Analysis

max time kernel: 132s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:16

Static task: static1
Behavioral task: behavioral1
Sample: c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe
Resource: win10v2004-20241007-en
General

Target: c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe
Size: 556KB
MD5: 5ffaef4554b156412c7c7ba10254b3d7
SHA1: 5a427d5209c5f8b2b1daa76ff69cea3b33103f20
SHA256: c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a
SHA512: ff9f1a0a37a0d9acb3a99e51849d147f1f566fabed02356d9bb1b156b6933ded5d6232407898884e55c5950154e59190127e719d27c81ef6af5bbd501e49efe5
SSDEEP: 12288:rMrQy90XVn5zOcMfuXzqYko0huAXm02XoG9/HmyE:DyYV5XM/Yko0h712YG9/GyE
Malware Config

Extracted
Family: redline
Botnet: darm
C2: 217.196.96.56:4138
Attributes: auth_value = d88ac8ccc04ab9979b04b46313db1648
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023ca7-12.dat | family_redline
behavioral1/memory/3624-15-0x0000000000D60000-0x0000000000D90000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
3256 | x2415202.exe
3624 | g2044034.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | x2415202.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x2415202.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g2044034.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1320 wrote to memory of 3256 | 1320 | c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe | 83
PID 1320 wrote to memory of 3256 | 1320 | c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe | 83
PID 1320 wrote to memory of 3256 | 1320 | c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe | 83
PID 3256 wrote to memory of 3624 | 3256 | x2415202.exe | 85
PID 3256 wrote to memory of 3624 | 3256 | x2415202.exe | 85
PID 3256 wrote to memory of 3624 | 3256 | x2415202.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe"
   PID: 1320
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2415202.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2415202.exe
      PID: 3256
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2044034.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2044034.exe
         PID: 3624
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
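The process tree and the two RunOnce entries above describe the packaging rather than the stealer itself. IXP000.TMP and IXP001.TMP directories under %TEMP%, together with wextract_cleanupN RunOnce values that call advpack.dll DelNodeRunDLL32, are what a wextract (IExpress) self-extracting package writes so that its temporary directory is deleted at the next logon; the "Adds Run key to start application" signature therefore fires on the unpacker's self-cleanup, not on persistence of the RedLine payload, and the nested IXP000 -> IXP001 chain means one self-extractor dropped another before the final stage (pid 3624, where the family_redline YARA rule matched in memory) ran. The Python below is an added example, not part of the sandbox report or of the sample: it takes the report's own rows (embedded here as constructed strings) and rebuilds the parent/child chain from the WriteProcessMemory rows, reads the IXPnnn.TMP stage index from each process path, extracts the cleanup directories from the RunOnce values, and flags the nested self-extractor pattern when all three agree. The function names and the "strictly increasing IXP index with a matching cleanup entry" rule are the example's own, not the sandbox's logic.

```python
"""Rebuild the wextract (IExpress) unpacking chain from sandbox report rows.

Added example; not part of the sandbox report or of the RedLine sample.
All inputs below are copied from the report tables and embedded as
constructed strings so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE = "c0c9734f3cde7c48ddb421c65a2216172032d49ba6293375bfecf6ac836dc06a.exe"

# Constructed input: the "Suspicious use of WriteProcessMemory" rows above
# (one row per call, so the same parent/child pair repeats).
WPM_ROWS = [
    f"PID 1320 wrote to memory of 3256 1320 {SAMPLE} 83",
    f"PID 1320 wrote to memory of 3256 1320 {SAMPLE} 83",
    f"PID 1320 wrote to memory of 3256 1320 {SAMPLE} 83",
    "PID 3256 wrote to memory of 3624 3256 x2415202.exe 85",
    "PID 3256 wrote to memory of 3624 3256 x2415202.exe 85",
    "PID 3256 wrote to memory of 3624 3256 x2415202.exe 85",
]

# Constructed input: registry value data of the two RunOnce entries above.
RUNONCE_VALUES = [
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
]

# Constructed input: executable paths from the process tree above, keyed by pid.
PROCESS_PATHS = {
    1320: r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
    3256: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2415202.exe",
    3624: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2044034.exe",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"', re.IGNORECASE)
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP(?:\\|$)", re.IGNORECASE)


def parent_child_edges(rows):
    """Deduplicate WriteProcessMemory rows into {parent_pid: [child_pid, ...]}."""
    edges = defaultdict(list)
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        if child not in edges[parent]:
            edges[parent].append(child)
    return dict(edges)


def process_chain(edges, root):
    """Depth-first order of pids reachable from root, root first."""
    order, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(edges.get(pid, [])))
    return order


def ixp_index(path):
    """Numeric index of the IXPnnn.TMP directory a path lives in, or None."""
    m = IXP_RE.search(path)
    return int(m.group(1)) if m else None


def cleanup_dirs(runonce_values):
    """Directories that advpack DelNodeRunDLL32 will delete at next logon."""
    return [m.group(1) for v in runonce_values if (m := CLEANUP_RE.search(v))]


def nested_wextract_chain(edges, paths, root, runonce_values):
    """True when every stage after the root runs from an IXPnnn.TMP directory
    with a strictly increasing index and each such directory has a matching
    RunOnce self-cleanup entry (the example's own rule, not the sandbox's)."""
    stages = [ixp_index(paths[p]) for p in process_chain(edges, root)][1:]
    if not stages or any(i is None for i in stages):
        return False
    if stages != sorted(stages) or len(set(stages)) != len(stages):
        return False
    cleaned = {ixp_index(d) for d in cleanup_dirs(runonce_values)}
    return set(stages) <= cleaned


def summarize(rows=WPM_ROWS, paths=PROCESS_PATHS, runonce=RUNONCE_VALUES, root=1320):
    """Chain of (pid, image name, IXP stage index), cleanup dirs, and verdict."""
    edges = parent_child_edges(rows)
    chain = process_chain(edges, root)
    return {
        "chain": [(p, paths[p].rsplit("\\", 1)[-1], ixp_index(paths[p])) for p in chain],
        "cleanup_dirs": cleanup_dirs(runonce),
        "nested_wextract": nested_wextract_chain(edges, paths, root, runonce),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

On a live host the same rule can be driven from Sysmon event 1 (parent/child pids and image paths) and event 13 (RunOnce value writes) instead of the report rows; the IXPnnn.TMP index and the DelNodeRunDLL32 target directory are the two fields worth correlating, because a cleanup entry whose directory no longer exists, or an IXP stage with no cleanup entry, points at an unpacker that was interrupted or at a directory the operator removed by hand.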
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 384KB
MD5: 8dcb877c5881732efbccf75e40cd5dd9
SHA1: 1e496ccd9859b6fbce949d568719d3567c88b5fd
SHA256: d9f006263e883a57253f593c03f22f698e26e9af8008c04d22ea5e5cae2d660d
SHA512: 54ab7f6aa815b9713c0a4c3a9404ddccbfc84028ab26a93dedfc038e8e0fc1f9fcb00064dcac4dc6d005ec07e1098db86d1b3772ecd17a8a279b47b76712a0de

Filesize: 168KB
MD5: 00d5f014502af495039408b2b6e0985f
SHA1: ed65fc6632a7e86d98730adb6f9f2c070c814647
SHA256: b9e7d6e2cf3913c40bdbe1bced012145bebca699285d2f2f075deb4620d7c8bf
SHA512: ad64fd240e4323c8dba34ea2b821eccf6d5801ae3946a7307fe6a455ff091884a6ae688530e187fa0fcf95cfdfef2f5f97c399de2a4770929593ed2790194983