Analysis

max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:46

Static task: static1
Behavioral task: behavioral1
Sample: 69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe
Resource: win10v2004-20241007-en
General

Target: 69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe
Size: 583KB
MD5: d0befca875f38c3735912ec1408cff6f
SHA1: 8cb91e344cbea2c9d3a481b939b4aa7c2f066f11
SHA256: 69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857
SHA512: 55c815572c75f7e21ee4adbeb901d9c1b0b4640ff11108595ee16efa0232af6bdfdcc7a3750d6d67c124e3f4eca4372c9f52ade9563cf04126a3d77c83a78cbb
SSDEEP: 12288:BMrKy90d7WceG12zqM3aSOx09nXshwJYI1h/1uTsLF9WP5:by9chAqMWa9XsuJ31h/AwGh
Malware Config

Extracted
Family: redline
Botnet: ronam
C2: 193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs

resource  yara_rule
behavioral1/memory/4724-19-0x0000000002570000-0x00000000025B6000-memory.dmp  family_redline
behavioral1/memory/4724-21-0x0000000004D80000-0x0000000004DC4000-memory.dmp  family_redline
behavioral1/memory/4724-43-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-51-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-85-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-83-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-81-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-79-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-75-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-74-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-69-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-67-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-65-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-63-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-61-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-59-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-57-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-55-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-53-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-49-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-47-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-45-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-41-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-39-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-38-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-35-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-33-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-31-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-29-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-27-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-25-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-23-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-77-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-71-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline
behavioral1/memory/4724-22-0x0000000004D80000-0x0000000004DBE000-memory.dmp  family_redline

All 35 matches are in the memory of PID 4724 (the last-stage process); none are on disk, which is consistent with the payload only appearing unpacked at runtime.
Redline family
-
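The 35 memory IoCs above are per-snapshot dumps of only a couple of distinct allocations in PID 4724. Collapsing them into the regions a responder would actually carve is a small parsing exercise; the following is an added example, not sandbox tooling. The dump names are copied from the report (a subset of six, values unchanged), and the merge logic treats overlapping or abutting ranges in the same process as one region.

```python
"""Added example: collapse per-snapshot memory IoC names from the report into
the distinct regions of PID 4724 that the family_redline rule matched."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed: six of the 35 dump names from the report, unchanged.
DUMP_NAMES = [
    "behavioral1/memory/4724-19-0x0000000002570000-0x00000000025B6000-memory.dmp",
    "behavioral1/memory/4724-21-0x0000000004D80000-0x0000000004DC4000-memory.dmp",
    "behavioral1/memory/4724-22-0x0000000004D80000-0x0000000004DBE000-memory.dmp",
    "behavioral1/memory/4724-43-0x0000000004D80000-0x0000000004DBE000-memory.dmp",
    "behavioral1/memory/4724-51-0x0000000004D80000-0x0000000004DBE000-memory.dmp",
    "behavioral1/memory/4724-85-0x0000000004D80000-0x0000000004DBE000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, snapshot_seq, base, end) from a sandbox dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["base"], 16), int(m["end"], 16)


def merge_regions(names):
    """Return [(pid, base, end, hits)] with overlapping or abutting snapshot
    ranges of the same process merged; hits is how many snapshots touched it."""
    by_pid = defaultdict(list)
    for name in names:
        pid, _, base, end = parse_dump(name)
        by_pid[pid].append((base, end))

    merged = []
    for pid, ranges in by_pid.items():
        ranges.sort()
        cur_base, cur_end, hits = ranges[0][0], ranges[0][1], 0
        for base, end in ranges:
            if base <= cur_end:  # overlaps or abuts the open region
                cur_end = max(cur_end, end)
                hits += 1
            else:
                merged.append((pid, cur_base, cur_end, hits))
                cur_base, cur_end, hits = base, end, 1
        merged.append((pid, cur_base, cur_end, hits))
    return merged


def region_sizes(names):
    """Human-oriented view: (base as hex, size in bytes, snapshot hits)."""
    return [(hex(base), end - base, hits) for _, base, end, hits in merge_regions(names)]


if __name__ == "__main__":
    for pid, base, end, hits in merge_regions(DUMP_NAMES):
        print(f"pid {pid}: {base:#x}-{end:#x} ({end - base:#x} bytes, {hits} snapshots)")
```

Run against the full list from the report, the same merge yields the same two regions: 0x2570000 (0x46000 bytes, seen once) and 0x4D80000 (0x44000 bytes at its widest, seen in every other snapshot). Those two addresses, not 35 dump files, are what to carve from a live PID 4724 or from the memory dump the sandbox offers.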
Executes dropped EXE 2 IoCs

pid   Process
2216  nIn10sj20.exe
4724  egO75XX.exe
Adds Run key to start application 2 TTPs 2 IoCs

description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  nIn10sj20.exe

A wextract_cleanupN RunOnce value that calls advpack.dll,DelNodeRunDLL32 is what the IExpress/WEXTRACT self-extractor writes so that its IXPnnn.TMP extraction directory is deleted at the next logon. These two entries therefore indicate two nested self-extracting wrappers (the sample and nIn10sj20.exe), not persistence of the stealer itself.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

description  ioc  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nIn10sj20.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  egO75XX.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

description              pid   Process
Token: SeDebugPrivilege  4724  egO75XX.exe
Suspicious use of WriteProcessMemory 6 IoCs

description                       pid   Process  procid_target
PID 4916 wrote to memory of 2216  4916  69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe  83
PID 4916 wrote to memory of 2216  4916  69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe  83
PID 4916 wrote to memory of 2216  4916  69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe  83
PID 2216 wrote to memory of 4724  2216  nIn10sj20.exe  84
PID 2216 wrote to memory of 4724  2216  nIn10sj20.exe  84
PID 2216 wrote to memory of 4724  2216  nIn10sj20.exe  84

Each parent-to-child write is recorded three times; the distinct pairs are 4916 -> 2216 and 2216 -> 4724, matching the process tree below.
Processes

1. C:\Users\Admin\AppData\Local\Temp\69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe"
   PID: 4916
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIn10sj20.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIn10sj20.exe
      PID: 2216
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\egO75XX.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\egO75XX.exe
         PID: 4724
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
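The process tree, the WriteProcessMemory records and the two wextract_cleanup RunOnce values describe the same thing from three angles: a three-stage chain in which each stage is an IExpress package unpacking the next into an IXPnnn.TMP directory. The following is an added example (not the sandbox's own tooling) that rebuilds the chain from those records and confirms, for each parent, that its child image sits inside the directory the parent scheduled for cleanup. All input values are copied from the report; the record parsing and the correlation are the illustration.

```python
"""Added example: rebuild the sandbox process tree from its WriteProcessMemory
records and tie each dropped child to the IExpress (wextract) cleanup RunOnce
value written by its parent."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "69fc5861148bc1e68389f57aa764a56873ebc836d72ee0567f9b1d0ee056c857.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's "Suspicious use of WriteProcessMemory" table.
# The sandbox records the same spawn several times; duplicates are kept on
# purpose so the parser has to collapse them.
SPAWN_RECORDS = [
    f"PID 4916 wrote to memory of 2216 4916 {SAMPLE} 83",
    f"PID 4916 wrote to memory of 2216 4916 {SAMPLE} 83",
    f"PID 4916 wrote to memory of 2216 4916 {SAMPLE} 83",
    "PID 2216 wrote to memory of 4724 2216 nIn10sj20.exe 84",
    "PID 2216 wrote to memory of 4724 2216 nIn10sj20.exe 84",
]

# Constructed from the report's "Adds Run key" table: (value name, data, writer).
REG_RECORDS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     SAMPLE),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "nIn10sj20.exe"),
]

# Constructed from the report's process tree: pid -> image path.
IMAGE_PATHS = {
    4916: ntpath.join(TEMP, SAMPLE),
    2216: ntpath.join(TEMP, "IXP000.TMP", "nIn10sj20.exe"),
    4724: ntpath.join(TEMP, "IXP001.TMP", "egO75XX.exe"),
}

SPAWN_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "([^"]+)"')


def parse_spawns(lines):
    """Return {parent_pid: {child_pid, ...}}; the set drops repeated records."""
    tree = defaultdict(set)
    for line in lines:
        m = SPAWN_RE.match(line.strip())
        if m:
            tree[int(m.group(1))].add(int(m.group(2)))
    return dict(tree)


def execution_chain(tree, root):
    """Follow single-child links from root, e.g. [4916, 2216, 4724]."""
    chain = [root]
    while len(tree.get(chain[-1], ())) == 1:
        chain.append(next(iter(tree[chain[-1]])))
    return chain


def parse_cleanup_dirs(records):
    """Map each process (lower-cased image name) that wrote a wextract_cleanupN
    RunOnce value to the extraction directory it scheduled for deletion."""
    dirs = {}
    for key, value, proc in records:
        if "wextract_cleanup" not in key.lower():
            continue
        m = CLEANUP_RE.search(value)
        if m:
            dirs[proc.lower()] = m.group(1).rstrip("\\")
    return dirs


def nested_packages(tree, images, cleanup_dirs):
    """Return [(parent_pid, child_pid, extraction_dir)] for every child whose
    image lives inside the IXP directory its parent marked for cleanup."""
    hits = []
    for parent, children in tree.items():
        tmp = cleanup_dirs.get(ntpath.basename(images[parent]).lower())
        if tmp is None:
            continue
        for child in sorted(children):
            if images[child].lower().startswith(tmp.lower() + "\\"):
                hits.append((parent, child, tmp))
    return hits


def nested_chain():
    """Convenience wrapper over the report data embedded above."""
    return nested_packages(parse_spawns(SPAWN_RECORDS), IMAGE_PATHS,
                           parse_cleanup_dirs(REG_RECORDS))


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, execution_chain(parse_spawns(SPAWN_RECORDS), 4916))))
    for parent, child, tmp in nested_chain():
        print(f"{parent} unpacked {child} into {tmp} (IExpress stage)")
```

The practical reading: two IExpress layers are just packaging, and the only stage worth reversing is egO75XX.exe (PID 4724), which is also the only process that requests SeDebugPrivilege and the only one whose memory matches the family_redline rule.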
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 438KB
MD5: 58488ddeaf2449b44c881eb9eda29994
SHA1: 1b89ee6860fd4f14dd5cc8e55f38832ffc2cb508
SHA256: 382324b81721ab4619de9d7bbbe48841716fb95b164eced7d8a830a0c3bfbc76
SHA512: 9bf645fb15f5561e5b55591bcec9914595922fd4b0a973026e5ab50d3fb177a62554317eddb61bd79d5e13628bfb8529f1d835763d720a4d1410577461a84bfe

File 2
Filesize: 298KB
MD5: 56104654a290de3b309be77f180397ad
SHA1: ff007a7bb24a41681b4209ae0b686fde0d29116f
SHA256: ae36b4154ab3e8fddbe9427ae45003752ec3d70108fa321c9fbcd987789bf3a7
SHA512: fcbf7b2b9b4c82087b667bea595d093d4f4f58e1b36ec283aeb48bd70370e5701331762b9a85613d3aae711548dc958f4b63d266f4a9e33adee625b0536e55c0