Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 11:04

General

  • Target

    1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe

  • Size

    479KB

  • MD5

    7d92ac0444146dcdffe198e1f15c99a9

  • SHA1

    aeb5b436c272aa3440a1f9a80ffeb96bd4b484d7

  • SHA256

    1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c

  • SHA512

    2c5c7ee1bc1032fe833cad613bfe88821dff55cc9d93dfa9f6d7cc024471a954e104f6d354990c0b96413c606e67cfd04109a98cb3fcfb4633403a7cb8e0a93d

  • SSDEEP

    12288:JMrWy90lNlWVZqaITX5cC1Pr4mlZr8lej:PyXqaIT9z8lej

Malware Config

Extracted

Family

redline

Botnet

douma

C2

217.196.96.101:4132

Attributes
  • auth_value

    e7c0659b5f9d26f2f97df8d25fefbb44

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
    "C:\Users\Admin\AppData\Local\Temp\1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9868550.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9868550.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6842033.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6842033.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4124

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9868550.exe

          Filesize

          308KB

          MD5

          de299c034e66b20b7b36be1dc2313282

          SHA1

          5a33104628a05d8608d7f95a97cd475ff97b9cfd

          SHA256

          5db3e88641bec444d463168f0f79da5f32cbc2b60f6cb7dcda0b229704ce61a5

          SHA512

          9f8841ca0fc0bd7d366d0bb2347e550814a682d6d95d617757653416f49006494aeb7792b81da21924b4e20270051831ec0735a523811f9829cedfdb37b836bf

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6842033.exe

          Filesize

          168KB

          MD5

          8ec757b1097227c814e3b61124c9498f

          SHA1

          1ac48eef7a555c4a4dfcc660614d614d617d844d

          SHA256

          860a4042625dd063bfda42a4256e642b16cc21a37026597b213cc8b04618bbf2

          SHA512

          641edf480cdbee1c2b8b70f8e12ca1a411ba534f29e62699376ce6ff5fed2aa51122cdc399b0a8f3810f9609824760e62f1475d98ae4a14618f49ea7b3b478a3

        • memory/4124-14-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

          Filesize

          4KB

        • memory/4124-15-0x0000000000D20000-0x0000000000D4E000-memory.dmp

          Filesize

          184KB

        • memory/4124-16-0x0000000005500000-0x0000000005506000-memory.dmp

          Filesize

          24KB

        • memory/4124-17-0x0000000005D20000-0x0000000006338000-memory.dmp

          Filesize

          6.1MB

        • memory/4124-18-0x0000000005810000-0x000000000591A000-memory.dmp

          Filesize

          1.0MB

        • memory/4124-19-0x0000000005590000-0x00000000055A2000-memory.dmp

          Filesize

          72KB

        • memory/4124-20-0x0000000005700000-0x000000000573C000-memory.dmp

          Filesize

          240KB

        • memory/4124-21-0x0000000073C20000-0x00000000743D0000-memory.dmp

          Filesize

          7.7MB

        • memory/4124-22-0x0000000005750000-0x000000000579C000-memory.dmp

          Filesize

          304KB

        • memory/4124-23-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

          Filesize

          4KB

        • memory/4124-24-0x0000000073C20000-0x00000000743D0000-memory.dmp

          Filesize

          7.7MB