Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: 080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Resource: win10v2004-20241007-en
General
Target: 080d5e0df5344f34103a43c1f0e843fe4b500602.exe
Size: 707.1MB
MD5: 4f400459a47500d9d790c3dd3ee49ffe
SHA1: 080d5e0df5344f34103a43c1f0e843fe4b500602
SHA256: 75574fa51c4f64542ebfc59af5468d42a1c8cb9b60f9a4b954155f4388e5c2fa
SHA512: b7d4128573294b8287f3f90c29032ca08ba3a34e563c2086b13fe91432b88718705c6ef744e342ce998088bfaf8cc93f573b78a71aa43ae4c28bae44ae88acf8
SSDEEP: 6144:wVn/17INOTnCoNiV+GAnmKW30z2psSOdAOC6gnTf7YZav7GY5uQY8gqs9TOXr8L3:wVn/1TTnjNiV+GUw6ggZiQQYpqf+3
Malware Config
Extracted
family: redline
2002149709_99
C2: nordforest.xyz:28786
C2: bayrak.top:28786
auth_value: a2bd7a8522ba1b2edd63001da08d94d8
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/90220-3-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/90220-10-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/90220-9-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline

Redline family
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2936 set thread context of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
PID 2936 wrote to memory of 90220 | 2936 | 080d5e0df5344f34103a43c1f0e843fe4b500602.exe | 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\080d5e0df5344f34103a43c1f0e843fe4b500602.exe
   "C:\Users\Admin\AppData\Local\Temp\080d5e0df5344f34103a43c1f0e843fe4b500602.exe"
   PID: 2936
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of 1)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 90220
      - System Location Discovery: System Language Discovery