Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 09/11/2024, 20:56
Static task: static1
Behavioral task: behavioral1
Sample: a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe
Resource: win10v2004-20241007-en
General

Target: a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe
Size: 580KB
MD5: bfa4e38f98c8e7b668fb1fffe9fa9f20
SHA1: 45c9a7ce8a466ddf3318fa8f05d75abd20f86a74
SHA256: a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508
SHA512: f8db9ebd09d93cedc3c06271f7ffb17ea0d878dbe34daf6005e621dfb86bb5fb2d8e58aa38fcdc6ab3389af279fe1b69b05b3829e1878232a96d1fd62bbf6b2e
SSDEEP: 12288:6Mrmy907kqJ/FXZVRrbSuWY/T9oVBLfHh/TmXx7j81:kyBqJ/n3Fbr9oVFh/qB7s
Malware Config

Extracted
Family: redline
Botnet: ronam
C2: 193.233.20.17:4139
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
resource | yara_rule
behavioral1/memory/5080-19-0x0000000002550000-0x0000000002596000-memory.dmp | family_redline
behavioral1/memory/5080-21-0x0000000002710000-0x0000000002754000-memory.dmp | family_redline
behavioral1/memory/5080-37-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-39-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-85-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-83-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-81-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-79-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-77-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-75-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-73-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-71-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-69-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-65-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-63-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-61-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-59-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-57-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-55-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-53-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-51-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-49-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-47-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-45-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-43-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-41-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-35-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-33-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-31-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-29-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-67-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-22-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-27-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-25-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline
behavioral1/memory/5080-23-0x0000000002710000-0x000000000274E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
436 | nlH11zv32.exe
5080 | ehA04NY.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nlH11zv32.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nlH11zv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ehA04NY.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 5080 | ehA04NY.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4244 wrote to memory of 436 | 4244 | a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe | 84
PID 4244 wrote to memory of 436 | 4244 | a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe | 84
PID 4244 wrote to memory of 436 | 4244 | a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe | 84
PID 436 wrote to memory of 5080 | 436 | nlH11zv32.exe | 86
PID 436 wrote to memory of 5080 | 436 | nlH11zv32.exe | 86
PID 436 wrote to memory of 5080 | 436 | nlH11zv32.exe | 86
Processes

1  C:\Users\Admin\AppData\Local\Temp\a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a18d6a041e8f7ce734b9d8510249388371d10ae70cbb302f90e60d0e98a82508.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4244

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlH11zv32.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlH11zv32.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 436

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ehA04NY.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ehA04NY.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 5080
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 435KB
MD5: d70a93d69ee72a803d17df7a586de40f
SHA1: e0c9242a472523ae0e3ffef002e53a1c38f33e51
SHA256: fa07a8313b7610b5d423a2257ef3c3da393e496f8594998cd1d34294049e4877
SHA512: 5149dba94516bc926ac1c02a23106c7c848ef5f4f9ac9a94d890a53902b4d46bd97739a7952b0c76dc1c5d9d51e5f085e2597417667dc799ec2ee91667a12f85

Filesize: 295KB
MD5: 0c1547605d82f907188fbcc47f6d12ab
SHA1: 1a1f1041be168dac7caadfc52e95ba998264cffc
SHA256: 54bb6fe69892b3621e9f576880e0a202834a621c408f9da69c04c169039dfb9e
SHA512: e62e52a2afa4a4cc4fb99b6c52b34d669c80ffa781a902866b593741b3fcb182a58d25748464e3ca192e64af31c333b17e9c430af3d1a8e946513957d8555849