Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 21:09
Static task
static1
Behavioral task
behavioral1
Sample
b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe
Resource
win10v2004-20241007-en
General
-
Target
b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe
-
Size
582KB
-
MD5
7b8fce326e96d032a015999431fcf3e0
-
SHA1
44c21222010ac6ab31ce5854d715e2c4ed2a9099
-
SHA256
b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1
-
SHA512
8f4da2017c6c30b6b0546b3971f76a3acc360532a096bdc3f829d7de3573c7fe4cb57f97e0142214deba5ac875c7ed71262b7c85b05f21761a026bfb8d8b1ece
-
SSDEEP
12288:QsLi9pW/d6CU9XVo8dY9o67hNmeKbu163q:QGiEd6CU9Fo8d67hNmeKa43q
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/2532-2154-0x00000000024A0000-0x00000000024D2000-memory.dmp family_redline behavioral1/files/0x000700000001211a-2157.dat family_redline behavioral1/memory/9828-2162-0x0000000000AD0000-0x0000000000AFE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
pid Process 9828 1.exe -
Loads dropped DLL 1 IoCs
pid Process 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2532 wrote to memory of 9828 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe 30 PID 2532 wrote to memory of 9828 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe 30 PID 2532 wrote to memory of 9828 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe 30 PID 2532 wrote to memory of 9828 2532 b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe"C:\Users\Admin\AppData\Local\Temp\b10ece623d591d237c2775b4ff73003076f6a9fc729f3a57f832bf938620f4d1N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9828
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf