Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:59

General

  • Target

    cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe

  • Size

    479KB

  • MD5

    35d90b455be565327198e14d2717ae44

  • SHA1

    c16de86fb5364615ea874319882b2aa3642bac17

  • SHA256

    cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947

  • SHA512

    989e7e8b4d6d9166ef4e5d7e23e4ab973e48aeca5b199baa44d2a5e5107196e13213582a690c043ce8a750a19375443fac7fbe24a488a4ad2fb2a90f4a9c8057

  • SSDEEP

    12288:ZMrJy90eLXOANRQfjDroGtTJmZ/j9JkNjfqoug:Iy5LXxRQfjfoeY/j961fNug

Malware Config

Extracted

Family

redline

Botnet

diwer

C2

217.196.96.101:4132

Attributes
  • auth_value

    42abfa9e4f2e290c8bdbc776fd9bb6ad

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe
    "C:\Users\Admin\AppData\Local\Temp\cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9469568.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9469568.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8769582.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8769582.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1096

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9469568.exe

          Filesize

          307KB

          MD5

          e5dd2b549d80f4f4f425a083a38f7d27

          SHA1

          1db0e0ce073e4479f25166687decd2dff26990f4

          SHA256

          12cf495a16f76d6f3d55195450475f2ab2dd21efdff1973786da5865f07afea1

          SHA512

          fb6a8ec48aade66b5fbd64ae1923447fc4cb517a60c9e9a6ff004e792a6d05f536bb0ae40fbde61bd25aea0034ccd374d49dcdbbf6370a383a5b97e2acf6e85e

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8769582.exe

          Filesize

          168KB

          MD5

          a754cfca027b30df6426c5bab4edf407

          SHA1

          7c8c3309560b7fecfdaa276b3651fc033b3cde35

          SHA256

          9f3653c1de23d9f0ea4b61e4822e13dc3272f2d1b3a83292fbfec1e3ece77d81

          SHA512

          a5761d0614ef1b06c4b45a43b090d11e346604b119ce200c4d83aacdee4ea15863fabec4ed65a0f880b26a3b4c50640f89b59081b98cc9b2f62d005759101a48

        • memory/1096-14-0x0000000073D8E000-0x0000000073D8F000-memory.dmp

          Filesize

          4KB

        • memory/1096-15-0x0000000000540000-0x0000000000570000-memory.dmp

          Filesize

          192KB

        • memory/1096-16-0x0000000002840000-0x0000000002846000-memory.dmp

          Filesize

          24KB

        • memory/1096-17-0x000000000A830000-0x000000000AE48000-memory.dmp

          Filesize

          6.1MB

        • memory/1096-18-0x000000000A3B0000-0x000000000A4BA000-memory.dmp

          Filesize

          1.0MB

        • memory/1096-19-0x000000000A2E0000-0x000000000A2F2000-memory.dmp

          Filesize

          72KB

        • memory/1096-20-0x0000000073D80000-0x0000000074530000-memory.dmp

          Filesize

          7.7MB

        • memory/1096-21-0x000000000A340000-0x000000000A37C000-memory.dmp

          Filesize

          240KB

        • memory/1096-22-0x0000000004890000-0x00000000048DC000-memory.dmp

          Filesize

          304KB

        • memory/1096-23-0x0000000073D8E000-0x0000000073D8F000-memory.dmp

          Filesize

          4KB

        • memory/1096-24-0x0000000073D80000-0x0000000074530000-memory.dmp

          Filesize

          7.7MB