Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 20:58

General

  • Target

    2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe

  • Size

    844KB

  • MD5

    7c3083066cb1e57ec9095cd9bbde40e8

  • SHA1

    7d208b9def0ac84fef25acf6175ea227259cdd0e

  • SHA256

    2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304

  • SHA512

    da724b541c9b34ac9a3ffd4b93dc47e4fb8437a620c09439c186cd24b3fb1977eda64c7f3c6828c124dfb7ef6ecb8b60dfc98302a3d1d530d41a9ab8727c65a0

  • SSDEEP

    12288:8y90mFczYkESSLRsZtRNqAqg78qOOPRL/ubyOEAsxu0ibt54eU5ccDSN:8ykEyMO8AHOgN2byOEabtqeU5kN

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes
  • auth_value

    7da4dfa153f2919e617aa016f7c36008

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
    "C:\Users\Admin\AppData\Local\Temp\2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01775930.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01775930.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a44515302.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a44515302.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2964

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01775930.exe

          Filesize

          371KB

          MD5

          9d2532b1549e63da09d929f6190cae3e

          SHA1

          abd26bb9d8cdf96accae9d8f4248220b6718dc99

          SHA256

          6f4240bf7de5bdd09d5171c0b8fe99e473e9e84ad06e7f6e03eaad1229eb0755

          SHA512

          ce67ad2010d2d425d1676dc9ad00225264633273f98b8336be307a984279eeee6f85fbec8b90b4e223179f167b9ed4598e69cdbcf63a5f35d0c26712d210dd1f

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a44515302.exe

          Filesize

          169KB

          MD5

          4f30d45c4f13c8373a973a05149bdd88

          SHA1

          0c01217a32d9f57da818a844eb16cb9a6653d0ff

          SHA256

          0d12faa677cb5cf0a9dfd6e713664f0a5dcfd88c4fd813724288e860ffb69f0d

          SHA512

          c855b212fe29c8b091672b783fe20ed8841eafc7577e89b6d543db61d3c08c5587fdc487033f113b3ace270d8325eb10c7f3cbac9f8b4aef660b632b69185c07

        • memory/2964-14-0x000000007408E000-0x000000007408F000-memory.dmp

          Filesize

          4KB

        • memory/2964-15-0x00000000005A0000-0x00000000005D0000-memory.dmp

          Filesize

          192KB

        • memory/2964-16-0x00000000026C0000-0x00000000026C6000-memory.dmp

          Filesize

          24KB

        • memory/2964-17-0x0000000005540000-0x0000000005B58000-memory.dmp

          Filesize

          6.1MB

        • memory/2964-18-0x0000000005030000-0x000000000513A000-memory.dmp

          Filesize

          1.0MB

        • memory/2964-19-0x0000000004F20000-0x0000000004F32000-memory.dmp

          Filesize

          72KB

        • memory/2964-21-0x0000000074080000-0x0000000074830000-memory.dmp

          Filesize

          7.7MB

        • memory/2964-20-0x0000000004F80000-0x0000000004FBC000-memory.dmp

          Filesize

          240KB

        • memory/2964-22-0x0000000004FD0000-0x000000000501C000-memory.dmp

          Filesize

          304KB

        • memory/2964-23-0x000000007408E000-0x000000007408F000-memory.dmp

          Filesize

          4KB

        • memory/2964-24-0x0000000074080000-0x0000000074830000-memory.dmp

          Filesize

          7.7MB