Analysis

max time kernel: 131s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:01

Static task: static1
Behavioral task: behavioral1
Sample: f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe
Resource: win10v2004-20241007-en
General

Target: f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe
Size: 772KB
MD5: 039cb4e36fc235b50dc492c57b36f513
SHA1: 75f6afcb7eeedd3b593f3d331edfc6d281b995d9
SHA256: f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84
SHA512: 7f573ef178a8df7b04962b99531233c44e547f59ea66b6f73f4e80985d24251b8abcf53243c8dc669d4a739b20dcf806ac2939f535d9fcaebd005fb9d06fd18a
SSDEEP: 12288:kMrny90jVZRD1TinRFVMne5e7haaTwovxkyzpBTKpGD9lFfs9Ov0Rf5lkfR2:LyYbDNUtMnew6Yp4p29po5W2
Malware Config

Extracted configuration (family: redline)
Botnet: dubur
C2: 217.196.96.102:4132
auth_value: 32d04179aa1e8d655d2d80c21f99de41

The C2 address and port and the auth_value are the actionable indicators here: the IP:port pair is what the final stage will connect to, and auth_value is the per-build token the stealer presents to the panel, so both can be used to cluster other samples from the same operator build.
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource: behavioral1/files/0x0008000000023ca9-19.dat, yara_rule: family_redline
resource: behavioral1/memory/3748-21-0x00000000005F0000-0x000000000061E000-memory.dmp, yara_rule: family_redline
The memory hit is a region of PID 3748 (f9552594.exe, the innermost dropped executable); the family rule matched both the dropped file on disk and the mapped image in that process, so the RedLine payload is the last stage of the chain, not the outer sample.

Redline family

Executes dropped EXE (3 IoCs)
PID 4944: x9787554.exe
PID 3256: x6551464.exe
PID 3748: f9552594.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x9787554.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: x6551464.exe)
Caveat: despite the signature name, these values are not persistence for the stealer. A wextract_cleanupN entry under RunOnce is the standard cleanup hook written by the Windows self-extractor stub (wextract/IExpress): at next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction directory, and RunOnce values are removed once they have run. What the three entries do tell you is that the outer sample and the first two dropped executables are each a Wextract-packaged self-extractor nested inside the previous one (IXP000 -> IXP001 -> IXP002), with f9552594.exe as the unpacked final stage. No Run or RunOnce entry is recorded for f9552594.exe itself.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: x9787554.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: x6551464.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f9552594.exe)
All four processes, including the three extractor stubs, open this key, so the hit is low-specificity and does not by itself show that the payload makes a locale-based decision.

Suspicious use of WriteProcessMemory (9 IoCs)
PID 2740 (f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe) wrote to memory of PID 4944 (procid_target 83), three times
PID 4944 (x9787554.exe) wrote to memory of PID 3256 (procid_target 84), three times
PID 3256 (x6551464.exe) wrote to memory of PID 3748 (procid_target 85), three times
Each parent writes only into the child it has just created; there are no writes into any process outside the chain. This is the parent-to-child memory setup that accompanies process creation, not injection into a third-party process, so the RedLine payload here runs as its own dropped executable rather than being hollowed into a host.
Processes

C:\Users\Admin\AppData\Local\Temp\f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe"
  PID: 2740
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9787554.exe  (child of PID 2740)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9787554.exe
    PID: 4944
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6551464.exe  (child of PID 4944)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6551464.exe
      PID: 3256
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9552594.exe  (child of PID 3256)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9552594.exe
        PID: 3748
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
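The process tree above is the pattern worth detecting in endpoint telemetry: a self-extractor stub that drops another self-extractor, three levels deep, each writing the wextract_cleanupN RunOnce value for its own IXP00N.TMP directory. The script below is an added example written for this report, not Triage's code or anything from the sample: it walks Sysmon-style ProcessCreate and RegistryValueSet records and reports leaf processes whose ancestry passes through two or more IXP00N.TMP directories in a row, while treating the RunOnce cleanup writes as corroboration that the writer is a Wextract stub rather than as persistence. The event records are constructed by hand from the report's PIDs and paths; the explorer.exe root parent, the Sysmon field names, and the benign single-level installer.exe control are assumptions.

```python
# Added example: detect the nested Wextract/IExpress dropper chain from this
# report in Sysmon-style process and registry events. Records are constructed
# to mirror the report (PIDs 2740 -> 4944 -> 3256 -> 3748); explorer.exe as
# root parent and the benign installer.exe control are assumed, not observed.
import re
from typing import Dict, List, Optional

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "f8f569be55ad5ae9978f241cc61258e3b4acda993a3df0e941281eea344c9c84.exe"
RUNONCE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def tmp(*parts: str) -> str:
    """Join path parts under the user's Temp directory."""
    return "\\".join((TEMP,) + parts)


def cleanup_cmd(ixp_dir: str) -> str:
    """The DelNodeRunDLL32 command a Wextract stub registers to delete its IXP dir."""
    return 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "%s\\"' % tmp(ixp_dir)


def create(pid: int, ppid: int, image: str, parent_image: str) -> Dict:
    return {"Event": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image}


def regset(pid: int, name: str, ixp_dir: str) -> Dict:
    return {"Event": "RegistryValueSet", "ProcessId": pid,
            "TargetObject": RUNONCE + "\\" + name, "Details": cleanup_cmd(ixp_dir)}


# Constructed events (not real telemetry).
EVENTS: List[Dict] = [
    create(2740, 1000, tmp(SAMPLE), r"C:\Windows\explorer.exe"),
    regset(2740, "wextract_cleanup0", "IXP000.TMP"),
    create(4944, 2740, tmp("IXP000.TMP", "x9787554.exe"), tmp(SAMPLE)),
    regset(4944, "wextract_cleanup1", "IXP001.TMP"),
    create(3256, 4944, tmp("IXP001.TMP", "x6551464.exe"), tmp("IXP000.TMP", "x9787554.exe")),
    regset(3256, "wextract_cleanup2", "IXP002.TMP"),
    create(3748, 3256, tmp("IXP002.TMP", "f9552594.exe"), tmp("IXP001.TMP", "x6551464.exe")),
    # Assumed benign control: one IExpress package extracting a single stage; must not fire.
    create(5000, 1000, r"C:\Users\Admin\Downloads\installer.exe", r"C:\Windows\explorer.exe"),
    regset(5000, "wextract_cleanup0", "IXP000.TMP"),
    create(5001, 5000, tmp("IXP000.TMP", "setup.exe"), r"C:\Users\Admin\Downloads\installer.exe"),
]

IXP_IMAGE = re.compile(r"\\IXP(\d{3})\.TMP\\[^\\]+$", re.IGNORECASE)
CLEANUP_KEY = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)


def ixp_index(image: str) -> Optional[int]:
    """Return N if image lives directly in ...\\IXP00N.TMP\\, else None."""
    m = IXP_IMAGE.search(image)
    return int(m.group(1)) if m else None


def nested_wextract_chains(events: List[Dict], min_depth: int = 2) -> List[List[str]]:
    """Leaf processes whose ancestry runs through >= min_depth consecutive
    IXP00N.TMP directories. One level is ordinary IExpress behaviour; stacked
    levels are the dropper-inside-dropper packaging this sample uses."""
    procs = {e["ProcessId"]: e for e in events if e["Event"] == "ProcessCreate"}
    has_ixp_child = {e["ParentProcessId"] for e in procs.values()
                     if ixp_index(e["Image"]) is not None}
    chains = []
    for pid, e in procs.items():
        if ixp_index(e["Image"]) is None or pid in has_ixp_child:
            continue  # not IXP-hosted, or not the innermost stage
        chain, cur = [e["Image"]], e
        while True:
            parent = procs.get(cur["ParentProcessId"])
            if parent is None or ixp_index(parent["Image"]) is None:
                break
            chain.append(parent["Image"])
            cur = parent
        if len(chain) >= min_depth:
            chains.append(chain[::-1])  # outermost stage first
    return chains


def wextract_cleanup_writes(events: List[Dict]) -> List[Dict]:
    """RunOnce wextract_cleanupN writes: evidence that the writer is a Wextract
    stub scheduling deletion of its own IXP dir, not persistence for the payload."""
    return [{"pid": e["ProcessId"], "key": e["TargetObject"], "command": e["Details"]}
            for e in events
            if e["Event"] == "RegistryValueSet" and CLEANUP_KEY.search(e["TargetObject"])]


def triage(events: List[Dict]) -> Dict:
    chains = nested_wextract_chains(events)
    stubs = {w["pid"] for w in wextract_cleanup_writes(events)}
    return {"nested_chains": chains, "wextract_stub_pids": sorted(stubs),
            "final_stage": chains[0][-1] if chains else None}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Against the constructed events the only chain reported is x9787554.exe -> x6551464.exe -> f9552594.exe, and the single-level installer.exe control stays silent even though it also writes a wextract_cleanup0 value; the final stage it names is the process whose memory the family_redline YARA rule hit. On real telemetry, tune min_depth and add the usual exclusions for signed installers before alerting.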
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 489KB
MD5: 1e5494c8a4db0c29199db61f3b3e8621
SHA1: a1c49c1644585b4649e9c54bf5687da8218271e9
SHA256: 8f5a8550a2bb87917bbb0efa268224bc1b5de8aaf7b9cf9235b32390fdec9549
SHA512: 98feaff6cb9fa76de9fb94d86d3e45a92b51b18192cfe479a3a29bf6caea21a44c10b3986588386864fc6ec567075a9c19c03bcbfb660ea0e919a5e05429f90b

File 2
Filesize: 317KB
MD5: b0a5e687e0da409b3d3b6a048b1aad9d
SHA1: a5194e7a382de89d3403b2e20f6cffab39827fc8
SHA256: 144bb2763087d5badb44a90fa4248dbefcf347d44c473e28315db51cef23346e
SHA512: 0fdff01757e406a6d2194d78f0772b501116ed9f7d04aa177bd4c2376c7722b45f27c0f7cdf5b3a3bf46c4904c3e3c7f3a368e03f19b88912dbccda64735ca21

File 3
Filesize: 168KB
MD5: e2ce2715cd9c3210082dbee50a728272
SHA1: 20635e9451d14d9439431d1146a0a263e00cdd36
SHA256: 89eb23cdb625d5207903095b3eb8ff7a6c4b35c314d64ee5d6930e2da85a765d
SHA512: 828a68ff1c41dc8cd2b5a2a8c837b99a14823062bc2f15011d2a9dbae8aabe779133c4463ad4019443e57c8cfdf43dcd07572986e48ada514363ff6c803e5302