Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:13

General

  • Target

    3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe

  • Size

    874KB

  • MD5

    56482e6b0c9279e0b1eb7d2a9ac7e9e5

  • SHA1

    cfdaa0219663ecd53f9e1ec44e8d367ae38f437c

  • SHA256

    3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56

  • SHA512

    e67ee98b53a56053225f4660dad0b5a959cfecd6b15e7aa0ae67d3e70179bb75d1c2405aacc63d5862163f699c40f45e28a320a4685e78e53f67a8777c3381b4

  • SSDEEP

    24576:8yYMNn2JugxjvjSLt47WFrrnE4/aJkC6K3j5JMkxF4/di:rYMt2Ju2j+JBnJaJJ93jdod

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
    "C:\Users\Admin\AppData\Local\Temp\3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe

    Filesize

    478KB

    MD5

    e77e5d2ffa93549ed07d886b339a035b

    SHA1

    897c50ac636484bd18515488ccea8566f8709af4

    SHA256

    9da754dd723c487d4a70108ec08c9f4ad25f85e26717a2a9c033395ce8b4dd69

    SHA512

    ebb77c6a006b6bf2f142a0e2bb524adbd8edc81f8cee56c7103966b312059a34f04ce2f6d7660f984b5e0b6ed7b21bb419dbf319945062bf420092f8d56b080b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe

    Filesize

    306KB

    MD5

    10210e574d288acd2df9ea3fbb4dc432

    SHA1

    487e37e784742286b25477d8f23d35e88942a038

    SHA256

    3a90d3ab41b0f55f022aca9b68d2fc5280aa4d129275eb35cb292fa2d2dfbcf5

    SHA512

    e787d6012cb60dd9d3a906451cec1103873c229dd601d10729fc7925430fcdb4ee272508968f8c5630480a5da944a2e737787ef89ab09dd1bc3b5e2009251f1f

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe

    Filesize

    145KB

    MD5

    e0aa23942605f064aea9974753c46cf6

    SHA1

    e17b26d488c7295994cb8863488c71035cfb257a

    SHA256

    dcc7473a61cc3c784108ba8229e826858b7b00d1715078a90dccdbdd8b117faf

    SHA512

    4546874e596654bc1b85bf0c9f01682080849ed8ceec232a0502201eba6f062ffafdaada26b6b39bcc7d45916099e0ad843353ac700860f6b66a67b0ef223f31

  • memory/2264-21-0x0000000000450000-0x000000000047A000-memory.dmp

    Filesize

    168KB

  • memory/2264-22-0x0000000005410000-0x0000000005A28000-memory.dmp

    Filesize

    6.1MB

  • memory/2264-23-0x0000000004F20000-0x000000000502A000-memory.dmp

    Filesize

    1.0MB

  • memory/2264-24-0x0000000004E50000-0x0000000004E62000-memory.dmp

    Filesize

    72KB

  • memory/2264-25-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

    Filesize

    240KB

  • memory/2264-26-0x0000000005030000-0x000000000507C000-memory.dmp

    Filesize

    304KB