Analysis
-
max time kernel
110s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 20:18
Static task
static1
Behavioral task
behavioral1
Sample
a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe
Resource
win10v2004-20241007-en
General
-
Target
a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe
-
Size
353KB
-
MD5
c123926b7ffbf91951c13ecda65182a0
-
SHA1
6d09fd31ba96b3b4a4eb3e10a1740cf8383b85dc
-
SHA256
a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5
-
SHA512
dd3b88f19d54b899d81223cfb24e4b217022ced246f511b2e79a86f0422292d870495cdac7ee5a24e9fab7a43cf633a86232e46de44486e46f94f3a36bb3aba7
-
SSDEEP
6144:ohubMBcCBYBTSDDPKxylSlohtwrcCSRaKQT5kTZtkjt:oYb4clS3PKxyl+ohtm+geGt
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
resource yara_rule behavioral2/memory/2028-5-0x0000000002B00000-0x0000000002B46000-memory.dmp family_redline behavioral2/memory/2028-7-0x0000000005510000-0x0000000005554000-memory.dmp family_redline behavioral2/memory/2028-9-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-11-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-71-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-49-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-8-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-69-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-67-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-65-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-63-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-61-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-59-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-57-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-55-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-53-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-51-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-47-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-46-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-43-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-41-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-40-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-37-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-35-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-33-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-31-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-29-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-27-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-25-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-23-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-21-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-19-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-17-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-15-0x0000000005510000-0x000000000554F000-memory.dmp family_redline behavioral2/memory/2028-13-0x0000000005510000-0x000000000554F000-memory.dmp family_redline -
Redline family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2028 a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe"C:\Users\Admin\AppData\Local\Temp\a326981a61046004106b79cd4fd2735e5dd45d492cf07e8f2ed6d729d7b11df5N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2028