Analysis

max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:35

Static task: static1
Behavioral task: behavioral1
Sample: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
Resource: win10v2004-20241007-en
General

Target: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
Size: 583KB
MD5: 2ff597a7d357b503415e4e109ea8acb5
SHA1: 2b3a11c68021aa35f6632e40f4e4371890f6e82a
SHA256: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90
SHA512: b2333d81e9ab85854548d2623e4a67ad1b309c691b9c68193a319e9d55cc4e99dd3404ed023621ad646b40a9931da189c7f32ac4a41d2c75360ce6e0cf2212bd
SSDEEP: 12288:yMr8y90MnJLaFesl6kN3NlOx09nXshwJYI1h/1uTCb9WPw:ey1hlsl6qua9XsuJ31h/AucY
Malware Config

Extracted
family: redline
botnet: ronam
C2: 193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
All 35 hits are memory dumps of PID 3608 (eKK34sA.exe), covering three distinct regions: 0x4CA0000-0x4CE6000 (dump 19), 0x5310000-0x5354000 (dump 21) and 0x5310000-0x534E000 (the remaining 33 dumps). Repeated dumps of the same region are one payload mapping sampled over time, not 33 separate payloads.

resource                                                                      yara_rule
behavioral1/memory/3608-19-0x0000000004CA0000-0x0000000004CE6000-memory.dmp   family_redline
behavioral1/memory/3608-21-0x0000000005310000-0x0000000005354000-memory.dmp   family_redline
behavioral1/memory/3608-73-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-85-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-83-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-81-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-79-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-77-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-75-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-71-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-69-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-67-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-65-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-63-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-61-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-59-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-57-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-53-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-51-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-49-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-47-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-45-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-43-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-41-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-39-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-37-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-35-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-33-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-31-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-29-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-27-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-25-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-23-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-22-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline
behavioral1/memory/3608-55-0x0000000005310000-0x000000000534E000-memory.dmp   family_redline

Redline family
Executes dropped EXE 2 IoCs
pid    Process
4120   nHK59mG47.exe
3608   eKK34sA.exe
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: nHK59mG47.exe

Caveat: wextract_cleanupN values under RunOnce are written by the Windows IExpress/WExtract self-extractor, not by the stealer. rundll32 advpack.dll,DelNodeRunDLL32 only deletes the extraction directory (IXP000.TMP, then IXP001.TMP) at the next logon. What they show is that the sample is an IExpress package whose first stage (nHK59mG47.exe) is itself an IExpress package, and that both extraction directories will be gone after a reboot, so the dropped stages should be collected from the sandbox before then. They are not persistence for eKK34sA.exe; this report records no autorun entry for the stealer itself.
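Because the sandbox raises the same "Adds Run key" signature for both genuine autoruns and the self-extractor's cleanup entries, it helps to separate them mechanically. The following is an added example, not code from the sandbox or from the report: it parses entries in the report's "Set value (str) <key> = "<data>"" form, undoes the report's escaping, and classifies a RunOnce value as IExpress cleanup only when the value name is wextract_cleanupN and the command is rundll32 advpack.dll,DelNodeRunDLL32 pointing at an extraction directory. The first two sample lines are the two values from this report; the third line (a Run value named Updater) is constructed here purely to show what a real persistence entry looks like next to them.

```python
import re

# Constructed sample in the report's "Set value (str) <key> = "<data>"" form. The first two
# lines are the RunOnce values from this report; the third is a hypothetical Run value
# invented for this example to show a genuine persistence entry beside the cleanup ones.
SAMPLE_AUTORUNS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc\\update.exe"
'''

LINE_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)"\s*$')

# IExpress/WExtract cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?([^"]+?)\\?"?\s*$', re.I)


def unescape(data):
    """Undo the report's C-style escaping: \\\\ -> \\ and \\" -> " in the value data."""
    return re.sub(r'\\(.)', r'\1', data)


def classify_autoruns(text):
    """Parse every Set value line into a dict and tag it 'iexpress_cleanup' or 'autorun'."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, data = m.groups()
        key_path, value_name = key.rsplit("\\", 1)
        command = unescape(data)
        entry = {"key": key_path, "value_name": value_name, "command": command,
                 "kind": "autorun", "temp_dir": None}
        c = CLEANUP_RE.match(command)
        if (c and re.fullmatch(r"wextract_cleanup\d+", value_name, re.I)
                and key_path.lower().endswith("\\runonce")):
            entry["kind"] = "iexpress_cleanup"
            entry["temp_dir"] = c.group(1).rstrip("\\")
        entries.append(entry)
    return entries


def persistence_candidates(entries):
    """Entries that still need a human look: everything not recognised as cleanup."""
    return [e for e in entries if e["kind"] == "autorun"]


def staging_dirs(entries):
    """Extraction directories scheduled for deletion at next logon; collect their
    contents (the dropped stages) from the sandbox before a reboot removes them."""
    return [e["temp_dir"] for e in entries if e["kind"] == "iexpress_cleanup"]


if __name__ == "__main__":
    parsed = classify_autoruns(SAMPLE_AUTORUNS)
    for e in parsed:
        print(e["kind"], e["value_name"], e["temp_dir"] or e["command"])
    print("persistence candidates:", [e["value_name"] for e in persistence_candidates(parsed)])
```

The classification deliberately requires all three conditions (RunOnce key, wextract_cleanupN name, DelNodeRunDLL32 command) before an entry is discounted, so an attacker who reuses the value name but points it at their own binary still lands in persistence_candidates.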
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    nHK59mG47.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    eKK34sA.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   3608   eKK34sA.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid    Process                                                                 procid_target
PID 4052 wrote to memory of 4120   4052   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   83
PID 4052 wrote to memory of 4120   4052   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   83
PID 4052 wrote to memory of 4120   4052   9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe   83
PID 4120 wrote to memory of 3608   4120   nHK59mG47.exe                                                           84
PID 4120 wrote to memory of 3608   4120   nHK59mG47.exe                                                           84
PID 4120 wrote to memory of 3608   4120   nHK59mG47.exe                                                           84

Each parent writes only to the child it has just launched, three times per child, which is the pattern ordinary process creation produces in this sandbox; nothing here points to injection into a pre-existing process. Together with the yara hits, all of which are in PID 3608's own memory, this indicates the stealer runs as eKK34sA.exe itself rather than being injected elsewhere.
Processes

1  C:\Users\Admin\AppData\Local\Temp\9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe"
   PID: 4052
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHK59mG47.exe (spawned by PID 4052)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nHK59mG47.exe
      PID: 4120
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eKK34sA.exe (spawned by PID 4120)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eKK34sA.exe
         PID: 3608
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
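The memory-dump hits under "RedLine payload", the "wrote to memory of" records and the process tree above are the three pieces a triage script needs to answer where the payload actually lives. The following is an added example, not code from the sandbox or from this report: it parses lines in the report's own formats into structured records, collapses the repeated dumps into distinct regions, rebuilds the parent-to-child chain from the WriteProcessMemory records, and checks that every write target is a process the sample itself spawned. The embedded input is a constructed excerpt copied from this page (four of the 35 dump hits and all six write records); DROPPED_EXE_PIDS is the pid list from the "Executes dropped EXE" signature.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's signature lines, copied from the page: four of the
# 35 "RedLine payload" memory-dump hits and the six "wrote to memory of" records.
MEMORY_HITS = """
behavioral1/memory/3608-19-0x0000000004CA0000-0x0000000004CE6000-memory.dmp family_redline
behavioral1/memory/3608-21-0x0000000005310000-0x0000000005354000-memory.dmp family_redline
behavioral1/memory/3608-73-0x0000000005310000-0x000000000534E000-memory.dmp family_redline
behavioral1/memory/3608-22-0x0000000005310000-0x000000000534E000-memory.dmp family_redline
"""

PROCESS_WRITES = """
PID 4052 wrote to memory of 4120 4052 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe 83
PID 4052 wrote to memory of 4120 4052 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe 83
PID 4052 wrote to memory of 4120 4052 9da8581dbafbb0379a7d3a0973bd2032ebe454403328ea685bfbf3e10aad5f90.exe 83
PID 4120 wrote to memory of 3608 4120 nHK59mG47.exe 84
PID 4120 wrote to memory of 3608 4120 nHK59mG47.exe 84
PID 4120 wrote to memory of 3608 4120 nHK59mG47.exe 84
"""

# PIDs listed by the report's "Executes dropped EXE" signature.
DROPPED_EXE_PIDS = {4120, 3608}

HIT_RE = re.compile(
    r"behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_memory_hits(text):
    """One (pid, dump_index, start, end, rule) tuple per memory-dump yara hit."""
    return [(int(p), int(i), int(s, 16), int(e, 16), r)
            for p, i, s, e, r in HIT_RE.findall(text)]


def summarize_regions(hits):
    """Collapse per-dump hits into distinct (pid, rule, start, end) regions with a count;
    the same region dumped repeatedly is one payload mapping sampled over time."""
    regions = defaultdict(int)
    for pid, _idx, start, end, rule in hits:
        regions[(pid, rule, start, end)] += 1
    return dict(regions)


def parse_process_writes(text):
    """De-duplicated parent->child write edges: {(parent_pid, child_pid, parent_image): count}."""
    counts = defaultdict(int)
    for parent, child, image, _target in WRITE_RE.findall(text):
        counts[(int(parent), int(child), image)] += 1
    return dict(counts)


def build_chain(edges, root):
    """Depth-first PID order starting at root, following the parent->child write edges."""
    children = defaultdict(list)
    for parent, child, _image in edges:
        children[parent].append(child)
    order, stack = [], [root]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(sorted(children[pid], reverse=True))
    return order


def cross_process_writes(edges, spawned):
    """Write targets that are not processes the sample spawned itself. A non-empty result
    would point at injection into a pre-existing process rather than plain process creation."""
    return sorted({child for _parent, child, _image in edges if child not in spawned})


def flagged_pids(hits):
    """PIDs whose memory matched the family rule, i.e. where the payload is resident."""
    return sorted({hit[0] for hit in hits})


if __name__ == "__main__":
    hits = parse_memory_hits(MEMORY_HITS)
    edges = parse_process_writes(PROCESS_WRITES)
    for (pid, rule, start, end), n in summarize_regions(hits).items():
        print(f"pid {pid} {rule} 0x{start:X}-0x{end:X} ({n} dumps)")
    print("chain:", build_chain(edges, 4052))
    print("payload pids:", flagged_pids(hits))
    print("writes outside spawned set:", cross_process_writes(edges, DROPPED_EXE_PIDS))
```

Run on the full 35-line table the script reduces it to the three regions noted above, and the chain 4052 -> 4120 -> 3608 ending in the only flagged PID confirms the stealer executes as the last dropped stage rather than being injected into another process.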
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 438KB
MD5: fae44dfa80d8195f0073ee1998110caf
SHA1: c897be046e693f655fe826581cb6b21b9efa75a5
SHA256: 4b938cadc8fa24e4f782cddb3b4b42fe8cba9d783d987dcbbe1f580195f75f0e
SHA512: 8ab0899c633233ae1d7041d1b960fa6ba870c34a8f181059ff4cecc644c62a743cb3cb057aea565c2193dadcd85a385e3ed24acdd221f4ea0220e333bdf1ae8d

Filesize: 298KB
MD5: 56104654a290de3b309be77f180397ad
SHA1: ff007a7bb24a41681b4209ae0b686fde0d29116f
SHA256: ae36b4154ab3e8fddbe9427ae45003752ec3d70108fa321c9fbcd987789bf3a7
SHA512: fcbf7b2b9b4c82087b667bea595d093d4f4f58e1b36ec283aeb48bd70370e5701331762b9a85613d3aae711548dc958f4b63d266f4a9e33adee625b0536e55c0