Analysis

max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:04

Static task: static1
Behavioral task: behavioral1
Sample: 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
Resource: win10v2004-20241007-en
General

Target: 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
Size: 479KB
MD5: 7d92ac0444146dcdffe198e1f15c99a9
SHA1: aeb5b436c272aa3440a1f9a80ffeb96bd4b484d7
SHA256: 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c
SHA512: 2c5c7ee1bc1032fe833cad613bfe88821dff55cc9d93dfa9f6d7cc024471a954e104f6d354990c0b96413c606e67cfd04109a98cb3fcfb4633403a7cb8e0a93d
SSDEEP: 12288:JMrWy90lNlWVZqaITX5cC1Pr4mlZr8lej:PyXqaIT9z8lej
Malware Config

Extracted
Family: redline
Botnet: douma
C2: 217.196.96.101:4132
auth_value: e7c0659b5f9d26f2f97df8d25fefbb44
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000023bc0-12.dat | family_redline
behavioral1/memory/4124-15-0x0000000000D20000-0x0000000000D4E000-memory.dmp | family_redline

Redline family
Executes dropped EXE (2 IoCs)
pid | Process
1224 | x9868550.exe
4124 | g6842033.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x9868550.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x9868550.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g6842033.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3400 wrote to memory of 1224 | 3400 | 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe | 84
PID 3400 wrote to memory of 1224 | 3400 | 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe | 84
PID 3400 wrote to memory of 1224 | 3400 | 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe | 84
PID 1224 wrote to memory of 4124 | 1224 | x9868550.exe | 85
PID 1224 wrote to memory of 4124 | 1224 | x9868550.exe | 85
PID 1224 wrote to memory of 4124 | 1224 | x9868550.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe"
  PID: 3400
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9868550.exe  (child of PID 3400)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9868550.exe
    PID: 1224
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6842033.exe  (child of PID 1224)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6842033.exe
      PID: 4124
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
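The "Adds Run key" and "Suspicious use of WriteProcessMemory" signatures above, together with the process tree, describe a two-level self-extractor chain: each stage extracts its child into a fresh %TEMP%\IXPnnn.TMP folder and registers a RunOnce value named wextract_cleanupN that calls advpack.dll,DelNodeRunDLL32 to delete that folder at next logon. That value is the stock WExtract/IExpress cleanup entry, not a persistence mechanism, so the signal a practitioner should act on is the nested IXP folders and the parent-to-child order, not the Run key itself. The script below is an added example, not part of the sandbox report or of any RedLine tooling; it parses constructed copies of the report's own IoC lines, rebuilds the chain from the WriteProcessMemory events, and flags the cleanup pattern. The regular expressions, the record layout and the DROPPED_EXE lookup are the example's own assumptions about how this report formats its rows.

```python
"""Correlate the sandbox report's RunOnce and WriteProcessMemory IoCs into a
stage-by-stage view of a WExtract/IExpress drop chain (added example)."""
import re

# Constructed copies of the report's "Adds Run key to start application" IoCs
# (registry value, value data with the sandbox's escaped backslashes, writing process).
RUNONCE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x9868550.exe',
]

# Constructed copies of the "Suspicious use of WriteProcessMemory" IoCs. The sandbox
# lists each event three times; the parser de-duplicates on (source pid, target pid).
WPM_IOCS = [
    "PID 3400 wrote to memory of 1224 3400 1525bc7644ae3ff83d7cafb75dffaf18d847e0f3652cf1ec1636df4bc49e449c.exe 84",
] * 3 + [
    "PID 1224 wrote to memory of 4124 1224 x9868550.exe 85",
] * 3

# Constructed from "Executes dropped EXE": pid -> image name of the dropped stage
# (the leaf process never writes to a child, so its name is not in WPM_IOCS).
DROPPED_EXE = {1224: "x9868550.exe", 4124: "g6842033.exe"}

# Assumed row layouts for this report's "Set value (str)" and "PID ... wrote to" lines.
RUNONCE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\ ]+) = "(?P<value>.*)" (?P<proc>\S+)$'
)
# WExtract cleanup: advpack.dll!DelNodeRunDLL32 pointed at an IXPnnn.TMP extraction folder.
WEXTRACT_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32 .*?(?P<dir>IXP\d{3}\.TMP)", re.IGNORECASE)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$")


def parse_runonce(lines):
    """One record per RunOnce IoC: value name, writing process, and the IXP folder
    the value deletes (None when the value is not a WExtract cleanup entry)."""
    records = []
    for line in lines:
        m = RUNONCE_RE.match(line)
        if not m:
            continue
        w = WEXTRACT_RE.search(m["value"])
        records.append({
            "name": m["name"],
            "process": m["proc"],
            "cleanup_dir": w["dir"] if w else None,
            "wextract_cleanup": bool(w) and m["name"].lower().startswith("wextract_cleanup"),
        })
    return records


def build_chain(lines):
    """Rebuild parent->child order from WriteProcessMemory events.
    Assumes a linear chain (one child per parent), as in this report.
    Returns (pids from root to leaf, pid -> image name of every writing process)."""
    edges, names = {}, {}
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            edges[src] = dst
            names[src] = m["proc"]
    roots = set(edges) - set(edges.values())
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, got {sorted(roots)}")
    chain = [roots.pop()]
    while chain[-1] in edges and edges[chain[-1]] not in chain:  # stop on cycles
        chain.append(edges[chain[-1]])
    return chain, names


def stage_report(runonce_lines=RUNONCE_IOCS, wpm_lines=WPM_IOCS, dropped=DROPPED_EXE):
    """For each stage of the chain, report which IXP folder it scheduled for
    deletion. Each stage cleans up the folder its own child was extracted into."""
    chain, names = build_chain(wpm_lines)
    names = {**dropped, **names}
    cleanup = {r["process"]: r["cleanup_dir"]
               for r in parse_runonce(runonce_lines) if r["wextract_cleanup"]}
    return [
        {"depth": depth, "pid": pid, "process": names.get(pid),
         "registers_cleanup_of": cleanup.get(names.get(pid))}
        for depth, pid in enumerate(chain)
    ]


if __name__ == "__main__":
    for stage in stage_report():
        print(stage)
```

Run stand-alone it prints three stages: the submitted sample at depth 0 registering deletion of IXP000.TMP, x9868550.exe at depth 1 registering deletion of IXP001.TMP, and g6842033.exe at depth 2 (the unpacked RedLine payload, per the memory YARA hit on PID 4124) registering nothing. The same two parsers can be pointed at any report using this row format; a RunOnce value that is not a wextract_cleanupN/DelNodeRunDLL32 pair comes back with wextract_cleanup set to False so it is not mistaken for self-extractor noise.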
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 308KB
MD5: de299c034e66b20b7b36be1dc2313282
SHA1: 5a33104628a05d8608d7f95a97cd475ff97b9cfd
SHA256: 5db3e88641bec444d463168f0f79da5f32cbc2b60f6cb7dcda0b229704ce61a5
SHA512: 9f8841ca0fc0bd7d366d0bb2347e550814a682d6d95d617757653416f49006494aeb7792b81da21924b4e20270051831ec0735a523811f9829cedfdb37b836bf

Filesize: 168KB
MD5: 8ec757b1097227c814e3b61124c9498f
SHA1: 1ac48eef7a555c4a4dfcc660614d614d617d844d
SHA256: 860a4042625dd063bfda42a4256e642b16cc21a37026597b213cc8b04618bbf2
SHA512: 641edf480cdbee1c2b8b70f8e12ca1a411ba534f29e62699376ce6ff5fed2aa51122cdc399b0a8f3810f9609824760e62f1475d98ae4a14618f49ea7b3b478a3