Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10-11-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe
Resource
win10v2004-20241007-en
General
-
Target
19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe
-
Size
582KB
-
MD5
39d2eede9a6d1f833faba6670c61dcba
-
SHA1
38de496e060c448ff4b78b345e0ae416dc10b2ae
-
SHA256
19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00
-
SHA512
bcab1de32fe948e1550e80a9563f76ec010f044261382ad81faece041b17ae000787de2f34da45ecb659f938b2e548c3b11b4c71f4463a7713476cb12722472c
-
SSDEEP
12288:PMrJy90Gc9qx2BdCCfSHfIL2vDzW/3nZzh+B+ePe5Lic:mym+sEFfIybzWvJ0BU1ic
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
pid   Process
2520  djN2942.exe
2036  nFP91Hz.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  djN2942.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  djN2942.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nFP91Hz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  2036  nFP91Hz.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                          pid   Process                                                                 procid_target
PID 2680 wrote to memory of 2520     2680  19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe  83
PID 2680 wrote to memory of 2520     2680  19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe  83
PID 2680 wrote to memory of 2520     2680  19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe  83
PID 2520 wrote to memory of 2036     2520  djN2942.exe                                                            84
PID 2520 wrote to memory of 2036     2520  djN2942.exe                                                            84
PID 2520 wrote to memory of 2036     2520  djN2942.exe                                                            84
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19e7c7c1f686ba980d05ad93ae2320bca253ae24e9a177d760a01306067c5b00.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
[2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djN2942.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\djN2942.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
[3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFP91Hz.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFP91Hz.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
437KB
MD5 0a4ac5148e363d96482b7c8d749132f6
SHA1 db18aeb867225de1045927063df2af07f5165547
SHA256 11d8d7241cf41e73cdf0208dfab6ea4f111d7c7eb34fb7eeaffc2b20872b1802
SHA512 a48c6575d716810d8d411a8a87da22f871df37ee02dba70dbbfff7f373ecff4a45b74151afb27740e43abd47e01dd5aa0cc70a620695ae47798b65d9c3760a29
-
Filesize
299KB
MD5 8861c0b8cca49f5260dbe97a317d799c
SHA1 d463fd4b51d4b743784ad1e209794932452484ab
SHA256 d9abb8db07eec20445916c16fb5903e445eaa12af27d6c2c871094cdc205bb9f
SHA512 f923985ba675d865ead96f975a6b3c6d182eda9c2d927cd259c6c7ccc45ed2fe406c9fe0d046879184338f962ae4b2da3fee5eefffed16c9d69bfa8560752dda