Analysis

  max time kernel:  148s
  max time network: 155s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        09/11/2024, 21:15
Static task
  static1

Behavioral task
  behavioral1
  Sample:   080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample:   080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Resource: win10v2004-20241007-en
General

  Target: 080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Size:   707.1MB
  MD5:    4f400459a47500d9d790c3dd3ee49ffe
  SHA1:   080d5e0df5344f34103a43c1f0e843fe4b500602
  SHA256: 75574fa51c4f64542ebfc59af5468d42a1c8cb9b60f9a4b954155f4388e5c2fa
  SHA512: b7d4128573294b8287f3f90c29032ca08ba3a34e563c2086b13fe91432b88718705c6ef744e342ce998088bfaf8cc93f573b78a71aa43ae4c28bae44ae88acf8
  SSDEEP: 6144:wVn/17INOTnCoNiV+GAnmKW30z2psSOdAOC6gnTf7YZav7GY5uQY8gqs9TOXr8L3:wVn/1TTnjNiV+GUw6ggZiQQYpqf+3
Malware Config

Extracted
  Family:     redline
  Botnet:     2002149709_99
  C2:         nordforest.xyz:28786
              bayrak.top:28786
  auth_value: a2bd7a8522ba1b2edd63001da08d94d8
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  Resource                                                                        YARA rule
  behavioral2/memory/98296-1-0x0000000000400000-0x000000000041E000-memory.dmp     family_redline

Redline family

Suspicious use of SetThreadContext (1 IoC)
  Description                             PID   Process                                          Target
  PID 3364 set thread context of 98296    3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93

Program crash (1 IoC)
  PID     Target PID   Process        Target
  98428   3364         WerFault.exe   82
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  Description   IoC                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   080d5e0df5344f34103a43c1f0e843fe4b500602.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AppLaunch.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  Description                        PID   Process                                          Target
  PID 3364 wrote to memory of 98296  3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93
  PID 3364 wrote to memory of 98296  3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93
  PID 3364 wrote to memory of 98296  3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93
  PID 3364 wrote to memory of 98296  3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93
  PID 3364 wrote to memory of 98296  3364  080d5e0df5344f34103a43c1f0e843fe4b500602.exe     93
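Read together, the SetThreadContext and WriteProcessMemory rows describe a process-hollowing sequence: the sample (PID 3364) starts the .NET host AppLaunch.exe (PID 98296) with no arguments, writes into it five times and then redirects a thread with SetThreadContext; the family_redline memory hit at 0x400000-0x41E000 inside PID 98296 is consistent with the payload living in that hollowed host. The Python below is an added example and not the sandbox's own detection logic. It turns the rows above into constructed events and flags source/target pairs that show both remote writes and a thread-context change, escalating when the target is a known host binary started without arguments. The event schema, the INJECTION_HOSTS list, the "no arguments" heuristic and the benign debugger event are assumptions made for the example.

```python
"""Spot a process-hollowing chain (remote memory writes followed by a
SetThreadContext on the same target) in behaviour events shaped like the
Signatures tables of this report.

Added example, not the sandbox's own detection code.  The event dict schema,
the INJECTION_HOSTS list and the "host started without arguments" heuristic
are assumptions made for the example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed Windows/.NET binaries that loaders commonly start suspended and
# hollow out.  Assumed list; extend it for the environment being monitored.
INJECTION_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "vbc.exe", "csc.exe", "aspnet_compiler.exe",
}


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (optionally quoted) executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


@dataclass
class Chain:
    source_image: str
    target_image: str
    target_cmdline: str
    writes: int = 0
    thread_context_set: bool = False


def find_hollowing(events):
    """Group cross-process events by (source pid, target pid) and keep the
    pairs showing at least one WriteProcessMemory AND a SetThreadContext.
    A lone remote write (debuggers, some installers) is not enough."""
    chains = {}
    for ev in events:
        key = (ev["pid"], ev["target_pid"])
        chain = chains.setdefault(
            key, Chain(ev["process"], ev["target_image"], ev.get("target_cmdline", "")))
        if ev["api"] == "WriteProcessMemory":
            chain.writes += 1
        elif ev["api"] == "SetThreadContext":
            chain.thread_context_set = True
    return {k: c for k, c in chains.items() if c.writes and c.thread_context_set}


def severity(chain: Chain) -> str:
    """'high' when the hollowed target is a known host binary that was started
    with no arguments (it has nothing legitimate to run), else 'medium'."""
    host = PureWindowsPath(chain.target_image).name.lower()
    if host in INJECTION_HOSTS and not has_arguments(chain.target_cmdline):
        return "high"
    return "medium"


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\080d5e0df5344f34103a43c1f0e843fe4b500602.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed events: the five WriteProcessMemory rows and the SetThreadContext
# row from the report (PID 3364 -> PID 98296), plus one constructed benign
# remote write from a hypothetical debugger that must not be flagged.
REPORT_EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 3364, "target_pid": 98296,
      "process": SAMPLE, "target_image": HOST, "target_cmdline": f'"{HOST}"'}] * 5
    + [{"api": "SetThreadContext", "pid": 3364, "target_pid": 98296,
        "process": SAMPLE, "target_image": HOST, "target_cmdline": f'"{HOST}"'},
       {"api": "WriteProcessMemory", "pid": 4000, "target_pid": 4100,
        "process": r"C:\Tools\debugger.exe", "target_image": r"C:\Tools\app.exe",
        "target_cmdline": r"C:\Tools\app.exe --verbose"}]
)


def main():
    for (src, dst), chain in find_hollowing(REPORT_EVENTS).items():
        print(f"[{severity(chain)}] pid {src} ({PureWindowsPath(chain.source_image).name}) "
              f"wrote {chain.writes}x into pid {dst} "
              f"({PureWindowsPath(chain.target_image).name}) and set its thread context")


if __name__ == "__main__":
    main()
```

Run stand-alone it reports the single chain from this analysis as high severity and stays silent on the debugger write. The same grouping works over Sysmon event IDs 8 and 10 or EDR API telemetry once the fields are mapped onto the dict keys; requiring both APIs on one pair is what keeps single remote writes from firing.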
Processes

  C:\Users\Admin\AppData\Local\Temp\080d5e0df5344f34103a43c1f0e843fe4b500602.exe
    "C:\Users\Admin\AppData\Local\Temp\080d5e0df5344f34103a43c1f0e843fe4b500602.exe"
    PID: 3364
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 98296
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 94804
      PID: 98428
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3364 -ip 3364
    PID: 98368