Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:00
Static task: static1
Behavioral task: behavioral1
Sample: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe
Resource: win10v2004-20241007-en
General
Target: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe
Size: 583KB
MD5: 0d7910815498fe885c669c0729f2c212
SHA1: f3d347d49671d01382ca1a8e3959c0c021d3478a
SHA256: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37
SHA512: 05111f0f4dc39a5dfaa3c824dfa5d2a479e903e53929d7044dc3b19c50855d0fa06f8a010f80a329943eaacddf440d5ff3e3ba402ea538f038e7ecf6cce0269b
SSDEEP: 12288:IMrxy90NUGBgl0zcN16ItRuKPWpDdmwmwYy0u70Goyr6TMgG53SX:ZycBg1r6IbTutdJYyh70Go8d53SX
Malware Config
Extracted
Family: redline
Botnet: ronur
C2: 193.233.20.20:4134
auth_value: f88f86755a528d4b25f6f3628c460965
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family

Executes dropped EXE (2 IoCs)
- pid 2536, Process: den1901.exe
- pid 4724, Process: neo60IW.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: den1901.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: den1901.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: neo60IW.exe)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege (pid 4724, Process: neo60IW.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3584 wrote to memory of 2536 (Process: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe, procid_target 85)
- PID 3584 wrote to memory of 2536 (Process: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe, procid_target 85)
- PID 3584 wrote to memory of 2536 (Process: be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe, procid_target 85)
- PID 2536 wrote to memory of 4724 (Process: den1901.exe, procid_target 86)
- PID 2536 wrote to memory of 4724 (Process: den1901.exe, procid_target 86)
- PID 2536 wrote to memory of 4724 (Process: den1901.exe, procid_target 86)
Processes
1. C:\Users\Admin\AppData\Local\Temp\be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be39480e8f78cc38960853590e7873e15501ff0aaa0d831b143173a63e583a37.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3584
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\den1901.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\den1901.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2536
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\neo60IW.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\neo60IW.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 4724
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 438KB
  MD5: 0a4d0834b0d91f53086d3f664af7561b
  SHA1: 8ca0fc94d61d5f8f409ce0b40a76b6f012a8b807
  SHA256: 2cb1c776ce5016a480a0d767eb86d18c3114473354d9197735068652f0e75479
  SHA512: 6ab91687a9b65994c28f2d2916090e23e138dfd0d195a3528b9ac967dec1487b936b2c882aa74c4d9c7f76313689f677e3acb0bb1dadb51a67a0ebbf4ce8973f
- Filesize: 312KB
  MD5: d003dffb8644ae4ec901ffe2cefd4c6e
  SHA1: 9ddef1e8a01ac2aa457bf7d6c35bd2717bbfef56
  SHA256: c3d4a3ed8d9548266be03aaa4e4cdd0ac00426289f147f47281c5dc7c646dd9c
  SHA512: a8fa575e5a58f96ee148689c1e14ec2c07bf102b0c1e217e66009e06d7478cd377214e0a409003cc64c63589336cb95d0f6dbe636cfdf00baaf046c2ccb92f30