Analysis
Max time kernel: 141s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe
Resource: win10v2004-20241007-en
General
Target: b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe
Size: 583KB
MD5: 280649030aadf2dfb20a8601e5e2fab5
SHA1: 22111d6f81d55ddafadf406c219bcea4985b4f04
SHA256: b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce
SHA512: 3937db3438933a6c61fd6db28071bb1207f0a10dcb693250d9cb0443c1d943c5b90a339cb1c6cbd866e8552e46066a168586b767f91c0366830a539648ebafa9
SSDEEP: 12288:RMrMy9090VFKoMqbmcPmkLwhD5qBWDmA1ue0:1yTVfjbpYD5BmGr0
Malware Config
Extracted
Family: redline
Botnet: ronam
C2: 193.233.20.17:4139
Attributes:
auth_value: 125421d19d14dd7fd211bc7f6d4aea6c
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (2 IoCs)
PID   Process
4432  nYQ78Ou85.exe
4536  eVY08of.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Set value (str) by nYQ78Ou85.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nYQ78Ou85.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eVY08of.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Description              PID   Process
Token: SeDebugPrivilege  4536  eVY08of.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Description                        PID   Process                                                                  Target process
PID 3744 wrote to memory of 4432   3744  b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe  nYQ78Ou85.exe
PID 3744 wrote to memory of 4432   3744  b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe  nYQ78Ou85.exe
PID 3744 wrote to memory of 4432   3744  b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe  nYQ78Ou85.exe
PID 4432 wrote to memory of 4536   4432  nYQ78Ou85.exe                                                            eVY08of.exe
PID 4432 wrote to memory of 4536   4432  nYQ78Ou85.exe                                                            eVY08of.exe
PID 4432 wrote to memory of 4536   4432  nYQ78Ou85.exe                                                            eVY08of.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe (PID 3744)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b03fe062bedc423b43befb7f91acd6ffb0f65ff0358d7d8e212d45c8581a71ce.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYQ78Ou85.exe (PID 4432)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYQ78Ou85.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eVY08of.exe (PID 4536)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eVY08of.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 439KB
MD5: 99fb01ca4e4fb73978bdf5e11266381d
SHA1: b4d47f9f73d849a3d9d9da36002a49b1be632dac
SHA256: 9a39c92406726e1fe2d5ae832a16c22181dcc8bbbfc3f32156079e7aad3a48f8
SHA512: 3f9d64c6f735828f7818d2acaf9671cc07b495b5b83db408815b38334eaadb1d58d9a1b3d48f04ecca8894fcdffa1f826ea736b94987ef38ab41588184c119b4

File 2
Filesize: 302KB
MD5: 3ae325b7e23ade83ec4a82f60599bbd2
SHA1: 5dc22cc013fc250e419ac826ef7cb1fcb3728ef5
SHA256: 271a51784a7210356ba70dfd7e82d0c7c46316b6911925e1e6c955d5b3ecaa74
SHA512: a10c5bc435513e0583d9e5227347e1e62a5b1a6a25116f3a609b8d93d797c402ecc88041156f337b66ead158d9fe1a0000b71c1f114efd14c95d28cc26e026d3