Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 22:23
Static task: static1
Behavioral task: behavioral1
Sample: 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe
Resource: win10v2004-20241007-en
General
Target: 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe
Size: 592KB
MD5: 1c08faa47118f68335279cd62948e0c5
SHA1: 238aca8e1c77f1696f757689f4b9cb8276f0d02c
SHA256: 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e
SHA512: 0893886c2f3884b1a03b33c7d36d509ab39f1f6719fcc2c8e5410f4f32422c9b8327348de075742e1f4b5122878b7abf2d42502374e36c5175dacdbd6ed7709a
SSDEEP: 12288:nMrfy90U1jGs6teCAJlsoLJlJFlG0CrSQ/3XjJy+:gy9B6teZsoLJlNG0CrrfP
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 2 IoCs
pid  Process
4800 ncz27CU94.exe
1844 eci65eM.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ncz27CU94.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ncz27CU94.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eci65eM.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1844 eci65eM.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3460 wrote to memory of 4800 3460 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe 84
PID 3460 wrote to memory of 4800 3460 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe 84
PID 3460 wrote to memory of 4800 3460 7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe 84
PID 4800 wrote to memory of 1844 4800 ncz27CU94.exe 85
PID 4800 wrote to memory of 1844 4800 ncz27CU94.exe 85
PID 4800 wrote to memory of 1844 4800 ncz27CU94.exe 85
Processes
C:\Users\Admin\AppData\Local\Temp\7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c3870677cb2105ee402568259d4a104dd0c9e593a61535b72f4ba2da372611e.exe"
  PID: 3460 (level 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ncz27CU94.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ncz27CU94.exe
    PID: 4800 (level 2, child of 3460)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eci65eM.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eci65eM.exe
      PID: 1844 (level 3, child of 4800)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 447KB
MD5: 0216fc1c857b8befbefa83a1f1edea6e
SHA1: d7838f9ba84b992ef404a16abdb64873ad5aa2ff
SHA256: da4d803c1ea0bca5c0fbe7d6e523bc44ff41aae59d81c3d02c282701b847dc7f
SHA512: f433b7d671eb8a664badb1a580f621151d328e243a0a6db82eb14d1d36a16b0ee2c48a65ddc09f187cb23ae74c5ec63d548c26338c642e8995e8832ce2b2ec88

Filesize: 328KB
MD5: dc56499d8a1803fe15a9f3aafaa51eff
SHA1: 7e1a0fca051e257eac7107469e21e54926adb045
SHA256: 7adba657539fa1149a87bdfa3d5d070a425713116e19d9cfb0ecf736f9efd469
SHA512: ae2d5615f00d216f3037a823c8201cabc56deca68ef31415230b60d46192cbc391128e4bcc06a347cf46fe29ba3a908771449d1d603a988f20f165a1a0f895a7