Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 21:03

Static task: static1

Behavioral task: behavioral1
- Sample: e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe
- Resource: win10v2004-20241007-en
General
- Target: e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe
- Size: 711KB
- MD5: b321e7f93b33486c84a909e8143339a3
- SHA1: 33fcb3c298fb9361bf98bae3465cd1868493c429
- SHA256: e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce
- SHA512: 59d15f694147ed0d35e05366d061c3fce11c4ad30fdfb9199f8af61371542747f852c8ab07c72f262a4c9d27491ed86d5647e7e18d738ef8913aa8a955a9eb4c
- SSDEEP: 12288:zMrXy90Zh5V5ssAS7j1xALQA0VTvN19n2Upcl4FT8W3kBrxilSkaAsdruQgxFKA:0y8fVxU/qTvN192ENT8xozsdruHN
Malware Config

Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b8f-12.dat | family_redline
  behavioral1/memory/2752-15-0x0000000000900000-0x0000000000928000-memory.dmp | family_redline

- Redline family

- Executes dropped EXE (2 IoCs)
  pid | Process
  3836 | x9258915.exe
  2752 | g1693579.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x9258915.exe

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x9258915.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g1693579.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4520 wrote to memory of 3836 | 4520 | e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe | 84
  PID 4520 wrote to memory of 3836 | 4520 | e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe | 84
  PID 4520 wrote to memory of 3836 | 4520 | e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe | 84
  PID 3836 wrote to memory of 2752 | 3836 | x9258915.exe | 85
  PID 3836 wrote to memory of 2752 | 3836 | x9258915.exe | 85
  PID 3836 wrote to memory of 2752 | 3836 | x9258915.exe | 85
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e37547e91f440467b82bf19381652a5a0693f4230ac5ba362fa5814fc09719ce.exe"
  PID: 4520
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9258915.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9258915.exe
    PID: 3836
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1693579.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1693579.exe
      PID: 2752
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 420KB
  MD5: 5fd6d3e6fc1c155215de0c641f83df53
  SHA1: 5a3bc3af557ac85093ebd0a9ce3f8c8549b3fff7
  SHA256: 86050d16b2d0bcf0ef79617680047f00a9161508d78c6fdebb0300bda9f632d4
  SHA512: 04d8f8da160efa3cdc763b69c62985e826134e6e98c81b58d00379ba5a9125c2b7d2e4ab3f484e13e89b25d2ba713563472255d129f52b04e270abae97bd8ecd
- Filesize: 136KB
  MD5: 3828259ae3422b138f2044bf45b783e5
  SHA1: 037f0c1666ef466d597ddeff604610dfcc878084
  SHA256: 3fb9d83488c28b3ca570c66392c85a590db4448ee78158f6cffc8bcb5add15fa
  SHA512: d8978639a2c7405c6dc5c19f946a6a8bd958f785570a12e4f3ec6f155922335a35a64a9e644a0abbacbb3331cfe989c679b48b08af5a0ed4c30ce0e613c1c755