Analysis
- max time kernel: 135s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:45
Static task: static1
Behavioral task: behavioral1
- Sample: 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe
- Resource: win10v2004-20241007-en
General
- Target: 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe
- Size: 1.8MB
- MD5: 77bc2cdf3e4efcbb2cfee2c92eb4b6aa
- SHA1: 73254d4ae23a2d0478d91dab9b15d1e24cf09569
- SHA256: b230b056eb2d38e63de99c3c1b75c1c38a5f0f067c56c8df3244ed8bf8ca8a70
- SHA512: df135615227c4dd43c650584bdce75c3e30c59da4c4a4c35b08cd67874f951e1ba193f54caccdc4f18eadbe61ee6123ee927342c5cdc7bcf201f8c8515ce2a0e
- SSDEEP: 49152:th0Q+/Sho3uXoodFprEz+Z+yEayHoLNDQpOW:t8uXoobprEz+wyEayHQRW
Malware Config
Extracted
- redline
- 45.9.20.70:81
- auth_value: 7e53b278a83b15f3e52ddfa119df9354
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1032-5-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Redline family
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3480 set thread context of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 3480 wrote to memory of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
  PID 3480 wrote to memory of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
  PID 3480 wrote to memory of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
  PID 3480 wrote to memory of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
  PID 3480 wrote to memory of 1032 | 3480 | 73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe | 85
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73254d4ae23a2d0478d91dab9b15d1e24cf09569.exe"
  PID: 3480
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of [1])
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 1032
    - System Location Discovery: System Language Discovery