Analysis
max time kernel: 106s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 11:07
Static task: static1
Behavioral task: behavioral1
Sample: 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
Resource: win10v2004-20241007-en
General
Target: 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
Size: 1.5MB
MD5: fd67ff18ddfc1d4c27c4e209a79c4980
SHA1: 87e265f16b64b4e8aea647431b0e8cb041c2ebaa
SHA256: 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c
SHA512: 803cbb1ef0e02455bb657355ebc8857c5f05532086d1b60ddc5983ff3dd56ac20d50f183e4b29a7202dd07b0b9078c026f783a658a3b56508b924e18343c7c15
SSDEEP: 24576:8yxP4YHlQR0Y+PL5HLpEgFwdOL36ljC1hBGSG8jhu/s5oGN3jvJ88kLrR/H1:rxP44lO0YbdWKt2hsSBjh24z3jB8vLrF
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023c8e-33.dat | family_redline
behavioral1/memory/2804-35-0x0000000000D40000-0x0000000000D70000-memory.dmp | family_redline

Redline family

Executes dropped EXE 5 IoCs
pid | Process
4196 | i10299687.exe
5028 | i72693967.exe
4612 | i52330224.exe
1896 | i68938859.exe
2804 | a40676473.exe

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i10299687.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i72693967.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i52330224.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i68938859.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i10299687.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i72693967.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i52330224.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i68938859.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a40676473.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4996 wrote to memory of 4196 | 4996 | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe | 83
PID 4996 wrote to memory of 4196 | 4996 | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe | 83
PID 4996 wrote to memory of 4196 | 4996 | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe | 83
PID 4196 wrote to memory of 5028 | 4196 | i10299687.exe | 84
PID 4196 wrote to memory of 5028 | 4196 | i10299687.exe | 84
PID 4196 wrote to memory of 5028 | 4196 | i10299687.exe | 84
PID 5028 wrote to memory of 4612 | 5028 | i72693967.exe | 85
PID 5028 wrote to memory of 4612 | 5028 | i72693967.exe | 85
PID 5028 wrote to memory of 4612 | 5028 | i72693967.exe | 85
PID 4612 wrote to memory of 1896 | 4612 | i52330224.exe | 88
PID 4612 wrote to memory of 1896 | 4612 | i52330224.exe | 88
PID 4612 wrote to memory of 1896 | 4612 | i52330224.exe | 88
PID 1896 wrote to memory of 2804 | 1896 | i68938859.exe | 89
PID 1896 wrote to memory of 2804 | 1896 | i68938859.exe | 89
PID 1896 wrote to memory of 2804 | 1896 | i68938859.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160cN.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4996

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4196

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5028

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe (depth 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4612

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe (depth 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1896

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe (depth 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2804
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: 96424ad0dbee1cbb7253980d6c1a6be7
SHA1: c0738d7f51a41623c704a154a9a9013304244d47
SHA256: 0d55df92f772a478e54daf19b714d03404a7ac3edcd5abbc88c7eadf3733bfd2
SHA512: 2a8d3aaa1f1fb9865dcb7fcff9eb26e756d7c698ff0100c984ed0cf4f4d99479e87bba1d1c38b25000681dbcb22417cbc63bc507c9622410b528a1d1bb6aef45

Filesize: 1015KB
MD5: 435c23635c3fdf9468818d370c448fb3
SHA1: b7d1c39b7adfa85103e0dcb7f81da101c3511790
SHA256: 7719f88e17528c67eceb623ff389cf6581d5f1052b7c3748988db0cdbb23dfdb
SHA512: 9a5cd3122d9b8aa6eb14f24e73511c833c485af0681270e4ebc92f887882bd951434560b2131caa07718b7c496163e96673c91bd60b77a541f9f6403834f19ee

Filesize: 843KB
MD5: df9bffbd5de29604cfcf05286f367cf3
SHA1: 2f2f7b628eb083068a9220f98779bfa7e423d03d
SHA256: cf78e5d897eace16f314562aaaf28b46e9368ed435ea3f734baf0ccda3106a5a
SHA512: 64a26f763c04ed685f33ff12596f06d63e2e07f8b99695eaf66810f8d27b421a927f2b89d12151412b4f2169d78c15a3b8c2e8dbc9db271e12bcb49947954906

Filesize: 370KB
MD5: b5665f55e1124c091a5f344f231bd10f
SHA1: b733a68359599dacf7c43cf04708db767d3afdee
SHA256: 8291e7676418fc56d50b263365968e98ccc7d18a5439017d8eaaa88d6741a4d8
SHA512: 146958f1c403c3c13e77a00a0494165e011e16cf2ba741d309ac3aabe36be7c454b9976dc02356d5652adcb55468d638180810b12bed019641d7c530c4034056

Filesize: 169KB
MD5: 9e3d31f3302c87b6bbc03ffe3af5cb52
SHA1: 82df246e1fdf14e87d95d1772d0be46e391e2a57
SHA256: e3537994912e245abac3d6c0d6e0cf66632a2697b555d8dd6296a6af1205f596
SHA512: 40356f32bac252a36da2f4f0d1b7aaee97deebed36d94785b4ed180e5487a7d8b32dfb10c75f40f604dcabb12701c78bea0956c91e73ba8b05442c0e372a2995