Analysis
max time kernel: 141s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:14
Static task: static1
Behavioral task: behavioral1
Sample: 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe
Resource: win10v2004-20241007-en
General
Target: 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe
Size: 583KB
MD5: de55123746b9f325aa8449dc029c264b
SHA1: bbb114d0d1d8d66dc8332a107c1f7710edf3bf56
SHA256: 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d
SHA512: 6af7cc7f424a741d899aa214ba8dd49fe227258d2a4298a7226241ad9cfe017acd8a4b920c6bd640eb285b349952bfecdb7e37a53734ff8690db55ea2ccc9b78
SSDEEP: 12288:hMrdy90NqpuxXekO3cTibmcJ0kLws83eJqGPVlK:gyjuJeRcTibpx833G2
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 2 IoCs
pid Process
3272 dTX9541.exe
4748 npA86Iy.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" dTX9541.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dTX9541.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npA86Iy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4748 npA86Iy.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 2800 wrote to memory of 3272 2800 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe 86
PID 2800 wrote to memory of 3272 2800 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe 86
PID 2800 wrote to memory of 3272 2800 26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe 86
PID 3272 wrote to memory of 4748 3272 dTX9541.exe 87
PID 3272 wrote to memory of 4748 3272 dTX9541.exe 87
PID 3272 wrote to memory of 4748 3272 dTX9541.exe 87
Processes
- C:\Users\Admin\AppData\Local\Temp\26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\26ff6033f5e1f3b6189831e60a4fe806d8a28210a075159e40296919b1a66c5d.exe")
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTX9541.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTX9541.exe)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3272
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\npA86Iy.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\npA86Iy.exe)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:4748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 439KB
MD5: e5f30eb27b9c8f2c897031bd85672989
SHA1: bbe7925ae3b0f69455e3e3ed3489d8dfa41a0a99
SHA256: 112399b29b7a50995ae3c73fa0ef18e4e0253edd179513b27bbf7f2d6b813bd3
SHA512: 979087018ab6fbd758fa019a4873e8c153334de40f876e1f64303ec8036c792b7b5f71a6360a9357996fc2f422ca791cd9635dc398490d4c1769a649276dc2aa

Filesize: 302KB
MD5: 3ae325b7e23ade83ec4a82f60599bbd2
SHA1: 5dc22cc013fc250e419ac826ef7cb1fcb3728ef5
SHA256: 271a51784a7210356ba70dfd7e82d0c7c46316b6911925e1e6c955d5b3ecaa74
SHA512: a10c5bc435513e0583d9e5227347e1e62a5b1a6a25116f3a609b8d93d797c402ecc88041156f337b66ead158d9fe1a0000b71c1f114efd14c95d28cc26e026d3