Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/11/2024, 23:34
General
-
Target
c3d62412dfa9ecc924ced3d296c30544fdebda337ef909c9aabf265f1d732105.exe
-
Size
583KB
-
MD5
8d5ce5dbe1741ee8e955541f92ac3be5
-
SHA1
b4365d048f5be355a41537824c72b077b5a1d60d
-
SHA256
c3d62412dfa9ecc924ced3d296c30544fdebda337ef909c9aabf265f1d732105
-
SHA512
97c5f2cafc77e3ce4b4d0099530f66cb1c4e617c8419ec3e2fdd9e18b946826741ee0fa97f413969b62f232d23a319b68b06a02f87f58ef61fa16aa9f0276678
-
SSDEEP
12288:+Mr6y900KnIV/JQX378bIvxIc3Nq5H915qLD0ovQEprI1:My1VBQ78MvD3Y5H9152Djpc1
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3d62412dfa9ecc924ced3d296c30544fdebda337ef909c9aabf265f1d732105.exe"C:\Users\Admin\AppData\Local\Temp\c3d62412dfa9ecc924ced3d296c30544fdebda337ef909c9aabf265f1d732105.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOj85wX32.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nOj85wX32.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\euD46qg.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\euD46qg.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
438KB
MD51125117ab29a16c1fe6c15d591a09ff9
SHA11de76fe49d78672d1ebb43742f207ae9b04de61b
SHA2564281bad4b752fd278b9f7852118ca11cda955f68342f9dc6586eeadd4d9b2342
SHA51208a2e19f350b6ad719b279de9c80b6468ef771efe18c8f10e6393a7131631fa6f44e2055491f41da91a04c493fd24785b32c778cbd7a2c5e62abf978d23e320d
-
Filesize
301KB
MD5b7310010d403a432b2b24fbc525c2c27
SHA1b6ad682dea1b768201d9fa3d9c0a0be4df3aff8a
SHA256ac7685b8203387f790d8dab34f74a0218eb59367c86cf9467364afce9647d391
SHA512e1fe5f38e9e00f66b54e3f85c61808e7c0b4e5109368c555e0b8f20fded47fa9e05a8ac9420752128dad12bdccaa80126427b1cb15e6052018922d7ee29c2ca6
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB