Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:05

Static task: static1
Behavioral task: behavioral1
Sample: 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe
Resource: win10v2004-20241007-en
General

Target: 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe
Size: 782KB
MD5: bb34463a68849937cee62d3b9bb59f95
SHA1: d32a706d2f94638862680bb56742ff84e0b13f80
SHA256: 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5
SHA512: d0e3c797bc484e48b6d716625601f1193cbb3f550412ddad6fd3d032fc0916a8c5dbadfce31364f1fdc375092f3435c2f7409f1f5caddd23225f5daf5f7be745
SSDEEP: 12288:ay90w4b4H5WPQWm5vwsmQIOV+ei+f46MM9G9zClqZhW2wF/M580/aaKVmv2OcDpi:ayvo4IP4lwJbYVMp9vW2wmmaV2doVx
Malware Config

Extracted: redline
  gena
  185.161.248.73:4164
  auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
  dark
  185.161.248.73:4164
  auth_value: ae85b01f66afe8770afeed560513fc2d
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/772-2168-0x0000000005760000-0x0000000005792000-memory.dmp | family_redline
  behavioral1/files/0x0002000000022ab5-2173.dat | family_redline
  behavioral1/memory/5348-2181-0x00000000009C0000-0x00000000009EE000-memory.dmp | family_redline
  behavioral1/files/0x000a000000023b82-2193.dat | family_redline
  behavioral1/memory/5564-2195-0x0000000000900000-0x0000000000930000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | m66681166.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  232 | x24854258.exe
  772 | m66681166.exe
  5348 | 1.exe
  5564 | n41547715.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x24854258.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  5480 | 772 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | n41547715.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x24854258.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m66681166.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 772 | m66681166.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 964 wrote to memory of 232 | 964 | 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe | 84
  PID 964 wrote to memory of 232 | 964 | 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe | 84
  PID 964 wrote to memory of 232 | 964 | 61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe | 84
  PID 232 wrote to memory of 772 | 232 | x24854258.exe | 86
  PID 232 wrote to memory of 772 | 232 | x24854258.exe | 86
  PID 232 wrote to memory of 772 | 232 | x24854258.exe | 86
  PID 772 wrote to memory of 5348 | 772 | m66681166.exe | 92
  PID 772 wrote to memory of 5348 | 772 | m66681166.exe | 92
  PID 772 wrote to memory of 5348 | 772 | m66681166.exe | 92
  PID 232 wrote to memory of 5564 | 232 | x24854258.exe | 96
  PID 232 wrote to memory of 5564 | 232 | x24854258.exe | 96
  PID 232 wrote to memory of 5564 | 232 | x24854258.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61f979c3cc609820bd8061f559de11f58d550e4d3f7c603b325266bd9a7c8aa5.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 964

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x24854258.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x24854258.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 232

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m66681166.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m66681166.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 772

      C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 5348

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1468
        - Program crash
        PID: 5480

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n41547715.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n41547715.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5564

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 772 -ip 772
  PID: 5452
Network

MITRE ATT&CK Enterprise v15
Downloads