Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 21:17
Static task: static1
Behavioral task: behavioral1
Sample: 4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe
Resource: win10v2004-20241007-en
General
Target: 4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe
Size: 581KB
MD5: 5127153e9b8454f0b8ae554645ef3e35
SHA1: bee274d3c42e35d4ffbea7fef77db22b63913032
SHA256: 4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d
SHA512: 9bcd3f28037c71edd2ea2077dd8800d2bde56e82bfa5cbcd52654de26bffc4c4a7d9a31858eb414c40fc2ede3e7f35bf0438bcb805e376a6e63ec44cd4d5df90
SSDEEP: 12288:aMrAy901uUAKlHvF5m8765E7Uoytyq/48U8C:eys3HvZe5mUrA8dC
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family

Executes dropped EXE 2 IoCs
pid   Process
2216  dql6294.exe
5060  nFw92ih.exe
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: dql6294.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dql6294.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nFw92ih.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  5060  nFw92ih.exe

Suspicious use of WriteProcessMemory 6 IoCs
description                         pid   Process                                                                   procid_target
PID 4296 wrote to memory of 2216    4296  4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe  85
PID 4296 wrote to memory of 2216    4296  4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe  85
PID 4296 wrote to memory of 2216    4296  4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe  85
PID 2216 wrote to memory of 5060    2216  dql6294.exe                                                               86
PID 2216 wrote to memory of 5060    2216  dql6294.exe                                                               86
PID 2216 wrote to memory of 5060    2216  dql6294.exe                                                               86
Processes
1. C:\Users\Admin\AppData\Local\Temp\4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4f029e86dabb0f9f9f0c6b93335f05b3aa3b3f204eee24a507dc80791bda834d.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4296
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dql6294.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dql6294.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2216
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFw92ih.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFw92ih.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 5060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 436KB
MD5: 32317a127c91358e1dc3bdbd8c902e4e
SHA1: 5301379c92e223cb3befacc2959c45369b78130a
SHA256: 11f7532b3ca21ff79162ed7e4fc7808d605c0daca680ab6146944444642b2bc6
SHA512: 5ebb1a5d42b55b8f0bef02d74854b38fed2ecd66c621f102e7c0077a409ae280a612108a72f22c56d67e8b276a6a74cd5513499fd8f9aef8e7796ea03114bd50

Filesize: 298KB
MD5: fa1c5e70215cff72c05c8b7af6e6ba60
SHA1: 29e5df3cf63b1e08ad816acae96a51e1ac1c093f
SHA256: d5251f3ce3262ff8d883168414b81ac32d5ea48b3850400107229a6476d615f7
SHA512: 8b314048f50fc8e787ed1b59b94d19c455d4d62c1ed98f0cac25f590320caf2f3fa7b0126ceaa140f909ab8a254ff0cdccb685a89a1dea94e391a7f93b14a126