Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 19:47

General

  • Target

    905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe

  • Size

    1.1MB

  • MD5

    8acc755fc8b92aa616b90f552712e9d4

  • SHA1

    6e882859bc31cba4853c97f1a61a8a7a78a3d559

  • SHA256

    905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d

  • SHA512

    2db346857d597c091c2ff2e0fb2364061196a177bf27f5df16a1f341ca4d9e1689c6974265b2c9c5271bef91e1e5553ebc25c3c4f43583b9e36f4f494bae0dab

  • SSDEEP

    24576:gyAcbCKygHukc/KY7LrNBKMZv69yNQJmJhG5:nvCKyuMpBKMZpnJhG

Malware Config

Extracted

Family

redline

Botnet

dedu

C2

185.161.248.75:4132

Attributes
  • auth_value

    43fb2cf55df7896aeff6ce27ec070fea

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe
    "C:\Users\Admin\AppData\Local\Temp\905ce9e975075c5fdfb7951fa41f2c8e56eb97e773a8fd269fceac85d03d371d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:468

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9572884.exe

          Filesize

          750KB

          MD5

          1f936525487ee3390a2f40543dd362a9

          SHA1

          9bee10624dcb45e4ab975aeb334a447da6b5673e

          SHA256

          7df3ff2c961e5e492af90a7c100d981cd6c8ed5cd0f4714061e8826858e799aa

          SHA512

          bcf627c4ca1bc7afededeaf8f73195e52935a9c336bbcfdcd194d1cc9b94aa87bcf11ebcd2414180822e98ea64e76401d97fa7da8b3c9df4146b23f118ceffb1

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8910133.exe

          Filesize

          305KB

          MD5

          691b863b119613d2123e13d8a800bc49

          SHA1

          ab2c44f0fe8efff78f0ac1c72626ffee39b7a3e7

          SHA256

          40a1996d7687379818189391391219f55125b7c46bae19345ed9a21bb17e4503

          SHA512

          9069b2e3728b19164a7ff4de5a35661d9f72bbce873ed637d7fd76aa593fd3b228abf33684a74c281e36c166eee481e9cd609ba996cb020af5ee273431adc657

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1556528.exe

          Filesize

          145KB

          MD5

          f64f648b9ef280bbee7159a5f4f70182

          SHA1

          b7a292a9eaaf559ab327606301cdcff3e3235a42

          SHA256

          381c68a6d8555975dd16ed9d48b3fbccba8c0a84dac6b00d9ad28a9143843130

          SHA512

          746dc58b87c8d183de27cf9a37bf478982e4b3b6f3b268d459bd1ee5d3a985fc79f30e46a328ebc22b62f52ccad22ffc0bcdef68b9e592c24b2ea3ef57f0c445

        • memory/468-21-0x0000000000D80000-0x0000000000DAA000-memory.dmp

          Filesize

          168KB

        • memory/468-22-0x0000000005CD0000-0x00000000062E8000-memory.dmp

          Filesize

          6.1MB

        • memory/468-23-0x0000000005850000-0x000000000595A000-memory.dmp

          Filesize

          1.0MB

        • memory/468-24-0x0000000005780000-0x0000000005792000-memory.dmp

          Filesize

          72KB

        • memory/468-25-0x00000000057E0000-0x000000000581C000-memory.dmp

          Filesize

          240KB

        • memory/468-26-0x0000000005960000-0x00000000059AC000-memory.dmp

          Filesize

          304KB