Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 20:55

General

  • Target

    1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe

  • Size

    770KB

  • MD5

    33669a058324558e3404c9fbaaac25ba

  • SHA1

    6ee052ffe69b025ee1911d417e4b2830b57022ea

  • SHA256

    1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016

  • SHA512

    339eb3bbcde7b6beff394cc086428e151473c06ba5d900f490b40dba4ed745092cbf982373a8d9dece3867383a24a88ecf759125630ed27674a776c9a08128cf

  • SSDEEP

    12288:SMrty90CwtSFbVPKgSPMa/QLJd/fxXQB9opp2UcVGbarCt3Pab30cqyWRHFVSKD:/yWtk9S0FnZABVhVDkPG0caRlVLD

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes
  • auth_value

    18c2c191aebfde5d1787ec8d805a01a8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe
    "C:\Users\Admin\AppData\Local\Temp\1f3bc673c477297af0b2363af1662f68c8dc9923b2e2876a9a9729bf27a32016.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1960

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0808175.exe

          Filesize

          488KB

          MD5

          da50fde284558cbe419670c53aa60f8c

          SHA1

          6da56df05c9df1e23fa8719065ab892686c6479c

          SHA256

          d6d3e0992009881476610222f4ba7656745c83ebdaf40d3f7b5ee17e72d2cd7b

          SHA512

          b850e054457b7c04041336aaf34ecd369984d3f8fccb76f0a615c6d39567f3ffcfef16d94ba0f8c7f11be29f2d06611688cc40aa6ee58c310ab67fe1b69f5098

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4649219.exe

          Filesize

          316KB

          MD5

          d75a68e15a7eedab42754de0502c7619

          SHA1

          ad9e8bf0251500696926ca836585b8567f48c29e

          SHA256

          03c4a6ac507b203cd3a509c0eb36cd281153d8fd22472f94e9db7995ca8c31ad

          SHA512

          7ee1d57961d3f805cc2f32633511e35e725ea75b4c4175a96bbfb085dc7bc1857846744705f0db361a9d073d0dd7544e41d571b86885893a0adb8210e0100127

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3031760.exe

          Filesize

          168KB

          MD5

          21921b55690c5c16247fe806df039732

          SHA1

          3c8a00d69d7f460413cbaf99156893481fc66329

          SHA256

          910ece74bdb35bc0f4a0ab2b1716b1d3ffa42192b0cab65d8e5c5e7a102f0bb0

          SHA512

          86f560f879791688888b28072ffd7ddb59d78808c26e6b2b6473f3c122801597c43d78e3aeca89daff8c1e7d067559f5a8ecaddc7b903a73cd7ce912400c8f1a

        • memory/1960-21-0x0000000000160000-0x000000000018E000-memory.dmp

          Filesize

          184KB

        • memory/1960-22-0x0000000006E10000-0x0000000006E16000-memory.dmp

          Filesize

          24KB

        • memory/1960-23-0x000000000A590000-0x000000000ABA8000-memory.dmp

          Filesize

          6.1MB

        • memory/1960-24-0x000000000A110000-0x000000000A21A000-memory.dmp

          Filesize

          1.0MB

        • memory/1960-25-0x000000000A040000-0x000000000A052000-memory.dmp

          Filesize

          72KB

        • memory/1960-26-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

          Filesize

          240KB

        • memory/1960-27-0x0000000004460000-0x00000000044AC000-memory.dmp

          Filesize

          304KB