Analysis
- max time kernel: 132s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 10:22
Static task: static1
Behavioral task: behavioral1
- Sample: b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe
- Resource: win10v2004-20241007-en
General
- Target: b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe
- Size: 488KB
- MD5: e8e22918ff35366ccd2d71612b1d5fee
- SHA1: 58746d2542539da66a9690111474d0582e64fd53
- SHA256: b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4
- SHA512: 5f2a31e2042c53dfa5c65a68e33eb9d994f0c5d4dd3c74956d86183f50e0cc5a54440ed01b40374f4082ddfb27921be52533896ad07be8e41085b7ccec2f0343
- SSDEEP: 12288:nMr7y90Fc98lbMBH9BEK2sNDgjrtCj/dI:wyOMBH9BEt2kjoW
Malware Config
Extracted
- Family: redline
- Botnet: dippo
- C2: 217.196.96.102:4132
- auth_value: 79490ff628fd6af3b29170c3c163874b
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x000b000000023b83-12.dat: family_redline
  - behavioral1/memory/516-15-0x0000000000FD0000-0x0000000000FFE000-memory.dmp: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2412: x9291247.exe
  - 516: g6282725.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x9291247.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (x9291247.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (g6282725.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  - PID 2840 wrote to memory of 2412: 2840 b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe, target 83
  - PID 2840 wrote to memory of 2412: 2840 b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe, target 83
  - PID 2840 wrote to memory of 2412: 2840 b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe, target 83
  - PID 2412 wrote to memory of 516: 2412 x9291247.exe, target 84
  - PID 2412 wrote to memory of 516: 2412 x9291247.exe, target 84
  - PID 2412 wrote to memory of 516: 2412 x9291247.exe, target 84
Processes
- C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe (PID 2840, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe (PID 2412, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe (PID 516, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 316KB
  MD5: 2f56696fb2923c0c7a1bc527833b4e71
  SHA1: aaa9e66aeb313455bff74ecea62b1732e907264e
  SHA256: edd036c6a3b21d3ac0069c26fee6f389ded679a5ad0312e8d1e24def19a0f28f
  SHA512: 3442e2252484fc754ac4b5505740ac8e1896d3c7ce50e736ea441657e12c13165596f124c1d9f50b67d725cb2ed5d9eabc69a352251065749653cd0046d0062f
- Filesize: 168KB
  MD5: 347bcfbf2d72b1233671bc0850229d7e
  SHA1: 642ab2fd1e524e82c575ead965bd04950a475a15
  SHA256: 8f770edae94cb40607f73037d6d048f0d45cf84554b08b67eb555600fb52c2cc
  SHA512: ee9f669a7a104cc4f7b47109cdba20a51f70f5a810222ef569939216ae38b52a6d79ae78d12ae04f686611b8e14c28bbf95c9e1b43e2d3183c0b1847e6ebb50c