Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 10:25
Static task: static1
Behavioral task: behavioral1
Sample: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe
Resource: win10v2004-20241007-en
General
Target: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe
Size: 479KB
MD5: d04dc6931c91c487da949ba487e7b421
SHA1: e19c47004bf6f0b2910227e5b328caef85447d27
SHA256: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf
SHA512: bb0d9cf68845b458f98789665ed060306a2d5fcce8970f0627a1b379d3ae54a8bb5b3104bba978b4c6a801b289baf26ace45e43599de8a6cf294f67df8d584a3
SSDEEP: 12288:TMr6y90Ndqa1uBQY6moc5rxKOFqT9WhfDFVNJHIA:1yiwakZP5KTIhfrN91
Malware Config
Extracted
Family: redline
Botnet: dease
C2: 217.196.96.101:4132
auth_value: 82e4d5f9abc21848e0345118814a4e6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource: behavioral1/files/0x0008000000023caf-12.dat, yara_rule: family_redline
  resource: behavioral1/memory/1708-15-0x0000000000DE0000-0x0000000000E0E000-memory.dmp, yara_rule: family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid: 2680, Process: x4203324.exe
  pid: 1708, Process: g1155140.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", Process: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe
  description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"", Process: x4203324.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: x4203324.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: g1155140.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2252 wrote to memory of 2680, pid: 2252, Process: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe, procid_target: 83
  description: PID 2252 wrote to memory of 2680, pid: 2252, Process: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe, procid_target: 83
  description: PID 2252 wrote to memory of 2680, pid: 2252, Process: 99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe, procid_target: 83
  description: PID 2680 wrote to memory of 1708, pid: 2680, Process: x4203324.exe, procid_target: 84
  description: PID 2680 wrote to memory of 1708, pid: 2680, Process: x4203324.exe, procid_target: 84
  description: PID 2680 wrote to memory of 1708, pid: 2680, Process: x4203324.exe, procid_target: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\99a5333dfc6a14b55afd756ea0032102162bd7339b07872018e6565278d867bf.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2252

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4203324.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4203324.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2680

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1155140.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1155140.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 1708
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 308KB
MD5: de707662ea94cf7b533a06ef24637e1d
SHA1: 1efc343a59cab7b0a9b46d71b5bd04711c9b3909
SHA256: db6152bc9f469c0e6d352ba416c6f40d08e57b65ab815c7b9a0260197fd86d30
SHA512: 622ee9035abb5f5c8cf9c6c23ce60d13ac48b9ee9401f5b717effdf0c1deab65b4e4c578df1b966cba8422c643f556b23e8546778ad6c821e676226b97fe52d6

Filesize: 168KB
MD5: daa6f2ef7859cf8d014314228941deaa
SHA1: 0c1078756c078d7f45cec6673a01da531c265ff5
SHA256: 33fd77b5cf425b1f3dd29bc8a180a24a2dc46ac380f15b8372cd530f08717909
SHA512: 71e4e8f49908966b911472141c5c3dc096374c0ab8cf8f3c70258f9339323b4dfb7f2f69a50446942baadc597c167f55a35f980605a0d577b3638dd72e3aca6f