Analysis

max time kernel: 131s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:47

Static task: static1
Behavioral task: behavioral1
Sample: 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
Resource: win10v2004-20241007-en
General

Target: 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
Size: 1.1MB
MD5: 8acc755fc8b92aa616b90f552712e9d4
SHA1: 6e882859bc31cba4853c97f1a61a8a7a78a3d559
SHA256: 905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d
SHA512: 2db346857d597c091c2ff2e0fb2364061196a177bf27f5df16a1f341ca4d9e1689c6974265b2c9c5271bef91e1e5553ebc25c3c4f43583b9e36f4f494bae0dab
SSDEEP: 24576:gyAcbCKygHukc/KY7LrNBKMZv69yNQJmJhG5:nvCKyuMpBKMZpnJhG
Malware Config

Extracted
Family: redline
Botnet: dedu
C2: 185.161.248.75:4132
auth_value: 43fb2cf55df7896aeff6ce27ec070fea
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                    yara_rule
behavioral1/files/0x000b000000023b94-19.dat                                 family_redline
behavioral1/memory/468-21-0x0000000000D80000-0x0000000000DAA000-memory.dmp  family_redline
The memory dump was taken from PID 468 (f1556528.exe, the last process in the tree below), so the RedLine payload is the innermost stage, not the submitted file itself.

Redline family
Executes dropped EXE (3 IoCs)
pid   Process
4496  x9572884.exe
2748  x8910133.exe
468   f1556528.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description      ioc                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x9572884.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  x8910133.exe
Caveat: these RunOnce values are not persistence for the stealer. wextract_cleanupN with advpack.dll,DelNodeRunDLL32 is the standard cleanup entry written by the wextract.exe (IExpress) self-extractor stub; it deletes the IXPnnn.TMP staging directory at next logon. What is notable here is the nesting: each of the three entries is written by a process that was itself unpacked into the previous IXPnnn.TMP directory, i.e. three stacked self-extractors wrapping the payload.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc                                                    Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x9572884.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x8910133.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f1556528.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description  pid   Process                                                                 procid_target
PID 1272 wrote to memory of 4496  1272  905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe  84
PID 1272 wrote to memory of 4496  1272  905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe  84
PID 1272 wrote to memory of 4496  1272  905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe  84
PID 4496 wrote to memory of 2748  4496  x9572884.exe  85
PID 4496 wrote to memory of 2748  4496  x9572884.exe  85
PID 4496 wrote to memory of 2748  4496  x9572884.exe  85
PID 2748 wrote to memory of 468   2748  x8910133.exe  87
PID 2748 wrote to memory of 468   2748  x8910133.exe  87
PID 2748 wrote to memory of 468   2748  x8910133.exe  87
Every write goes from a parent to the child it has just launched (1272 -> 4496 -> 2748 -> 468), matching the process tree below rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe  (PID 1272)
   command line: "C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe  (PID 4496)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe  (PID 2748)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe  (PID 468)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
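The process tree above is a chain of self-extractors: each stage runs from the IXPnnn.TMP directory created by the previous one and writes its own wextract_cleanupN RunOnce value. A single such layer is common in legitimate IExpress installers, so the useful hunt is for the nesting rather than for the cleanup key alone. The following is an added example, not part of the sandbox report or of any vendor tooling: it replays constructed registry and process-creation records built from the behaviours listed above (the record schema with type, image, parent_image, value and data fields is an assumed telemetry layout, not a real EDR format) and flags a tree whose SFX layers are stacked.

```python
"""Hunt for nested IExpress/wextract self-extractor chains in endpoint telemetry.

Added example, not part of the sandbox report or any vendor tooling. The event
records are constructed from the behaviours the report lists; the record schema
(type, image, parent_image, value, data) is an assumption about the telemetry
source, not a real EDR format.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# wextract.exe (the IExpress SFX stub) unpacks into %TEMP%\IXPnnn.TMP and writes a
# RunOnce value "wextract_cleanupN" that calls advpack!DelNodeRunDLL32 to delete
# that directory at next logon. One such layer is normal for legitimate installers.
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
CLEANUP_VALUE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
CLEANUP_DATA = re.compile(r"advpack\.dll,\s*DelNodeRunDLL32", re.IGNORECASE)


def in_ixp_dir(path: str) -> bool:
    """True if the image lives inside a wextract staging directory."""
    return IXP_DIR.search(path) is not None


def classify_registry_event(ev: Dict[str, str]) -> Optional[str]:
    """Label a registry Set-value event as a root or a nested SFX cleanup key."""
    if ev.get("type") != "registry_set":
        return None
    if not (CLEANUP_VALUE.search(ev["value"]) and CLEANUP_DATA.search(ev["data"])):
        return None
    # An SFX whose own image already sits in IXPnnn.TMP was dropped by an outer
    # SFX: that is the stacking seen in the report, not a plain installer.
    return "sfx_nested" if in_ixp_dir(ev["image"]) else "sfx_root"


def sfx_chain_depth(events: Iterable[Dict[str, str]]) -> int:
    """Number of IXP-resident process stages along the longest parent->child chain."""
    children: Dict[str, List[str]] = {}
    for ev in events:
        if ev.get("type") == "process_create" and in_ixp_dir(ev["image"]):
            children.setdefault(ev["parent_image"], []).append(ev["image"])

    def stages_below(image: str) -> int:
        return max((1 + stages_below(c) for c in children.get(image, [])), default=0)

    roots = [p for p in children if not in_ixp_dir(p)]
    return max((stages_below(r) for r in roots), default=0)


def hunt(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate per-event labels into a verdict for the whole process tree."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        label = classify_registry_event(ev)
        if label:
            findings.append((label, ev["image"]))
    depth = sfx_chain_depth(events)
    nested = depth >= 2 or any(label == "sfx_nested" for label, _ in findings)
    return {"findings": findings, "depth": depth,
            "verdict": "nested_sfx_chain" if nested else "single_sfx"}


# Constructed sample input mirroring the report's process tree and RunOnce values.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE0 = TEMP + r"\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe"
STAGE1 = TEMP + r"\IXP000.TMP\x9572884.exe"
STAGE2 = TEMP + r"\IXP001.TMP\x8910133.exe"
STAGE3 = TEMP + r"\IXP002.TMP\f1556528.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def cleanup_event(image: str, n: int) -> Dict[str, str]:
    """Constructed registry event in the shape of the wextract_cleanupN values above."""
    return {"type": "registry_set", "image": image,
            "value": f"{RUNONCE}\\wextract_cleanup{n}",
            "data": f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{TEMP}\\IXP00{n}.TMP\\"'}


def spawn_event(parent: str, child: str) -> Dict[str, str]:
    """Constructed process-creation event."""
    return {"type": "process_create", "parent_image": parent, "image": child}


REPORT_EVENTS = [
    cleanup_event(STAGE0, 0), spawn_event(STAGE0, STAGE1),
    cleanup_event(STAGE1, 1), spawn_event(STAGE1, STAGE2),
    cleanup_event(STAGE2, 2), spawn_event(STAGE2, STAGE3),
]

# Constructed control: a single-layer IExpress installer (hypothetical file names).
BENIGN_EVENTS = [
    cleanup_event(r"C:\Users\Admin\Downloads\vendor_installer.exe", 0),
    spawn_event(r"C:\Users\Admin\Downloads\vendor_installer.exe", TEMP + r"\IXP000.TMP\setup.exe"),
]

if __name__ == "__main__":
    for name, evs in (("report", REPORT_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, hunt(evs))
```

Run against the constructed report events the verdict is nested_sfx_chain with depth 3 (x9572884.exe, x8910133.exe and f1556528.exe all run from IXP directories), while the single-layer control yields single_sfx with one root cleanup key and depth 1. The classification keys on the writer of the RunOnce value, not on the value itself, which is what separates the stacked packer from an ordinary installer.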
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 750KB
MD5: 1f936525487ee3390a2f40543dd362a9
SHA1: 9bee10624dcb45e4ab975aeb334a447da6b5673e
SHA256: 7df3ff2c961e5e492af90a7c100d981cd6c8ed5cd0f4714061e8826858e799aa
SHA512: bcf627c4ca1bc7afededeaf8f73195e52935a9c336bbcfdcd194d1cc9b94aa87bcf11ebcd2414180822e98ea64e76401d97fa7da8b3c9df4146b23f118ceffb1

Filesize: 305KB
MD5: 691b863b119613d2123e13d8a800bc49
SHA1: ab2c44f0fe8efff78f0ac1c72626ffee39b7a3e7
SHA256: 40a1996d7687379818189391391219f55125b7c46bae19345ed9a21bb17e4503
SHA512: 9069b2e3728b19164a7ff4de5a35661d9f72bbce873ed637d7fd76aa593fd3b228abf33684a74c281e36c166eee481e9cd609ba996cb020af5ee273431adc657

Filesize: 145KB
MD5: f64f648b9ef280bbee7159a5f4f70182
SHA1: b7a292a9eaaf559ab327606301cdcff3e3235a42
SHA256: 381c68a6d8555975dd16ed9d48b3fbccba8c0a84dac6b00d9ad28a9143843130
SHA512: 746dc58b87c8d183de27cf9a37bf478982e4b3b6f3b268d459bd1ee5d3a985fc79f30e46a328ebc22b62f52ccad22ffc0bcdef68b9e592c24b2ea3ef57f0c445