Analysis
max time kernel: 131s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 20:59
Static task: static1
Behavioral task: behavioral1
Sample: cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe
Resource: win10v2004-20241007-en
General
Target: cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe
Size: 479KB
MD5: 35d90b455be565327198e14d2717ae44
SHA1: c16de86fb5364615ea874319882b2aa3642bac17
SHA256: cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947
SHA512: 989e7e8b4d6d9166ef4e5d7e23e4ab973e48aeca5b199baa44d2a5e5107196e13213582a690c043ce8a750a19375443fac7fbe24a488a4ad2fb2a90f4a9c8057
SSDEEP: 12288:ZMrJy90eLXOANRQfjDroGtTJmZ/j9JkNjfqoug:Iy5LXxRQfjfoeY/j961fNug
Malware Config
Extracted family: redline
Botnet/build tag: diwer
C2: 217.196.96.101:4132
auth_value: 42abfa9e4f2e290c8bdbc776fd9bb6ad
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource: behavioral1/files/0x0009000000023bd8-12.dat, yara_rule: family_redline
resource: behavioral1/memory/1096-15-0x0000000000540000-0x0000000000570000-memory.dmp, yara_rule: family_redline
The memory hit is in PID 1096, which the process list below identifies as g8769582.exe, the last stage of the chain; the file hit is the dropped payload on disk.
Redline family
Executes dropped EXE (2 IoCs)
PID 2584: x9469568.exe
PID 1096: g8769582.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" (process: cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" (process: x9469568.exe)
Both values are the standard cleanup entries written by the Windows self-extractor (wextract, the stub used by IExpress-style packages): RunOnce\wextract_cleanupN calls advpack.dll,DelNodeRunDLL32 to delete the IXP00N.TMP extraction directory at the next logon. They show that the sample is a two-layer self-extracting dropper whose stages unpack into %TEMP%\IXP000.TMP and %TEMP%\IXP001.TMP; they do not persist the RedLine payload itself, so the signature name overstates what these keys do.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: g8769582.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: x9469568.exe)
All three stages read this key. Many benign programs open it as well, so on its own it is a weak indicator; it is the combination with the dropped executables and the RedLine YARA hits that matters.
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2236 (cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe) wrote to memory of PID 2584, procid_target 83 (3 events)
PID 2584 (x9469568.exe) wrote to memory of PID 1096, procid_target 84 (3 events)
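As an added worked example (not part of this sandbox report or its tooling), the following Python reconstructs the drop chain from the report's own signature lines: it collapses the repeated WriteProcessMemory events into parent/child edges, names the child PIDs from the "Executes dropped EXE" table, and recognises the RunOnce wextract_cleanup values as the self-extractor's deletion of its IXP00N.TMP staging directory. The event strings are copied from this report in the flattened form it lists them; the regexes, the function names and the assumption that other reports use the same line layout are the example's own.

```python
import re

# Event strings constructed from this report's signature tables, in the flattened
# form the report lists them; the parsing below assumes exactly that form.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x9469568.exe',
]
WPM_EVENTS = [
    'PID 2236 wrote to memory of 2584 2236 cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe 83',
] * 3 + [
    'PID 2584 wrote to memory of 1096 2584 x9469568.exe 84',
] * 3
DROPPED_EXES = {2584: 'x9469568.exe', 1096: 'g8769582.exe'}   # "Executes dropped EXE" table

RUN_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+(.+)$', re.IGNORECASE)
STAGING_RE = re.compile(r'\\Temp\\IXP\d{3}\.TMP$', re.IGNORECASE)
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def parse_run_key(line):
    """Split a flattened 'Set value (str)' event into key name, value and writing process."""
    m = RUN_RE.match(line)
    if not m:
        return None
    key, value, process = m.groups()
    return {'name': key.rsplit('\\', 1)[-1], 'value': value, 'process': process}


def wextract_staging_dir(value):
    r"""Return the directory a wextract cleanup RunOnce value deletes, or None.

    The Windows self-extractor registers RunOnce\wextract_cleanupN =
    rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" so that the IXP00N.TMP
    extraction directory is removed at next logon. The value cleans up the
    staging directory; it does not persist the payload.
    """
    m = CLEANUP_RE.search(value)
    if not m:
        return None
    # The report escapes the value JSON-style: drop the \" quoting and un-double backslashes.
    return m.group(1).strip().strip('\\"').replace('\\\\', '\\')


def is_wextract_staging(path):
    r"""True when the directory follows the %TEMP%\IXPnnn.TMP pattern wextract uses."""
    return bool(path) and STAGING_RE.search(path) is not None


def parent_child_edges(lines):
    """Collapse repeated WriteProcessMemory events to one (parent_pid, child_pid) -> parent image."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            src, dst, image, _procid_target = m.groups()
            edges.setdefault((int(src), int(dst)), image)
    return edges


def reconstruct_chain(wpm_lines, run_key_lines, dropped):
    """Return the ordered drop chain and the staging directory each stage unpacked into."""
    edges = parent_child_edges(wpm_lines)
    names = dict(dropped)
    for (src, _dst), image in edges.items():
        names[src] = image
    children = {dst for _src, dst in edges}
    roots = [src for src, _dst in edges if src not in children]
    chain, seen = [], set()
    pid = roots[0] if roots else None
    while pid is not None and pid not in seen:      # seen-set guards against cyclic input
        seen.add(pid)
        chain.append(names.get(pid, str(pid)))
        nxt = [dst for src, dst in edges if src == pid]
        pid = nxt[0] if nxt else None
    staging = {}
    for line in run_key_lines:
        event = parse_run_key(line)
        if event is None:
            continue
        path = wextract_staging_dir(event['value'])
        if is_wextract_staging(path):
            staging[event['process']] = path
    return {'chain': chain, 'staging_dirs': staging}


if __name__ == '__main__':
    result = reconstruct_chain(WPM_EVENTS, RUN_KEY_EVENTS, DROPPED_EXES)
    print(' -> '.join(result['chain']))
    for process, path in result['staging_dirs'].items():
        print(f'{process} unpacked into {path}')
```

Running it prints the three-stage chain and the two IXP directories. The same two checks transfer to host telemetry: a RunOnce value that invokes advpack.dll,DelNodeRunDLL32 against a %TEMP%\IXPnnn.TMP directory marks a wextract package being run, which legitimate installers also do, so treat it as a staging indicator to pivot on rather than a verdict by itself.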
Processes
C:\Users\Admin\AppData\Local\Temp\cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe (PID 2236)
  command line: "C:\Users\Admin\AppData\Local\Temp\cb21e9fa45cc2b7b6fff1878f0c1a124001bab35057f564daa44f04a86b71947.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9469568.exe (PID 2584, child of 2236)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9469568.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8769582.exe (PID 1096, child of 2584)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8769582.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 307KB
MD5: e5dd2b549d80f4f4f425a083a38f7d27
SHA1: 1db0e0ce073e4479f25166687decd2dff26990f4
SHA256: 12cf495a16f76d6f3d55195450475f2ab2dd21efdff1973786da5865f07afea1
SHA512: fb6a8ec48aade66b5fbd64ae1923447fc4cb517a60c9e9a6ff004e792a6d05f536bb0ae40fbde61bd25aea0034ccd374d49dcdbbf6370a383a5b97e2acf6e85e
File 2
Filesize: 168KB
MD5: a754cfca027b30df6426c5bab4edf407
SHA1: 7c8c3309560b7fecfdaa276b3651fc033b3cde35
SHA256: 9f3653c1de23d9f0ea4b61e4822e13dc3272f2d1b3a83292fbfec1e3ece77d81
SHA512: a5761d0614ef1b06c4b45a43b090d11e346604b119ce200c4d83aacdee4ea15863fabec4ed65a0f880b26a3b4c50640f89b59081b98cc9b2f62d005759101a48