Analysis
-
max time kernel
131s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09/11/2024, 19:48
Static task
static1
Behavioral task
behavioral1
Sample
9762eb306438f3e409c3aa851864c49b.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9762eb306438f3e409c3aa851864c49b.exe
Resource
win10v2004-20241007-en
General
-
Target
9762eb306438f3e409c3aa851864c49b.exe
-
Size
1.6MB
-
MD5
9762eb306438f3e409c3aa851864c49b
-
SHA1
51e37fc5211c540af24d83163b44baa816197af6
-
SHA256
68ea586b47a082031bce6c18e81f4b7a1980a698ca3bf8b355cfa9ff51f8e980
-
SHA512
d6edbdafd554ecae8c0113efa72a2d5c8b53481ffed00f09d09b8b55b09813d3d5546b003d6cef111ed1f526a55e1271e40e4bd00114abce7d1d924119b99840
-
SSDEEP
49152:/EOV4XkYUqLL4Tlt8KkI11pOenPGSm+SzKax0:/EOah5LL4Tlt9lOWQzKQ0
Malware Config
Extracted
family: redline
botnet: tinhieutuvutruVIP
c2: 64.52.175.252:12634
-
auth_value
5a1a5fc10437712fca433871e197d7b0
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/2504-8-0x0000000000400000-0x0000000000438000-memory.dmp | family_redline
-
Redline family
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3020 set thread context of 2504 | 3020 | 9762eb306438f3e409c3aa851864c49b.exe | 88
Read together with the WriteProcessMemory events from PID 3020 against the same child and the family_redline YARA hit on the 0x400000-0x438000 region of PID 2504, this is consistent with process hollowing: the dropper writes the RedLine payload into a freshly started InstallUtil.exe and redirects one of its threads to it with SetThreadContext.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Both the dropper (PID 3020) and the injected InstallUtil.exe (PID 2504) read the key, so the check runs in the payload as well as the loader.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9762eb306438f3e409c3aa851864c49b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
3020 | 9762eb306438f3e409c3aa851864c49b.exe (10 identical events)
-
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 3020 wrote to memory of 2504 | 3020 | 9762eb306438f3e409c3aa851864c49b.exe | 88 (5 identical events)
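The signatures above only become a verdict once they are joined: cross-process API use from the dropper into one child, plus a family YARA rule firing on a memory dump taken from that child. The script below is an added example, not part of this report or of any sandbox's own tooling; it re-derives that join from the report's own tables, which are embedded as constructed Python data. The list of .NET host binaries it flags is an assumption to extend for your environment, and the dump-name regex is assumed to match the `pid-n-0xbase-0xend-memory.dmp` naming used in the YARA table above.

```python
"""Correlate flattened sandbox signatures into a process-injection chain.

Added example (not part of the sandbox report or the sample). It reproduces
the hollowing verdict an analyst draws by hand: WriteProcessMemory and
SetThreadContext from a parent into the same child, joined with a family
YARA hit on a memory dump taken from that child.
"""
import re
from collections import defaultdict

# Constructed from the report's signature tables: (signature, description, pid, image).
SIGNATURES = [
    ("Suspicious use of SetThreadContext",
     "PID 3020 set thread context of 2504", 3020,
     "9762eb306438f3e409c3aa851864c49b.exe"),
] + [
    ("Suspicious use of WriteProcessMemory",
     "PID 3020 wrote to memory of 2504", 3020,
     "9762eb306438f3e409c3aa851864c49b.exe"),
] * 5

# Constructed from the report's process tree: pid -> image path.
PROCESSES = {
    3020: r"C:\Users\Admin\AppData\Local\Temp\9762eb306438f3e409c3aa851864c49b.exe",
    2504: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
}

# Constructed from the report's YARA table: (dump resource, rule name).
MEMORY_RULES = [
    ("behavioral2/memory/2504-8-0x0000000000400000-0x0000000000438000-memory.dmp",
     "family_redline"),
]

# .NET framework binaries commonly used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "applaunch.exe"}

INJECT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
# Assumed dump naming: <pid>-<n>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
API_BY_PHRASE = {"set thread context of": "SetThreadContext",
                 "wrote to memory of": "WriteProcessMemory"}


def parse_injection(description):
    """Return (source_pid, api_name, target_pid) from a signature row, or None."""
    m = INJECT_RE.search(description)
    if not m:
        return None
    return int(m.group(1)), API_BY_PHRASE[m.group(2)], int(m.group(3))


def parse_dump(resource):
    """Return (pid, base, end) for a memory-dump resource name, or None."""
    m = DUMP_RE.search(resource)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def find_hollowing(signatures, memory_rules, processes):
    """Report (parent, child) pairs where the parent both wrote the child's memory
    and replaced a thread context, and a family rule fired on the child's memory."""
    apis = defaultdict(set)           # (src, dst) -> {api names}
    for _name, description, _pid, _image in signatures:
        parsed = parse_injection(description)
        if parsed:
            src, api, dst = parsed
            apis[(src, dst)].add(api)

    hits = defaultdict(list)          # pid -> [(base, end, rule)]
    for resource, rule in memory_rules:
        parsed = parse_dump(resource)
        if parsed:
            pid, base, end = parsed
            hits[pid].append((base, end, rule))

    findings = []
    for (src, dst), used in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= used and hits.get(dst):
            image = processes.get(dst, "")
            findings.append({
                "parent": src,
                "child": dst,
                "child_image": image,
                "child_is_dotnet_host": image.rsplit("\\", 1)[-1].lower() in DOTNET_HOSTS,
                "apis": sorted(used),
                "payload_regions": [(hex(b), hex(e), r) for b, e, r in hits[dst]],
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SIGNATURES, MEMORY_RULES, PROCESSES):
        print(finding)
```

On this report the script yields a single finding: parent 3020 injected into child 2504 (InstallUtil.exe, a .NET host) using both APIs, with the RedLine rule matching the 0x400000-0x438000 region. A SetThreadContext row without any WriteProcessMemory row against the same child, or a YARA hit on a dump from a different PID, is deliberately not reported, which keeps the logic from firing on ordinary debugger or runtime activity.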
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\9762eb306438f3e409c3aa851864c49b.exe "C:\Users\Admin\AppData\Local\Temp\9762eb306438f3e409c3aa851864c49b.exe" (PID 3020)
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" (PID 2504, child of 3020)
      - System Location Discovery: System Language Discovery
      Note: InstallUtil.exe is started with no arguments. A legitimate invocation passes an assembly path to install or uninstall, so an argument-less InstallUtil.exe spawned from a user's Temp directory is a useful hunting condition on its own.
-