Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 11:01

General

  • Target

    f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe

  • Size

    772KB

  • MD5

    039cb4e36fc235b50dc492c57b36f513

  • SHA1

    75f6afcb7eeedd3b593f3d331edfc6d281b995d9

  • SHA256

    f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84

  • SHA512

    7f573ef178a8df7b04962b99531233c44e547f59ea66b6f73f4e80985d24251b8abcf53243c8dc669d4a739b20dcf806ac2939f535d9fcaebd005fb9d06fd18a

  • SSDEEP

    12288:kMrny90jVZRD1TinRFVMne5e7haaTwovxkyzpBTKpGD9lFfs9Ov0Rf5lkfR2:LyYbDNUtMnew6Yp4p29po5W2

Malware Config

Extracted

Family

redline

Botnet

dubur

C2

217.196.96.102:4132

Attributes
  • auth_value

    32d04179aa1e8d655d2d80c21f99de41

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe
    "C:\Users\Admin\AppData\Local\Temp\f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9787554.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9787554.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6551464.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6551464.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3256
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9552594.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9552594.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3748

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9787554.exe

          Filesize

          489KB

          MD5

          1e5494c8a4db0c29199db61f3b3e8621

          SHA1

          a1c49c1644585b4649e9c54bf5687da8218271e9

          SHA256

          8f5a8550a2bb87917bbb0efa268224bc1b5de8aaf7b9cf9235b32390fdec9549

          SHA512

          98feaff6cb9fa76de9fb94d86d3e45a92b51b18192cfe479a3a29bf6caea21a44c10b3986588386864fc6ec567075a9c19c03bcbfb660ea0e919a5e05429f90b

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6551464.exe

          Filesize

          317KB

          MD5

          b0a5e687e0da409b3d3b6a048b1aad9d

          SHA1

          a5194e7a382de89d3403b2e20f6cffab39827fc8

          SHA256

          144bb2763087d5badb44a90fa4248dbefcf347d44c473e28315db51cef23346e

          SHA512

          0fdff01757e406a6d2194d78f0772b501116ed9f7d04aa177bd4c2376c7722b45f27c0f7cdf5b3a3bf46c4904c3e3c7f3a368e03f19b88912dbccda64735ca21

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9552594.exe

          Filesize

          168KB

          MD5

          e2ce2715cd9c3210082dbee50a728272

          SHA1

          20635e9451d14d9439431d1146a0a263e00cdd36

          SHA256

          89eb23cdb625d5207903095b3eb8ff7a6c4b35c314d64ee5d6930e2da85a765d

          SHA512

          828a68ff1c41dc8cd2b5a2a8c837b99a14823062bc2f15011d2a9dbae8aabe779133c4463ad4019443e57c8cfdf43dcd07572986e48ada514363ff6c803e5302

        • memory/3748-21-0x00000000005F0000-0x000000000061E000-memory.dmp

          Filesize

          184KB

        • memory/3748-22-0x0000000002A00000-0x0000000002A06000-memory.dmp

          Filesize

          24KB

        • memory/3748-23-0x000000000AA90000-0x000000000B0A8000-memory.dmp

          Filesize

          6.1MB

        • memory/3748-24-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

          Filesize

          1.0MB

        • memory/3748-25-0x000000000A4D0000-0x000000000A4E2000-memory.dmp

          Filesize

          72KB

        • memory/3748-26-0x000000000A530000-0x000000000A56C000-memory.dmp

          Filesize

          240KB

        • memory/3748-27-0x00000000028C0000-0x000000000290C000-memory.dmp

          Filesize

          304KB