Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 10:21
Static task: static1
Behavioral task: behavioral1
Sample: 8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe
Resource: win10v2004-20241007-en
General
Target: 8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe
Size: 584KB
MD5: 8902702fd0d20c1988f317b447c6d3f7
SHA1: d98a6ab787f5c3313f2774f102e39b41e3db450b
SHA256: 8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783
SHA512: 67b565a41b6169edf0594febe72b2263bb56fa32cab3a3cfa5ae60fee6b836f7b7e581c387e2afbcebe4e0dba3917b45dcfac76bf64322de2174d3e20be06743
SSDEEP: 12288:KMrVy90cQbiDQx1KIaarw7cxowMjB+fGQpIuSbvUjGg98v5REfp+:Lyp2daarw7a5MUnHSbe8RREfp+
Malware Config
Extracted
Family: redline
Botnet: ronam
C2: 193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource                                                                      yara_rule
behavioral1/memory/4180-19-0x0000000002680000-0x00000000026C6000-memory.dmp   family_redline
behavioral1/memory/4180-21-0x0000000004B60000-0x0000000004BA4000-memory.dmp   family_redline
behavioral1/memory/4180-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-82-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-77-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-73-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-43-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-41-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-39-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-37-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-35-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-31-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-29-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-27-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-25-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-33-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-23-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline
behavioral1/memory/4180-22-0x0000000004B60000-0x0000000004B9E000-memory.dmp   family_redline

Redline family
Executes dropped EXE 2 IoCs
pid   Process
4932  dmm3689.exe
4180  nOp05IT.exe
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                                                                            Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   dmm3689.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dmm3689.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nOp05IT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   4180  nOp05IT.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                      pid   Process                                                                 procid_target
PID 3580 wrote to memory of 4932  3580  8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe  85
PID 3580 wrote to memory of 4932  3580  8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe  85
PID 3580 wrote to memory of 4932  3580  8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe  85
PID 4932 wrote to memory of 4180  4932  dmm3689.exe                                                             86
PID 4932 wrote to memory of 4180  4932  dmm3689.exe                                                             86
PID 4932 wrote to memory of 4180  4932  dmm3689.exe                                                             86
Processes

C:\Users\Admin\AppData\Local\Temp\8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b5a064f118a278b7427481d39533826cfe81e431268f6cb5c201454961a7783.exe"
  PID: 3580
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmm3689.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmm3689.exe
    PID: 4932
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOp05IT.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOp05IT.exe
      PID: 4180
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 439KB
MD5: d79b5e863c83e9dd5328d9776f6f89e4
SHA1: c7409f13e768283f1d2ac246844c51a91ab5c3e2
SHA256: 14ee57aca9e856c4a152b26a246e56939dffe63655e274c42015585879b90cef
SHA512: 975bb7b66090bd0e9b1ce4d3107e95a1ae9df56b98be4b762f44901ba08b2ab7f1bc93098d459e30fde40339ebc77eec865313b06df8fbbcff2ba29ce2b38c5c

Filesize: 303KB
MD5: 8a92d5d1b98c45b1ef43960577618b0c
SHA1: aae3650bcc74dd41f15ac893275c732b0571fc6f
SHA256: 8b2c644eebab796aca1fab25cd9e7e32e04a4e6a75d8a1453a5548ded968a803
SHA512: 6a896373f8ce522d30a5bf24fa9f0fe16c141d79a38c3c61032f7458426ce5c5337b30e0cc8590f8f0103c0b4ef33bcecb073be4362006f71d0eb1c8d16337ea