Analysis

max time kernel: 140s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:32
Static task: static1
Behavioral task: behavioral1
Sample: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
Resource: win10v2004-20241007-en
General

Target: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
Size: 583KB
MD5: 2ff597a7d357b503415e4e109ea8acb5
SHA1: 2b3a11c68021aa35f6632e40f4e4371890f6e82a
SHA256: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90
SHA512: b2333d81e9ab85854548d2623e4a67ad1b309c691b9c68193a319e9d55cc4e99dd3404ed023621ad646b40a9931da189c7f32ac4a41d2c75360ce6e0cf2212bd
SSDEEP: 12288:yMr8y90MnJLaFesl6kN3NlOx09nXshwJYI1h/1uTCb9WPw:ey1hlsl6qua9XsuJ31h/AucY
Malware Config

Extracted
Family: redline
ronam
193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
Redline family

Executes dropped EXE 2 IoCs
pid   Process
648   nHK59mG47.exe
1576  eKK34sA.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: nHK59mG47.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: nHK59mG47.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eKK34sA.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege   pid 1576   eKK34sA.exe

Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 1560 wrote to memory of 648   pid 1560   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   procid_target 83
PID 1560 wrote to memory of 648   pid 1560   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   procid_target 83
PID 1560 wrote to memory of 648   pid 1560   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   procid_target 83
PID 648 wrote to memory of 1576   pid 648   nHK59mG47.exe   procid_target 84
PID 648 wrote to memory of 1576   pid 648   nHK59mG47.exe   procid_target 84
PID 648 wrote to memory of 1576   pid 648   nHK59mG47.exe   procid_target 84
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe"
  PID: 1560
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHK59mG47.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHK59mG47.exe
    PID: 648
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eKK34sA.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eKK34sA.exe
      PID: 1576
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 438KB
MD5: fae44dfa80d8195f0073ee1998110caf
SHA1: c897be046e693f655fe826581cb6b21b9efa75a5
SHA256: 4b938cadc8fa24e4f782cddb3b4b42fe8cba9d783d987dcbbe1f580195f75f0e
SHA512: 8ab0899c633233ae1d7041d1b960fa6ba870c34a8f181059ff4cecc644c62a743cb3cb057aea565c2193dadcd85a385e3ed24acdd221f4ea0220e333bdf1ae8d

Filesize: 298KB
MD5: 56104654a290de3b309be77f180397ad
SHA1: ff007a7bb24a41681b4209ae0b686fde0d29116f
SHA256: ae36b4154ab3e8fddbe9427ae45003752ec3d70108fa321c9fbcd987789bf3a7
SHA512: fcbf7b2b9b4c82087b667bea595d093d4f4f58e1b36ec283aeb48bd70370e5701331762b9a85613d3aae711548dc958f4b63d266f4a9e33adee625b0536e55c0