Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 10:28
Static task: static1
Behavioral task: behavioral1
Sample: 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe
Resource: win10v2004-20241007-en
General
Target: 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe
Size: 590KB
MD5: a40c6c1257c4a09d6e5501983bf4bddb
SHA1: 4afe29ed2399b92e608a02ac9aea1451a9444a3b
SHA256: 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1
SHA512: aff233b964c8a1ad98b6533c7c30bba58189448f5be3ddd2411173b414f7ad2776cd8f198fc5c60bc842dd29004793d15c413ef38545d3afd3760fab6ee5c6b2
SSDEEP: 12288:AMr4y90gIlF74E3n/Akezn1SG70kgvJBlcqqnRi94Mss/j:oybIlFL3SZV70TuRknss/j
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c89-12.dat | family_redline
behavioral1/memory/2092-15-0x0000000000AD0000-0x0000000000AF8000-memory.dmp | family_redline

Redline family
Executes dropped EXE (2 IoCs)
pid | Process
2012 | x1136628.exe
2092 | g1680635.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1136628.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x1136628.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g1680635.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1288 wrote to memory of 2012 | 1288 | 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe | 83
PID 1288 wrote to memory of 2012 | 1288 | 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe | 83
PID 1288 wrote to memory of 2012 | 1288 | 5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe | 83
PID 2012 wrote to memory of 2092 | 2012 | x1136628.exe | 84
PID 2012 wrote to memory of 2092 | 2012 | x1136628.exe | 84
PID 2012 wrote to memory of 2092 | 2012 | x1136628.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5d830d65e5319643c83b620ab365240a3fcfed708630c83336ea7d1638f785c1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1288
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1136628.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1136628.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2012
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1680635.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1680635.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 417KB
MD5: 4b309f6609388a5358f7f19687b5a412
SHA1: a153ce2e62550c54fc224592dcac6681353c32fe
SHA256: 884e28a10c0f90fab903f123eaea047c339f5512d99509a7e1b47d3688a0f732
SHA512: 5b7dd18935c24606a62d5700408376f4ea829e519bd73df980d894501b73d2708415e83cd2262704c0b2bcaf9409158d802e148b811dddbc45786423cbfc507f

Filesize: 136KB
MD5: 37759421cf41d0aaebe20d54b86f436c
SHA1: c3eb1bf0e9da5bec3c907e34476a90553237edad
SHA256: ecaf5c335e54d7bf34660d14ab9432ee1c6bd22377c5fc22dfdaaa9df715737f
SHA512: 3c75ff63215f5cd5b6ba7fdbc0dc497b9e905e353275e0277f40f5b8c4f037b81d4928292499e06cf1107289390eb5e3ea8a78e874ce27a71013e99749e567aa