Analysis
  max time kernel: 148s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/11/2024, 19:46

Static task: static1

Behavioral task: behavioral1
  Sample: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  Resource: win10v2004-20241007-en
General
  Target: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  Size: 1.4MB
  MD5: 5c861fa7e8aa8e48c458ce7453352748
  SHA1: 6a131184636d6efbf0d9d705c7d5d547f1745863
  SHA256: 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
  SHA512: ea89f6ec9c78136667cdc99e09d410875802d4ef586208873174cc13a990293c8afb50ee99f2ba0ae84c41540711fcb9e42ec668859eec45fe33b0cd6464f4d5
  SSDEEP: 24576:Ty3DuAnDD9qfk6ft6J/iYVhw8DIAu4YR1TtrlEy9gK8n6S83w5d4j6J3:myU/7qa1uZR1Tq56Sewjb
Malware Config
  Extracted
    Family: redline
    Botnet: most
    C2: 185.161.248.73:4164
    Attributes
      auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b5e-33.dat | family_redline
  behavioral1/memory/2872-35-0x0000000000510000-0x0000000000540000-memory.dmp | family_redline

Redline family

Executes dropped EXE (5 IoCs)
  pid | Process
  4252 | i89324392.exe
  1612 | i07777833.exe
  1072 | i33379376.exe
  1300 | i52230489.exe
  2872 | a40413450.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i89324392.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i07777833.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i33379376.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i52230489.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i89324392.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i07777833.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i33379376.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i52230489.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a40413450.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4360 wrote to memory of 4252 | 4360 | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | 84
  PID 4360 wrote to memory of 4252 | 4360 | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | 84
  PID 4360 wrote to memory of 4252 | 4360 | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe | 84
  PID 4252 wrote to memory of 1612 | 4252 | i89324392.exe | 86
  PID 4252 wrote to memory of 1612 | 4252 | i89324392.exe | 86
  PID 4252 wrote to memory of 1612 | 4252 | i89324392.exe | 86
  PID 1612 wrote to memory of 1072 | 1612 | i07777833.exe | 87
  PID 1612 wrote to memory of 1072 | 1612 | i07777833.exe | 87
  PID 1612 wrote to memory of 1072 | 1612 | i07777833.exe | 87
  PID 1072 wrote to memory of 1300 | 1072 | i33379376.exe | 88
  PID 1072 wrote to memory of 1300 | 1072 | i33379376.exe | 88
  PID 1072 wrote to memory of 1300 | 1072 | i33379376.exe | 88
  PID 1300 wrote to memory of 2872 | 1300 | i52230489.exe | 89
  PID 1300 wrote to memory of 2872 | 1300 | i52230489.exe | 89
  PID 1300 wrote to memory of 2872 | 1300 | i52230489.exe | 89
Processes

1. C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4360
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4252
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1612
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1072
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 1300
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
  MD5: 56f99dcf4769ad94475b2a3e385df7d6
  SHA1: ed74096779e730c722936fb5d801eed8f5954690
  SHA256: 22bfe184cfd7cdaa688996a4bd0f9905df5974f8593db8f4653b5cf067445647
  SHA512: c260df906606a895f848a9edad464670eca5fcc903382dfb56171e830c20a5371804e7a1da8010ed1bb224c408263ed911df2ac2d9fb174784fa0b8fd3500e20

Filesize: 1000KB
  MD5: 30b50206b81e64e42387a3978250a621
  SHA1: 706973766bd1ac82df56582cf7373c863d9c5968
  SHA256: ebc43d9668df22cdce448f429903b80039f814cca8819fcae555cb33c3e14c54
  SHA512: 94e803afec1013ed773fb2f0c41dea46720c6c8398ed1d66ca7464634b17fa44ca9b662ef6a188a8a20d9f8e8ee90ae70514710ea17058aab0226440cbe60e1f

Filesize: 828KB
  MD5: 1ab762700633e3d5986313b195d2f943
  SHA1: 8b072b0b0524d8550533d2197eed3ddc3a719556
  SHA256: 3df7a12fe0e2395c6e1843ba0affbd3f1f0aaa6a73c86759eddfad9f6d66a851
  SHA512: 154d80251596de6a4a20c40f8aa7a8c23a9533c96c156181b4dec937c1ca23e6cf12560f35554ce84598ac9db637bf11ff5efe4b757b83c0f5eda4b625d91177

Filesize: 363KB
  MD5: 1b4f78619e0b825ec684b6ec596677b9
  SHA1: 2165630b91acbf5b4cd054fcfee91f60741fc31a
  SHA256: cdcddd98edcfdf812d6d135766a2c5112626a0bc55e7074f15cfca59d86c725a
  SHA512: 5e9eb2a950549541555995ab5ddd284c50454103f74214cffb348268ebeac559d65129aff37ed2f2fddb686db1a9dd64ff3d44035260d05b0b89c2a1ae8f204d

Filesize: 169KB
  MD5: 42c797dd79cf627f18bdafc02154aaac
  SHA1: 4bc76f54be567295d68d78bfcd766944b1229f49
  SHA256: 922d50cb151fb9f0d087982b84bea6d9ef37879989d06146f3876222060950ee
  SHA512: c3328b4eae57991a4d9c3d08ecd92679758b9cb435669eeda5bfa25357acf13f8a04b085e9344b50f7df322ee1cba22b1768e128514d23a6dfc0a0f9afae411b