Analysis
max time kernel: 131s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:58
Static task: static1
Behavioral task: behavioral1
Sample: 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
Resource: win10v2004-20241007-en
General
Target: 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
Size: 844KB
MD5: 7c3083066cb1e57ec9095cd9bbde40e8
SHA1: 7d208b9def0ac84fef25acf6175ea227259cdd0e
SHA256: 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304
SHA512: da724b541c9b34ac9a3ffd4b93dc47e4fb8437a620c09439c186cd24b3fb1977eda64c7f3c6828c124dfb7ef6ecb8b60dfc98302a3d1d530d41a9ab8727c65a0
SSDEEP: 12288:8y90mFczYkESSLRsZtRNqAqg78qOOPRL/ubyOEAsxu0ibt54eU5ccDSN:8ykEyMO8AHOgN2byOEabtqeU5kN
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023c77-12.dat | family_redline
behavioral1/memory/2964-15-0x00000000005A0000-0x00000000005D0000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid | Process
1668 | i01775930.exe
2964 | a44515302.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i01775930.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i01775930.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a44515302.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4904 wrote to memory of 1668 | 4904 | 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe | 83
PID 4904 wrote to memory of 1668 | 4904 | 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe | 83
PID 4904 wrote to memory of 1668 | 4904 | 2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe | 83
PID 1668 wrote to memory of 2964 | 1668 | i01775930.exe | 84
PID 1668 wrote to memory of 2964 | 1668 | i01775930.exe | 84
PID 1668 wrote to memory of 2964 | 1668 | i01775930.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4904

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01775930.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01775930.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1668

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a44515302.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a44515302.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 371KB
MD5: 9d2532b1549e63da09d929f6190cae3e
SHA1: abd26bb9d8cdf96accae9d8f4248220b6718dc99
SHA256: 6f4240bf7de5bdd09d5171c0b8fe99e473e9e84ad06e7f6e03eaad1229eb0755
SHA512: ce67ad2010d2d425d1676dc9ad00225264633273f98b8336be307a984279eeee6f85fbec8b90b4e223179f167b9ed4598e69cdbcf63a5f35d0c26712d210dd1f

Filesize: 169KB
MD5: 4f30d45c4f13c8373a973a05149bdd88
SHA1: 0c01217a32d9f57da818a844eb16cb9a6653d0ff
SHA256: 0d12faa677cb5cf0a9dfd6e713664f0a5dcfd88c4fd813724288e860ffb69f0d
SHA512: c855b212fe29c8b091672b783fe20ed8841eafc7577e89b6d543db61d3c08c5587fdc487033f113b3ace270d8325eb10c7f3cbac9f8b4aef660b632b69185c07