Analysis

  • max time kernel
    132s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 10:22

General

  • Target

    b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe

  • Size

    488KB

  • MD5

    e8e22918ff35366ccd2d71612b1d5fee

  • SHA1

    58746d2542539da66a9690111474d0582e64fd53

  • SHA256

    b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4

  • SHA512

    5f2a31e2042c53dfa5c65a68e33eb9d994f0c5d4dd3c74956d86183f50e0cc5a54440ed01b40374f4082ddfb27921be52533896ad07be8e41085b7ccec2f0343

  • SSDEEP

    12288:nMr7y90Fc98lbMBH9BEK2sNDgjrtCj/dI:wyOMBH9BEt2kjoW

Malware Config

Extracted

Family

redline

Botnet

dippo

C2

217.196.96.102:4132

Attributes
  • auth_value

    79490ff628fd6af3b29170c3c163874b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe
    "C:\Users\Admin\AppData\Local\Temp\b96830d626e15af47832dad135a7c41f2aa67ea7eafda539fb21151cad8789a4.exe"
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:516

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9291247.exe

          Filesize

          316KB

          MD5

          2f56696fb2923c0c7a1bc527833b4e71

          SHA1

          aaa9e66aeb313455bff74ecea62b1732e907264e

          SHA256

          edd036c6a3b21d3ac0069c26fee6f389ded679a5ad0312e8d1e24def19a0f28f

          SHA512

          3442e2252484fc754ac4b5505740ac8e1896d3c7ce50e736ea441657e12c13165596f124c1d9f50b67d725cb2ed5d9eabc69a352251065749653cd0046d0062f

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6282725.exe

          Filesize

          168KB

          MD5

          347bcfbf2d72b1233671bc0850229d7e

          SHA1

          642ab2fd1e524e82c575ead965bd04950a475a15

          SHA256

          8f770edae94cb40607f73037d6d048f0d45cf84554b08b67eb555600fb52c2cc

          SHA512

          ee9f669a7a104cc4f7b47109cdba20a51f70f5a810222ef569939216ae38b52a6d79ae78d12ae04f686611b8e14c28bbf95c9e1b43e2d3183c0b1847e6ebb50c

        • memory/516-14-0x00000000746EE000-0x00000000746EF000-memory.dmp

          Filesize

          4KB

        • memory/516-15-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

          Filesize

          184KB

        • memory/516-16-0x00000000059F0000-0x00000000059F6000-memory.dmp

          Filesize

          24KB

        • memory/516-17-0x00000000060C0000-0x00000000066D8000-memory.dmp

          Filesize

          6.1MB

        • memory/516-18-0x0000000005BB0000-0x0000000005CBA000-memory.dmp

          Filesize

          1.0MB

        • memory/516-19-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

          Filesize

          72KB

        • memory/516-20-0x00000000746E0000-0x0000000074E90000-memory.dmp

          Filesize

          7.7MB

        • memory/516-21-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

          Filesize

          240KB

        • memory/516-22-0x0000000005B40000-0x0000000005B8C000-memory.dmp

          Filesize

          304KB

        • memory/516-23-0x00000000746EE000-0x00000000746EF000-memory.dmp

          Filesize

          4KB

        • memory/516-24-0x00000000746E0000-0x0000000074E90000-memory.dmp

          Filesize

          7.7MB