Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:28

Static task: static1
Behavioral task: behavioral1
Sample: b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe
Resource: win10v2004-20241007-en
General
Target: b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe
Size: 567KB
MD5: 6664fe205bfb4e9b087164b396a1dc7d
SHA1: 4bee550f0575b515eeab1ab7e2e7ed1c36f0fba2
SHA256: b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6
SHA512: 3c76f2c4a448738f67e6177f4e38f009ea569d3615576f665d2a1e780db325d0864666ca70c8171b05441ebd94c75ef436a8a4b9c119d30d1d5a05d739c2042d
SSDEEP: 12288:XMrny90Pi4ipY8WYU/tpmTYFMl+Oe0tAgICVt+:QyWipYJY0Z+OJgft+
Malware Config
Extracted
Family: redline
Botnet: ronur
C2: 193.233.20.20:4134
Attributes
auth_value: f88f86755a528d4b25f6f3628c460965
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource  yara_rule
behavioral1/memory/2564-19-0x0000000004BF0000-0x0000000004C36000-memory.dmp  family_redline
behavioral1/memory/2564-21-0x0000000004CB0000-0x0000000004CF4000-memory.dmp  family_redline
behavioral1/memory/2564-73-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-57-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-53-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-37-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-27-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-23-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-22-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-81-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-85-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-83-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-79-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-77-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-75-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-71-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-69-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-67-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-65-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-63-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-61-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-59-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-55-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-51-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-49-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-47-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-45-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-43-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-41-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-39-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-35-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-33-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-31-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-30-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline
behavioral1/memory/2564-25-0x0000000004CB0000-0x0000000004CEE000-memory.dmp  family_redline

All 35 hits are memory snapshots of PID 2564 (nbe89fW.exe, the last stage): the YARA rule matches the unpacked RedLine payload in that process's memory, not the files written to disk, so disk-level hash matching alone would not identify the family.

Redline family
Executes dropped EXE (2 IoCs)
pid   Process
4064  dHM6615.exe
2564  nbe89fW.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  dHM6615.exe

Both values are the standard RunOnce cleanup entries written by the Windows IExpress self-extractor (wextract.exe): rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at the next logon. They show that the sample and dHM6615.exe are nested IExpress packages; they are not a persistence mechanism for the stealer, and neither Run nor RunOnce entry pointing at the payload is recorded in this report.
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                     Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dHM6615.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbe89fW.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             pid   Process
Token: SeDebugPrivilege  2564  nbe89fW.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process                                                                    procid_target
PID 3712 wrote to memory of 4064     3712  b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe  83
PID 3712 wrote to memory of 4064     3712  b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe  83
PID 3712 wrote to memory of 4064     3712  b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe  83
PID 4064 wrote to memory of 2564     4064  dHM6615.exe                                                                84
PID 4064 wrote to memory of 2564     4064  dHM6615.exe                                                                84
PID 4064 wrote to memory of 2564     4064  dHM6615.exe                                                                84

Each pair is a parent writing into the child it launched (the same parent/child pairs as the process tree in the Processes section); no process writes into an unrelated, already-running process, so the report records no cross-process injection, only the staged hand-off sample -> dHM6615.exe -> nbe89fW.exe.
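The "wrote to memory" rows are flat and repeated, which hides the chain they describe. The following added example (not part of the sandbox report) parses a copy of those rows together with the "Executes dropped EXE" rows, de-duplicates them into parent/child edges with a write count per pair, and rebuilds the process chain so it can be checked against the Processes section. The input text is a constructed copy of the report's rows; the regex and the `procid_target` handling assume the row layout shown above.

```python
import re
from collections import defaultdict

# Constructed copy of the report's "Suspicious use of WriteProcessMemory" rows.
# Row layout assumed: "PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
WPM_ROWS = """
PID 3712 wrote to memory of 4064 3712 b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe 83
PID 3712 wrote to memory of 4064 3712 b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe 83
PID 3712 wrote to memory of 4064 3712 b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe 83
PID 4064 wrote to memory of 2564 4064 dHM6615.exe 84
PID 4064 wrote to memory of 2564 4064 dHM6615.exe 84
PID 4064 wrote to memory of 2564 4064 dHM6615.exe 84
"""

# Constructed copy of the "Executes dropped EXE" rows: "<pid> <process>".
DROPPED_ROWS = """
4064 dHM6615.exe
2564 nbe89fW.exe
"""

# The second pid on each row must equal the writer pid (\1), which is a cheap
# sanity check that the row was not mangled by extraction.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm(text):
    """Return (counts, names): write events per (parent, child) pair and the
    image name of every process that appears as a writer."""
    counts = defaultdict(int)
    names = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, proc, _target = m.groups()
        counts[(int(src), int(dst))] += 1
        names[int(src)] = proc
    return counts, names


def parse_dropped(text):
    """Map pid -> image name for the dropped executables."""
    names = {}
    for line in text.strip().splitlines():
        pid, proc = line.split(None, 1)
        names[int(pid)] = proc
    return names


def build_tree(counts, names):
    """Roots (pids nobody wrote into) and a parent -> [children] map."""
    children = defaultdict(list)
    pids = set()
    for src, dst in counts:
        children[src].append(dst)
        pids.update((src, dst))
    targets = {dst for _, dst in counts}
    roots = sorted(p for p in pids if p not in targets)
    return roots, children


def chain(counts, names):
    """Depth-first list of (pid, name, depth), depth 1 at the root."""
    roots, children = build_tree(counts, names)
    out = []

    def walk(pid, depth):
        out.append((pid, names.get(pid, "?"), depth))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 1)
    return out


def render(counts, names):
    return "\n".join("  " * (depth - 1) + f"{depth}. {name} (PID {pid})"
                     for pid, name, depth in chain(counts, names))


if __name__ == "__main__":
    counts, names = parse_wpm(WPM_ROWS)
    names.update(parse_dropped(DROPPED_ROWS))
    print(render(counts, names))
    for (src, dst), n in sorted(counts.items()):
        print(f"{src} -> {dst}: {n} WriteProcessMemory events")
```

Run against the rows above this yields a single chain 3712 -> 4064 -> 2564 with three write events per edge, matching the three-level tree in the Processes section; any pid that appeared as a target without being in the tree would show up as a second root or a dangling child.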
Processes
1. C:\Users\Admin\AppData\Local\Temp\b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6.exe"
   PID: 3712
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dHM6615.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dHM6615.exe
      PID: 4064
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nbe89fW.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nbe89fW.exe
         PID: 2564
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 423KB
MD5: 5935a27000908a0668b0bc388684d54f
SHA1: d71b6e291729268ea3a05ae6d64512fe22dd36d4
SHA256: 6834be1db883a8bfcfc137c2e67780eda736a6671fb56e1a10ec0b713ee482db
SHA512: 3ca1ebb8a3d0a855a84c9721b17d6082f6ce3e5250cd7dddd0a103ae65c23a3a8ad05ed897bec2e7e267e13987be3c3835cd23e4a36e8a36be5f217c1e841792

Filesize: 272KB
MD5: 177f9dd4ae42485761283adda983c2e2
SHA1: 48f9de93664972108466b9fd6bbe509ad1a3f882
SHA256: 0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882
SHA512: f63d51c1d8525e70335a9580e529771edd9cc732b47aa5558dc77fbf9de76229fc6020c6a4a01dd662f925b69d63e9aacf21bd7a89766945884d010211b719e5
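The report's indicators (sample and dropped-file SHA256s, the RedLine C2 from the extracted config, the IXP00n.TMP stage names, the RunOnce write and the SeDebugPrivilege use by the last stage) are only useful once turned into detection logic. The following added example, which is not part of the sandbox report, does that in Python and runs it over a constructed set of telemetry records. The record schema (`type`, `image`, `sha256`, `key`, `value`, `dst_ip`, `dst_port`, `privilege`) is an assumption for the example, as is the constructed C2 connection: the report's Network section is empty, so no C2 traffic was actually captured in this run. The wextract cleanup match is deliberately rated informational so that IExpress cleanup entries do not get mistaken for persistence, while any other Run/RunOnce value is still flagged.

```python
import re

# Indicators copied from this report.
SAMPLE_SHA256 = "b9646e42c9e03ae7da396e28ffc28c80f2f4f7749a2dbd9f38c7286b5ea446b6"
DROPPED_SHA256 = {
    "6834be1db883a8bfcfc137c2e67780eda736a6671fb56e1a10ec0b713ee482db",  # 423KB download
    "0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882",  # 272KB download
}
C2_HOST, C2_PORT = "193.233.20.20", 4134          # extracted RedLine config
DROPPED_EXES = {"dHM6615.exe", "nbe89fW.exe"}      # "Executes dropped EXE"

# Shape of the IExpress (wextract) cleanup RunOnce value seen in the report:
#   rundll32.exe <...>\advpack.dll,DelNodeRunDLL32 "<...>\IXP00n.TMP\"
# This deletes the extraction directory at next logon and is not persistence.
WEXTRACT_RE = re.compile(
    r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "(?P<dir>.*?\\IXP\d{3}\.TMP\\?)"$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
                        re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(event):
    """Return [(severity, reason)] for one telemetry record (assumed schema)."""
    findings = []
    t = event["type"]
    if t == "process":
        sha = event.get("sha256", "").lower()
        if sha == SAMPLE_SHA256:
            findings.append(("high", "known sample hash"))
        if sha in DROPPED_SHA256:
            findings.append(("high", "known dropped-file hash"))
        name = basename(event["image"])
        if name in DROPPED_EXES and "\\IXP" in event["image"].upper():
            findings.append(("medium", f"dropped IExpress stage {name}"))
    elif t == "registry":
        if RUN_KEY_RE.search(event["key"]):
            m = WEXTRACT_RE.match(event["value"])
            if m:
                findings.append(("info", f"wextract cleanup of {m.group('dir')}"))
            else:
                findings.append(("medium", "Run/RunOnce persistence value"))
    elif t == "network":
        if event["dst_ip"] == C2_HOST and int(event["dst_port"]) == C2_PORT:
            findings.append(("high", f"RedLine C2 {C2_HOST}:{C2_PORT}"))
    elif t == "token":
        if event["privilege"] == "SeDebugPrivilege" and basename(event["image"]) in DROPPED_EXES:
            findings.append(("medium", "SeDebugPrivilege enabled by dropped stage"))
    return findings


def scan(events):
    """Flatten findings over a record list as (index, severity, reason)."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in classify(ev)]


SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


def max_severity(events):
    sevs = [s for _, s, _ in scan(events)]
    return max(sevs, key=SEVERITY_ORDER.__getitem__) if sevs else None


# Constructed telemetry modelled on the report's process tree and IoCs.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "process", "image": TMP + "\\" + SAMPLE_SHA256 + ".exe", "sha256": SAMPLE_SHA256},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'},
    {"type": "process", "image": TMP + r"\IXP000.TMP\dHM6615.exe",
     "sha256": "6834be1db883a8bfcfc137c2e67780eda736a6671fb56e1a10ec0b713ee482db"},
    {"type": "process", "image": TMP + r"\IXP001.TMP\nbe89fW.exe",
     "sha256": "0f316ce3a18b7930b2098f26db8be64ee8b31b36b49bada7ab15943cf7dbd882"},
    {"type": "token", "image": TMP + r"\IXP001.TMP\nbe89fW.exe", "privilege": "SeDebugPrivilege"},
    {"type": "network", "dst_ip": "193.233.20.20", "dst_port": 4134},   # constructed, not captured
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Admin\AppData\Roaming\updater.exe"},             # constructed contrast case
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for idx, sev, why in scan(EVENTS):
        print(f"event {idx}: [{sev}] {why}")
    print("overall:", max_severity(EVENTS))
```

The hash and C2 matches are high-confidence but brittle (a rebuilt sample changes every hash), the IXP00n.TMP stage names and the SeDebugPrivilege use by a dropped executable survive repacking better, and the RunOnce rule shows the caveat from the signatures: an advpack.dll,DelNodeRunDLL32 entry is IExpress cleanup and is logged only so the extraction directory can be collected before it is deleted at the next logon.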