Analysis

max time kernel: 132s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 21:58

Static task: static1
Behavioral task: behavioral1
Sample: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
Resource: win10v2004-20241007-en
General

Target: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
Size: 479KB
MD5: 6d22d7adc20db40e855f646cb686b7e6
SHA1: c0b1dbb953410c19d3787cb07bb970fa968510db
SHA256: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8
SHA512: 7a540234d66e46bbff94fce6ef48fcda0a16bc9e3b2c491e36b4e03adce7192e049ebf9c1e21bc6b8551c22f35eaecea5fca751667ff933c8e5e048d16142b18
SSDEEP: 12288:xMrey90N7xyQ/WVSV4jObrROMoz4Kv7ogqwr0m3:LyI7xyQewrbrROMozXohwwG
Malware Config

Extracted
redline
dumud
217.196.96.101:4132
auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
- resource: behavioral1/files/0x000b000000023b76-12.dat
  yara_rule: family_redline
- resource: behavioral1/memory/4360-15-0x0000000000230000-0x0000000000260000-memory.dmp
  yara_rule: family_redline

Redline family

Executes dropped EXE (2 IoCs)
- pid: 3968
  Process: x1154784.exe
- pid: 4360
  Process: g2844484.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: x1154784.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: x1154784.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: g2844484.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- description: PID 5112 wrote to memory of 3968
  pid: 5112
  Process: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
  procid_target: 83
- description: PID 5112 wrote to memory of 3968
  pid: 5112
  Process: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
  procid_target: 83
- description: PID 5112 wrote to memory of 3968
  pid: 5112
  Process: cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
  procid_target: 83
- description: PID 3968 wrote to memory of 4360
  pid: 3968
  Process: x1154784.exe
  procid_target: 84
- description: PID 3968 wrote to memory of 4360
  pid: 3968
  Process: x1154784.exe
  procid_target: 84
- description: PID 3968 wrote to memory of 4360
  pid: 3968
  Process: x1154784.exe
  procid_target: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf292d8efe307ac63bd086070db358d427d32e3f6add0c8d5a4e5f59075ba4c8.exe"
   PID: 5112
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1154784.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1154784.exe
      PID: 3968
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2844484.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2844484.exe
         PID: 4360
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 307KB
  MD5: 0b197173cfcb4ad5ac8d1a08d342fc4e
  SHA1: add252164daba293ced6e8ac2b94857120187fac
  SHA256: 0449f11c2ad8ffad72d177d166deeb61ce29f21b644b8f6872c03425790399f1
  SHA512: a0396abb5391bec1b188bb2602ef749aaddcc81f1d734601f1207053126db4cee2164341307cdc4c56737567beb615dee170cf10077ad7edc3220c16528c6c04

- Filesize: 168KB
  MD5: 3bc8ab9e9ee5875998ac2f25d925bce2
  SHA1: 70d27b1251213dcfa250673a0cb4090c14c95303
  SHA256: 8474f895e4cf9ee78e567c7d23daf8f4f07b5835e8e949e277dfda8cda2187b0
  SHA512: 0e4ecb4adb713822b64eb145d1ecff4c4763253a0827ab11c9da66f512f154ea8c5c33ee615314b1ae50bb8b6de6c2c694ed9c1c67fedc60f5e71ad89ca80069