Analysis
max time kernel: 131s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:13
Static task: static1
Behavioral task: behavioral1
Sample: 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
Resource: win10v2004-20241007-en
General
Target: 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
Size: 874KB
MD5: 56482e6b0c9279e0b1eb7d2a9ac7e9e5
SHA1: cfdaa0219663ecd53f9e1ec44e8d367ae38f437c
SHA256: 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56
SHA512: e67ee98b53a56053225f4660dad0b5a959cfecd6b15e7aa0ae67d3e70179bb75d1c2405aacc63d5862163f699c40f45e28a320a4685e78e53f67a8777c3381b4
SSDEEP: 24576:8yYMNn2JugxjvjSLt47WFrrnE4/aJkC6K3j5JMkxF4/di:rYMt2Ju2j+JBnJaJJ93jdod
Malware Config
Extracted
Family: redline
Botnet: dimas
C2: 185.161.248.75:4132
auth_value: a5db9b1c53c704e612bccc93ccdb5539
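The extracted C2 is the one indicator here that can be checked against network telemetry straight away. The following is an added example (not part of the sandbox report) that turns the config's ip:port entries into endpoint objects and scans Zeek conn.log records for them. The conn.log lines are constructed for illustration and assume Zeek's default field order; only the C2 address, port, botnet name and auth_value come from the report. An IP-only match is reported separately because the port is per build and a different port on the same host is still worth an analyst's attention.

```python
"""Match the RedLine C2 from the extracted config against Zeek conn.log records."""
import ipaddress
from dataclasses import dataclass

# Values copied from the report's "Malware Config" section.
REDLINE_CONFIG = {
    "family": "redline",
    "botnet": "dimas",
    "c2": ["185.161.248.75:4132"],
    "auth_value": "a5db9b1c53c704e612bccc93ccdb5539",
}


@dataclass(frozen=True)
class C2Endpoint:
    ip: str
    port: int


def parse_c2(entries):
    """Turn 'ip:port' strings into validated C2Endpoint objects (a set, for O(1) lookup)."""
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        out.add(C2Endpoint(host, int(port)))
    return out


# Assumed Zeek conn.log field order (the default #fields header). Constructed sample data, not real traffic.
ZEEK_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1731287620.101\tCabc1\t10.0.0.23\t49812\t185.161.248.75\t4132\ttcp\t-\t3.2\t1840\t5120\tSF
1731287621.456\tCabc2\t10.0.0.23\t49813\t142.250.74.78\t443\ttcp\tssl\t0.9\t912\t4096\tSF
1731287630.900\tCabc3\t10.0.0.41\t50110\t185.161.248.75\t80\ttcp\thttp\t0.4\t300\t900\tSF
"""


def find_c2_connections(conn_log_text, c2_endpoints):
    """Return (uid, orig_h, resp_h, resp_p, kind) for every connection to a C2.

    kind is 'exact' for an ip:port match and 'ip_only' when only the host
    matches, so traffic to the C2 host on another port is still surfaced.
    """
    c2_ips = {e.ip for e in c2_endpoints}
    hits = []
    for line in conn_log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip Zeek header/footer lines
        rec = dict(zip(ZEEK_FIELDS, line.split("\t")))
        ep = C2Endpoint(rec["id.resp_h"], int(rec["id.resp_p"]))
        if ep in c2_endpoints:
            hits.append((rec["uid"], rec["id.orig_h"], ep.ip, ep.port, "exact"))
        elif ep.ip in c2_ips:
            hits.append((rec["uid"], rec["id.orig_h"], ep.ip, ep.port, "ip_only"))
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG, parse_c2(REDLINE_CONFIG["c2"])):
        print(hit)
```

Run against a real conn.log by reading the file into `find_c2_connections`; the `#fields` header in a real log should be parsed rather than assumed if the sensor uses a non-default field set.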
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x000a000000023ba1-19.dat                                    family_redline
behavioral1/memory/2264-21-0x0000000000450000-0x000000000047A000-memory.dmp    family_redline
The memory match is in PID 2264, which is f1689815.exe, the last process in the chain below; the dropped file and the unpacked image of the final stage are what carry the RedLine code.

Redline family
Executes dropped EXE (3 IoCs)
pid   Process
3512  x9119644.exe
4052  x2841302.exe
2264  f1689815.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description      ioc                                                                                                       Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x9119644.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  x2841302.exe
Read these values before treating them as persistence: wextract_cleanupN entries are written by the IExpress self-extractor stub (wextract), and advpack.dll,DelNodeRunDLL32 deletes the named directory tree at the next logon. They remove the IXP00N.TMP extraction directories rather than start the payload, and there are three of them because three nested self-extracting packages ran. No Run or RunOnce entry pointing at the RedLine binary itself appears in this report.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x9119644.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x2841302.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f1689815.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                     pid   Process                                                                  procid_target
PID 1608 wrote to memory of 3512  1608  3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe  83
PID 1608 wrote to memory of 3512  1608  3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe  83
PID 1608 wrote to memory of 3512  1608  3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe  83
PID 3512 wrote to memory of 4052  3512  x9119644.exe                                                             84
PID 3512 wrote to memory of 4052  3512  x9119644.exe                                                             84
PID 3512 wrote to memory of 4052  3512  x9119644.exe                                                             84
PID 4052 wrote to memory of 2264  4052  x2841302.exe                                                             86
PID 4052 wrote to memory of 2264  4052  x2841302.exe                                                             86
PID 4052 wrote to memory of 2264  4052  x2841302.exe                                                             86
Each parent writes only to the child it has just spawned, three times, and never to an unrelated process; that is the pattern of ordinary process creation, not of injection into a foreign process. procid_target is the report's own sequential index for the target process, not a Windows PID.
Processes

C:\Users\Admin\AppData\Local\Temp\3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe"
  PID: 1608
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe
      PID: 3512
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe
          PID: 4052
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe
              PID: 2264
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

Four stages in a straight line: each stage unpacks the next into a fresh IXP00N.TMP directory under %TEMP%, runs it, and registers a cleanup of its own directory. Only the final stage, f1689815.exe (PID 2264), is matched as RedLine in memory; the three ancestors are self-extracting wrappers.
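Reports like this one are usually consumed by script rather than by eye, and the two things worth pulling out of this one are the parent/child chain and the stage directories. The block below is an added example, not part of the report and not a Triage signature: it parses the WriteProcessMemory rows and the process image paths exactly as they appear above, rebuilds the chain, and flags the nested-IExpress pattern (consecutive IXP000, IXP001, IXP002 stage directories). It also classifies the RunOnce value so that wextract's advpack DelNodeRunDLL32 cleanup is not mistaken for an autostart entry. The IXP-stage heuristic and the minimum stage count are the editor's own choices.

```python
"""Rebuild the dropper chain from sandbox rows and check for nested IExpress stages."""
import ntpath
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows, retyped from the report.
# One row per call; the same pair repeats because CreateProcess writes the
# new child several times while setting it up.
WPM_ROWS = """\
PID 1608 wrote to memory of 3512 1608 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe 83
PID 1608 wrote to memory of 3512 1608 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe 83
PID 1608 wrote to memory of 3512 1608 3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe 83
PID 3512 wrote to memory of 4052 3512 x9119644.exe 84
PID 3512 wrote to memory of 4052 3512 x9119644.exe 84
PID 3512 wrote to memory of 4052 3512 x9119644.exe 84
PID 4052 wrote to memory of 2264 4052 x2841302.exe 86
PID 4052 wrote to memory of 2264 4052 x2841302.exe 86
PID 4052 wrote to memory of 2264 4052 x2841302.exe 86
"""

# Image path per PID, from the report's "Processes" tree.
IMAGE_BY_PID = {
    1608: r"C:\Users\Admin\AppData\Local\Temp\3a24377b9629f248ad411c6bb888d083908c802521344862f1a65b2810ae0a56.exe",
    3512: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9119644.exe",
    4052: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2841302.exe",
    2264: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1689815.exe",
}

# RunOnce\wextract_cleanup0 as stored in the registry (the report shows it with doubled backslashes).
RUNONCE_VALUE = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 \S+ \d+$")
IXP_STAGE_RE = re.compile(r"\\Temp\\IXP(\d{3})\.TMP\\[^\\]+$", re.IGNORECASE)   # image inside a stage dir
IXP_DIR_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\?$", re.IGNORECASE)             # the stage dir itself
DELNODE_RE = re.compile(r'^rundll32\.exe \S*advpack\.dll,DelNodeRunDLL32 "([^"]+)"$', re.IGNORECASE)


def parse_wpm(text):
    """{parent_pid: {child_pid, ...}} from WriteProcessMemory rows; repeated rows collapse."""
    children = defaultdict(set)
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            children[int(m.group(1))].add(int(m.group(2)))
    return children


def longest_chain(children, root):
    """Longest root-to-leaf PID path, found depth-first."""
    best = [root]
    for child in children.get(root, ()):
        cand = [root] + longest_chain(children, child)
        if len(cand) > len(best):
            best = cand
    return best


def iexpress_stages(chain, image_by_pid):
    """IXP stage numbers along the chain, in execution order.

    wextract (the IExpress stub) unpacks into IXP00N.TMP under the temp
    directory and bumps N once per nesting level, so 0, 1, 2 in sequence
    is the fingerprint of a package-inside-a-package dropper.
    """
    stages = []
    for pid in chain:
        m = IXP_STAGE_RE.search(image_by_pid.get(pid, ""))
        if m:
            stages.append(int(m.group(1)))
    return stages


def is_nested_iexpress_dropper(chain, image_by_pid, min_stages=2):
    """True when the chain runs through at least min_stages consecutive IXP stage dirs."""
    stages = iexpress_stages(chain, image_by_pid)
    return len(stages) >= min_stages and stages == list(range(len(stages)))


def classify_runonce(value):
    """Distinguish wextract's self-cleanup from a real autostart value.

    Returns ("wextract_cleanup", directory) when the value only deletes an
    IXP extraction directory through advpack!DelNodeRunDLL32, otherwise
    ("autostart", value) so the caller treats it as persistence.
    """
    m = DELNODE_RE.match(value)
    if m and IXP_DIR_RE.search(m.group(1)):
        return ("wextract_cleanup", m.group(1))
    return ("autostart", value)


if __name__ == "__main__":
    tree = parse_wpm(WPM_ROWS)
    chain = longest_chain(tree, 1608)
    print(" -> ".join(f"{pid}:{ntpath.basename(IMAGE_BY_PID[pid])}" for pid in chain))
    print("stages:", iexpress_stages(chain, IMAGE_BY_PID),
          "nested IExpress:", is_nested_iexpress_dropper(chain, IMAGE_BY_PID))
    print("RunOnce:", classify_runonce(RUNONCE_VALUE))
```

The same functions work on Sysmon data once the rows are mapped: event 1 gives parent/child PIDs and image paths, and event 13 gives the RunOnce value. A chain that passes `is_nested_iexpress_dropper` is not malicious by itself (legitimate IExpress installers nest too); pair it with what the leaf does, which here is the family_redline memory match.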
Network
MITRE ATT&CK Enterprise v15
Downloads
Three dropped files, in the order the report lists them:

Filesize: 478KB
MD5: e77e5d2ffa93549ed07d886b339a035b
SHA1: 897c50ac636484bd18515488ccea8566f8709af4
SHA256: 9da754dd723c487d4a70108ec08c9f4ad25f85e26717a2a9c033395ce8b4dd69
SHA512: ebb77c6a006b6bf2f142a0e2bb524adbd8edc81f8cee56c7103966b312059a34f04ce2f6d7660f984b5e0b6ed7b21bb419dbf319945062bf420092f8d56b080b

Filesize: 306KB
MD5: 10210e574d288acd2df9ea3fbb4dc432
SHA1: 487e37e784742286b25477d8f23d35e88942a038
SHA256: 3a90d3ab41b0f55f022aca9b68d2fc5280aa4d129275eb35cb292fa2d2dfbcf5
SHA512: e787d6012cb60dd9d3a906451cec1103873c229dd601d10729fc7925430fcdb4ee272508968f8c5630480a5da944a2e737787ef89ab09dd1bc3b5e2009251f1f

Filesize: 145KB
MD5: e0aa23942605f064aea9974753c46cf6
SHA1: e17b26d488c7295994cb8863488c71035cfb257a
SHA256: dcc7473a61cc3c784108ba8229e826858b7b00d1715078a90dccdbdd8b117faf
SHA512: 4546874e596654bc1b85bf0c9f01682080849ed8ceec232a0502201eba6f062ffafdaada26b6b39bcc7d45916099e0ad843353ac700860f6b66a67b0ef223f31