Analysis
max time kernel: 141s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:12
Static task: static1
Behavioral task: behavioral1
Sample: 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
Resource: win10v2004-20241007-en
General
Target: 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
Size: 766KB
MD5: 4329bf1344a253ff3b17a12112474ecf
SHA1: 5e8ae400c3d0db5409be70c7831c1ce735e6b235
SHA256: 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1
SHA512: 6246e8f6293379130caaadef2060182f855d1978bf661c758344fa793a9bad40460f63d76b9798e0403e7e0f18f29275539963e21caf565c9b258dbeb672dd19
SSDEEP: 12288:RMrmy90mUDVMD2OdZctMsXmXmcJMwIYknIT1UHOQSsZzq4vFHcIlDqbh1zsDXRqu:/y4V62OAOam2cJj/knIBCZzq4vz9KVsf
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
Attributes: auth_value 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource  yara_rule
behavioral1/memory/2704-22-0x0000000002AC0000-0x0000000002B06000-memory.dmp  family_redline
behavioral1/memory/2704-24-0x00000000054B0000-0x00000000054F4000-memory.dmp  family_redline
behavioral1/memory/2704-60-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-62-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-88-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-84-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-80-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-78-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-76-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-74-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-72-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-70-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-68-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-66-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-64-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-58-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-56-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-54-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-52-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-50-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-46-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-44-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-42-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-40-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-38-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-36-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-34-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-30-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-28-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-86-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-82-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-48-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-32-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-26-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline
behavioral1/memory/2704-25-0x00000000054B0000-0x00000000054EE000-memory.dmp  family_redline

Redline family
Executes dropped EXE 3 IoCs
Processes: vnk76.exe, vEh06.exe, duW94.exe
pid   Process
2028  vnk76.exe
4380  vEh06.exe
2704  duW94.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe, vnk76.exe, vEh06.exe
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vnk76.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  vEh06.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: vnk76.exe, vEh06.exe, duW94.exe, 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
description  ioc  Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vnk76.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vEh06.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  duW94.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: duW94.exe
description               pid   Process
Token: SeDebugPrivilege  2704  duW94.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe, vnk76.exe, vEh06.exe
description                        pid   Process                                                                   procid_target
PID 4724 wrote to memory of 2028  4724  934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe  83
PID 4724 wrote to memory of 2028  4724  934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe  83
PID 4724 wrote to memory of 2028  4724  934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe  83
PID 2028 wrote to memory of 4380  2028  vnk76.exe  85
PID 2028 wrote to memory of 4380  2028  vnk76.exe  85
PID 2028 wrote to memory of 4380  2028  vnk76.exe  85
PID 4380 wrote to memory of 2704  4380  vEh06.exe  86
PID 4380 wrote to memory of 2704  4380  vEh06.exe  86
PID 4380 wrote to memory of 2704  4380  vEh06.exe  86
Processes
C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4724
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4380
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:2704
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 661KB
MD5: 7daeacaf039d31faf12df639e1c988df
SHA1: b5d6576dafee6f860760c2154a95bc1e789524c3
SHA256: 60f8cf69f8e1d28a45c3073477b0ac4ed90719d972eb18704eaf1d4fb952ed64
SHA512: 0fe286e3d29db95734d7e8c3db692285637f44de0b899af0737d42a8435c9a097e88d3cdf3d817f5416e180ccf8f99677d01cff9fc74b148ec74d901e0d6a59c

Filesize: 516KB
MD5: 666c0311502a1e366cbd6fa346ef7d70
SHA1: 90d49fff94e3fe2a00141d3b125d817c89b76601
SHA256: 19b36b0f715e7a191aaaa832232c01393f6b7bbc48d35bece1ad6b2e3dc95d43
SHA512: 8252737c17c3bf8c53b891506e09ca68232d39b4f70b3ce2b9bd88929915e889a5aac5d61916e956e7bf9782161f4550aa43c606791bc066a31edd91d2d0ef76

Filesize: 297KB
MD5: c76b024698fbf2e549cbc0515872a7b4
SHA1: 6dd18e417c892a26a1b9eca8b4a07421e743f052
SHA256: c0171f0d598f860d522908c1247e21d1325ec3d14cfda22e181d642fe1d29c20
SHA512: 48b8cd24779f46abd1769ac6453f4b22782b0ec34841b89e15f32e130d6b4d29eb5999f00afb9fdfc927fbc02f0ec0607c933163ff1794beba58fe3db5e3e19c