-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-47-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-45-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-43-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-41-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-39-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-35-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-33-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-31-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-29-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-27-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline
behavioral1/memory/1936-25-0x0000000005150000-0x000000000518E000-memory.dmp | family_redline

Redline family

Executes dropped EXE 2 IoCs
pid | Process
2984 | dgz9772.exe
1936 | nAC45rD.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dgz9772.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dgz9772.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nAC45rD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1936 | nAC45rD.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3156 wrote to memory of 2984 | 3156 | fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe | 84
PID 3156 wrote to memory of 2984 | 3156 | fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe | 84
PID 3156 wrote to memory of 2984 | 3156 | fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe | 84
PID 2984 wrote to memory of 1936 | 2984 | dgz9772.exe | 85
PID 2984 wrote to memory of 1936 | 2984 | dgz9772.exe | 85
PID 2984 wrote to memory of 1936 | 2984 | dgz9772.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe
   "C:\Users\Admin\AppData\Local\Temp\fd8d6c563af2d0a613a1a14daabbd3dfa35ea733e92cd545baf3b9e3c5075f33.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:3156

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgz9772.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dgz9772.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2984

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nAC45rD.exe
         C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nAC45rD.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID:1936
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
438KB
MD5
7c1e27d63057f147b09635a59ff74e40
SHA1
6ced602148ca2b755db6edbf15f2b636e9f5472f
SHA256
40210d997d0e112a3b129ad5bb80cee60769fe007c79f04653a748977b51e113
SHA512
e55d5a9687233053eb23472f1be4a457425d0989bd9c2c414a03ed32d13683bfa3ef4bad22656d7575114c8a3c4aef04dd0179c14a3c4e191cb62d94c4a27268

Filesize
311KB
MD5
2eafd71a540e9cd3f430ffdaccc2a1dc
SHA1
1b64a112431b61e04e59c1e992ebe8d97a79260d
SHA256
ec87c08660e5a044aa123c0ab27d8c88da6de3973418e13485d95ed69c0e2f5e
SHA512
956e803d8ee326b53af85572e64e4c41bc66a0d68dcf5e47349c029e62f62d71416a4f3a54a562ca3f2e68ff6a2e3de6091bc4b480b7391eaa6b87e835e29a06