Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:55
Static task: static1
Behavioral task: behavioral1
Sample: 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
Resource: win10v2004-20241007-en
General
Target: 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
Size: 770KB
MD5: 33669a058324558e3404c9fbaaac25ba
SHA1: 6ee052ffe69b025ee1911d417e4b2830b57022ea
SHA256: 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016
SHA512: 339eb3bbcde7b6beff394cc086428e151473c06ba5d900f490b40dba4ed745092cbf982373a8d9dece3867383a24a88ecf759125630ed27674a776c9a08128cf
SSDEEP: 12288:SMrty90CwtSFbVPKgSPMa/QLJd/fxXQB9opp2UcVGbarCt3Pab30cqyWRHFVSKD:/yWtk9S0FnZABVhVDkPG0caRlVLD
Malware Config
Extracted
Family: redline
Botnet: debro
C2: 185.161.248.75:4132
auth_value: 18c2c191aebfde5d1787ec8d805a01a8
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b68-19.dat | family_redline
behavioral1/memory/1960-21-0x0000000000160000-0x000000000018E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid | Process
3184 | x0808175.exe
1732 | x4649219.exe
1960 | f3031760.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Caveat: the three RunOnce values below are the self-cleanup entries that the Windows IExpress/WExtract self-extractor writes so that its IXP00n.TMP staging directory is deleted at next logon (rundll32.exe advpack.dll,DelNodeRunDLL32 <dir>). They do not relaunch the payload. Read this signature as evidence of three nested IExpress layers (IXP000.TMP, IXP001.TMP, IXP002.TMP), not as persistence of the RedLine payload; the report records no Run/RunOnce entry that starts f3031760.exe.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0808175.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x4649219.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x4649219.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3031760.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x0808175.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Each parent-to-child write below is recorded three times in the report (9 IoCs for 3 child processes); the unique events are:
description | pid | Process | procid_target
PID 3784 wrote to memory of 3184 | 3784 | 1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe | 83
PID 3184 wrote to memory of 1732 | 3184 | x0808175.exe | 84
PID 1732 wrote to memory of 1960 | 1732 | x4649219.exe | 85
Processes

1. Image: C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"
   PID: 3784
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
      PID: 3184
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
         PID: 1732
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
            PID: 1960
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
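The process tree and the wextract_cleanup RunOnce values together describe one pattern: each stage registers an IXP00n.TMP directory for cleanup and then launches the next stage from that same directory, three layers deep, until a leaf process (f3031760.exe, the one carrying the RedLine YARA hit in memory) that registers no cleanup of its own. The detection below, written for this page and not code from Hatching Triage, rebuilds that chain from endpoint telemetry and flags it when the nesting is two layers or more, since a single IExpress layer is common in legitimate installers. The event records are constructed from the report's own PIDs, image paths and registry values; their layout (type/pid/ppid/image/key/value) is an assumed simplification, not a real Sysmon or EDR schema.

```python
"""Spot a nested IExpress/WExtract self-extractor chain in endpoint telemetry.

Added example for this report; it is not Hatching/Triage code. The event
records are constructed from the report's own IoCs (PIDs, image paths and
RunOnce values); the record layout (type/pid/ppid/image/key/value) is an
assumption, not a real Sysmon or EDR schema.
"""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def _path(*parts):
    return "\\".join((TMP,) + parts)


def proc(pid, ppid, *parts):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": _path(*parts)}


def cleanup(pid, n):
    """RunOnce entry WExtract writes so its IXP00n.TMP directory is deleted at next logon."""
    value = 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "%s\\"' % _path(f"IXP{n:03d}.TMP")
    return {"type": "registry", "pid": pid, "key": f"{RUNONCE}\\wextract_cleanup{n}", "value": value}


# Constructed telemetry mirroring the report's process tree and registry IoCs.
EVENTS = [
    proc(3784, None, SAMPLE),
    cleanup(3784, 0),
    proc(3184, 3784, "IXP000.TMP", "x0808175.exe"),
    cleanup(3184, 1),
    proc(1732, 3184, "IXP001.TMP", "x4649219.exe"),
    cleanup(1732, 2),
    proc(1960, 1732, "IXP002.TMP", "f3031760.exe"),  # leaf: sets no cleanup key
]

IXP_IMAGE = re.compile(r"\\IXP(\d{3})\.TMP\\[^\\]+$", re.IGNORECASE)
CLEANUP_KEY = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
CLEANUP_VALUE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?.*?\\IXP(\d{3})\.TMP', re.IGNORECASE)


def ixp_index(image):
    """IXP directory number an image runs from, or None if it is not an extracted stage."""
    m = IXP_IMAGE.search(image)
    return int(m.group(1)) if m else None


def wextract_stages(events):
    """Map pid -> IXP index of the directory that process registered for cleanup."""
    stages = {}
    for e in events:
        if e["type"] == "registry" and CLEANUP_KEY.search(e["key"]):
            m = CLEANUP_VALUE.search(e["value"])
            if m:
                stages[e["pid"]] = int(m.group(1))
    return stages


def find_chains(events):
    """Parent->child pid chains where each parent unpacked into the IXP dir its child runs from."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        if p["ppid"] is not None:
            children[p["ppid"]].append(p["pid"])
    stages = wextract_stages(events)
    chains = []

    def walk(pid, chain):
        extended = False
        for child in children[pid]:
            if pid in stages and ixp_index(procs[child]["image"]) == stages[pid]:
                extended = True
                walk(child, chain + [child])
        if not extended and len(chain) > 1:
            chains.append(chain)

    for pid in stages:
        if procs[pid]["ppid"] not in stages:  # outermost extractor starts a chain
            walk(pid, [pid])
    return chains


def analyze(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for chain in find_chains(events):
        layers = len(chain) - 1
        findings.append({
            "chain": chain,
            "layers": layers,
            "payload": procs[chain[-1]]["image"],  # leaf process: the unpacked payload
            "severity": "high" if layers >= 2 else "info",  # one SFX layer is common in legit installers
        })
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["severity"], "->".join(map(str, f["chain"])), f["payload"])
```

On this report's events the chain resolves to 3784 -> 3184 -> 1732 -> 1960 with three layers and C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe as the leaf, which is the process whose memory region triggered the family_redline rule. The pairing of the cleanup index with the child's IXP directory is what keeps the rule from firing on an unrelated process that merely happens to run from a Temp subfolder.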
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 488KB
MD5: da50fde284558cbe419670c53aa60f8c
SHA1: 6da56df05c9df1e23fa8719065ab892686c6479c
SHA256: d6d3e0992009881476610222f4ba7656745c83ebdaf40d3f7b5ee17e72d2cd7b
SHA512: b850e054457b7c04041336aaf34ecd369984d3f8fccb76f0a615c6d39567f3ffcfef16d94ba0f8c7f11be29f2d06611688cc40aa6ee58c310ab67fe1b69f5098

Filesize: 316KB
MD5: d75a68e15a7eedab42754de0502c7619
SHA1: ad9e8bf0251500696926ca836585b8567f48c29e
SHA256: 03c4a6ac507b203cd3a509c0eb36cd281153d8fd22472f94e9db7995ca8c31ad
SHA512: 7ee1d57961d3f805cc2f32633511e35e725ea75b4c4175a96bbfb085dc7bc1857846744705f0db361a9d073d0dd7544e41d571b86885893a0adb8210e0100127

Filesize: 168KB
MD5: 21921b55690c5c16247fe806df039732
SHA1: 3c8a00d69d7f460413cbaf99156893481fc66329
SHA256: 910ece74bdb35bc0f4a0ab2b1716b1d3ffa42192b0cab65d8e5c5e7a102f0bb0
SHA512: 86f560f879791688888b28072ffd7ddb59d78808c26e6b2b6473f3c122801597c43d78e3aeca89daff8c1e7d067559f5a8ecaddc7b903a73cd7ce912400c8f1a