Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 11:00

General

  • Target

    6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe

  • Size

    556KB

  • MD5

    86751ccf3450705deb2751f8b9cad5aa

  • SHA1

    cac15580afeddba436d64506885a1dad9728af01

  • SHA256

    6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7

  • SHA512

    13f12b8e3ad39bb817cacf61b7fdb0a7b579bb0274ae080f23e81924529592024e2e247d7813e4619009b7b9d851d9fb7ea2a3acdb072b4169b70a10533615bc

  • SSDEEP

    12288:tMrEy905ZclIc1mKHtgUQjGbyIfv1wLxJkNa2shB4eSIS:Zy0YP1btsIfv1mk7shB4eA

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe
    "C:\Users\Admin\AppData\Local\Temp\6f8e1083763c29331a8a89b0e87ce5d3a65082d04b8e17a133f69915e7ec72c7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3308

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8390277.exe

          Filesize

          384KB

          MD5

          1753c64f28a828eae7fde7294760247f

          SHA1

          abe51a56348ecaec4b329ce54805d1b73b03ea38

          SHA256

          29cc9ea1fa2282a496bdd4ec6999af191b760bdaef977bccc87fea386a3a4cdf

          SHA512

          6444bc3d3b9eaae179a8bb73992b8111cbd1bdbd365bcd65dffa74122b5b8f1a7dfee2a06b2dc3361a9510d92ce78ff7f7b4529f0d40a0b397d27c726b93103e

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3472709.exe

          Filesize

          169KB

          MD5

          df763011f3cccf02835dd6115ab93407

          SHA1

          0bc714d28b579d26ff6991ba416e127957fa80e1

          SHA256

          6f11fae0cfe33d7bf220b633470d4fba619a67600aba58580e6602191ac249ca

          SHA512

          c987114dc2012e9813ff6a8bc40c06764b23a9ebb122acdb8e203b03a4f6c2442351dc1f77bd2922a76c85e680496fa2d884fc0c2eb9ef156fb4b069568933cb

        • memory/3308-14-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

          Filesize

          4KB

        • memory/3308-15-0x0000000000D80000-0x0000000000DB0000-memory.dmp

          Filesize

          192KB

        • memory/3308-16-0x00000000055A0000-0x00000000055A6000-memory.dmp

          Filesize

          24KB

        • memory/3308-17-0x000000000B140000-0x000000000B758000-memory.dmp

          Filesize

          6.1MB

        • memory/3308-18-0x000000000AC30000-0x000000000AD3A000-memory.dmp

          Filesize

          1.0MB

        • memory/3308-19-0x000000000AB20000-0x000000000AB32000-memory.dmp

          Filesize

          72KB

        • memory/3308-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/3308-21-0x000000000AB80000-0x000000000ABBC000-memory.dmp

          Filesize

          240KB

        • memory/3308-22-0x0000000002F90000-0x0000000002FDC000-memory.dmp

          Filesize

          304KB

        • memory/3308-23-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

          Filesize

          4KB

        • memory/3308-24-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB