Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 06:14
Static task: static1
Behavioral task: behavioral1
Sample: df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe
Resource: win10v2004-20241007-en
General
Target: df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe
Size: 890KB
MD5: 253e0c55a77bbe1f1194de5892327868
SHA1: 02138d6c59180ff03da9126b1f044f630d1bb8c2
SHA256: df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0
SHA512: f18e98575f78a966eb362092148fca52f433e1c35f5678ad01d48ca783f8b413dcfee27e2f1667f8a39735528090b7dacd9e1248cc80ac10f99a2192f88db7bc
SSDEEP: 24576:Sy0K8Ace5NcentRZzOjk8mybHjUYPR0R8ozzC:50ebCet7+t024
Malware Config
Extracted (family: redline)
Botnet: gena
C2: 185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Extracted (family: redline)
Botnet: dante
C2: 185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/5080-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp | family_redline
behavioral1/files/0x000800000001e560-2174.dat | family_redline
behavioral1/memory/4392-2182-0x00000000008E0000-0x000000000090E000-memory.dmp | family_redline
behavioral1/files/0x0007000000023cc3-2194.dat | family_redline
behavioral1/memory/2244-2196-0x0000000000C80000-0x0000000000CB0000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | p96354167.exe

Executes dropped EXE (4 IoCs)
pid | Process
3112 | y64085405.exe
5080 | p96354167.exe
4392 | 1.exe
2244 | r99060708.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y64085405.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
6124 | 5080 | WerFault.exe | 84

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p96354167.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r99060708.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y64085405.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 5080 | p96354167.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3924 wrote to memory of 3112 | 3924 | df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe | 83
PID 3924 wrote to memory of 3112 | 3924 | df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe | 83
PID 3924 wrote to memory of 3112 | 3924 | df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe | 83
PID 3112 wrote to memory of 5080 | 3112 | y64085405.exe | 84
PID 3112 wrote to memory of 5080 | 3112 | y64085405.exe | 84
PID 3112 wrote to memory of 5080 | 3112 | y64085405.exe | 84
PID 5080 wrote to memory of 4392 | 5080 | p96354167.exe | 91
PID 5080 wrote to memory of 4392 | 5080 | p96354167.exe | 91
PID 5080 wrote to memory of 4392 | 5080 | p96354167.exe | 91
PID 3112 wrote to memory of 2244 | 3112 | y64085405.exe | 95
PID 3112 wrote to memory of 2244 | 3112 | y64085405.exe | 95
PID 3112 wrote to memory of 2244 | 3112 | y64085405.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\df90d3dd42c3f9a52b2be1544b7ed1986a654175b981ee387911d1bf0c0986f0.exe"
  depth 1, PID 3924
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y64085405.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y64085405.exe
    depth 2, PID 3112
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p96354167.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p96354167.exe
      depth 3, PID 5080
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
        depth 4, PID 4392
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1376
        depth 4, PID 6124
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r99060708.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r99060708.exe
      depth 3, PID 2244
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5080 -ip 5080
  depth 1, PID 6024
MITRE ATT&CK Enterprise v15
Downloads