Analysis
-
max time kernel: 132s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:00
Static task: static1
Behavioral task: behavioral1
Sample: 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe
Resource: win10v2004-20241007-en
General
-
Target: 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe
Size: 556KB
MD5: 86751ccf3450705deb2751f8b9cad5aa
SHA1: cac15580afeddba436d64506885a1dad9728af01
SHA256: 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7
SHA512: 13f12b8e3ad39bb817cacf61b7fdb0a7b579bb0274ae080f23e81924529592024e2e247d7813e4619009b7b9d851d9fb7ea2a3acdb072b4169b70a10533615bc
SSDEEP: 12288:tMrEy905ZclIc1mKHtgUQjGbyIfv1wLxJkNa2shB4eSIS:Zy0YP1btsIfv1mk7shB4eA
Malware Config
-
Extracted
Family: redline
Botnet: darm
C2: 217.196.96.56:4138
auth_value: d88ac8ccc04ab9979b04b46313db1648
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0008000000023c85-12.dat | family_redline |
| behavioral1/memory/3308-15-0x0000000000D80000-0x0000000000DB0000-memory.dmp | family_redline |
-
Redline family
-
Executes dropped EXE 2 IoCs
| pid | Process |
| --- | --- |
| 1464 | x8390277.exe |
| 3308 | g3472709.exe |
-
Adds Run key to start application 2 TTPs 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x8390277.exe |
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x8390277.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g3472709.exe |
-
Suspicious use of WriteProcessMemory 6 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2592 wrote to memory of 1464 | 2592 | 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe | 83 |
| PID 2592 wrote to memory of 1464 | 2592 | 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe | 83 |
| PID 2592 wrote to memory of 1464 | 2592 | 6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe | 83 |
| PID 1464 wrote to memory of 3308 | 1464 | x8390277.exe | 84 |
| PID 1464 wrote to memory of 3308 | 1464 | x8390277.exe | 84 |
| PID 1464 wrote to memory of 3308 | 1464 | x8390277.exe | 84 |
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe"
   PID: 2592
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe
      PID: 1464
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe
         PID: 3308
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 384KB
MD5: 1753c64f28a828eae7fde7294760247f
SHA1: abe51a56348ecaec4b329ce54805d1b73b03ea38
SHA256: 29cc9ea1fa2282a496bdd4ec6999af191b760bdaef977bccc87fea386a3a4cdf
SHA512: 6444bc3d3b9eaae179a8bb73992b8111cbd1bdbd365bcd65dffa74122b5b8f1a7dfee2a06b2dc3361a9510d92ce78ff7f7b4529f0d40a0b397d27c726b93103e
-
Filesize: 169KB
MD5: df763011f3cccf02835dd6115ab93407
SHA1: 0bc714d28b579d26ff6991ba416e127957fa80e1
SHA256: 6f11fae0cfe33d7bf220b633470d4fba619a67600aba58580e6602191ac249ca
SHA512: c987114dc2012e9813ff6a8bc40c06764b23a9ebb122acdb8e203b03a4f6c2442351dc1f77bd2922a76c85e680496fa2d884fc0c2eb9ef156fb4b069568933cb