Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:17
Static task: static1
Behavioral task: behavioral1
Sample: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe
Resource: win10v2004-20241007-en
General
Target: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe
Size: 1015KB
MD5: 0474cefe821eaa7c98ca36028b4698b1
SHA1: 09c71e7bb7d3e420649970b477cf908989281aa8
SHA256: 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923
SHA512: 472dd8564925866535f6a8d5b5d2d7f2e38379112fd56aeaa114663190b7b2db0c7c8075fc4f8d4dd19fd8037500c3ccbeebeadf41f18ec519e2a4924f85d5a0
SSDEEP: 24576:CyntmEEIdvvRmeZrOTzVVs9HV6reK3mSk/RS2Esd5j:ptiI1pmeUVs6aYiJtEW
Malware Config
Extracted: redline
most
185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b81-19.dat | family_redline
behavioral1/memory/4284-21-0x0000000000740000-0x0000000000770000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
4840 | i19703148.exe
4012 | i55206354.exe
4284 | a17825952.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i19703148.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i55206354.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i19703148.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i55206354.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a17825952.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 4840 | 2420 | 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | 83
PID 2420 wrote to memory of 4840 | 2420 | 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | 83
PID 2420 wrote to memory of 4840 | 2420 | 38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe | 83
PID 4840 wrote to memory of 4012 | 4840 | i19703148.exe | 84
PID 4840 wrote to memory of 4012 | 4840 | i19703148.exe | 84
PID 4840 wrote to memory of 4012 | 4840 | i19703148.exe | 84
PID 4012 wrote to memory of 4284 | 4012 | i55206354.exe | 85
PID 4012 wrote to memory of 4284 | 4012 | i55206354.exe | 85
PID 4012 wrote to memory of 4284 | 4012 | i55206354.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\38b2f087885ad02ba55a3635b06fbc8d7368a997f63ec10d96ea3e1c01481923.exe"
  PID: 2420
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i19703148.exe
    PID: 4840
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55206354.exe
      PID: 4012
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a17825952.exe
        PID: 4284
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 843KB
MD5: 282f2a5eb18dce9ba508f0bb62e53d8c
SHA1: 5ce9da3d71af2b74c49447de61e26d951b43720d
SHA256: 8044726d78b8d4acaa7fd0dd819472076c2f605d81f8502a5747b6d08174790f
SHA512: 83bdc61b2cde4701a25e27f656549d782ae28b085e1801833a5a373f3f5d85b0d3f4dce732114960d4e2d6a4e15e964946edabbc765bc72f0703385e0c11e804

Filesize: 371KB
MD5: 5549989438ee6c704a23a7a637178750
SHA1: f1efbe87eed0cd040541491811c8a6142ef9e4ec
SHA256: c62c223e1d2cae23de64ebf545fc091c7fac3b1bb4aae9473645dc566f379812
SHA512: f1eabc7457b0773b22d745c401db2b67d4430590433778896b5bbcbcc7c4b08d174e7599a25585f710b1aafd68a00a4756ff604e16d6af4644c135725b06a2e9

Filesize: 169KB
MD5: 3835fb0e49c8bd776b55f96534aa9bb9
SHA1: 63118ed0b06d166440837cebacf528dc9c325816
SHA256: 302cb0e099bb50eedf0cad27654917c7311a4662e52888f54116ca2ce008f579
SHA512: da4411146bf120646348a5ca965ecea68f2ecc2cc5bcb67a61919e88e22bc1bdb2d761a6e06104e0e345d7100eb5c4c0d1641d292c7c21df59f083df5b7a359b