Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:14
Static task: static1
Behavioral task: behavioral1
Sample: 1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
Resource: win10v2004-20241007-en
General
Target: 1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
Size: 536KB
MD5: a7d47adead152f09ccdce43297a43889
SHA1: fbbef4811ec40015960f243056102b7d651efd64
SHA256: 1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7
SHA512: 347ad6450d031dcc2573de25ade3d552e2cd1b304f04bab7aa805f5630a29dd08ed44aa127946acec02f9260af4fc0e620801b3b4291bc79bb70b54992f7adcb
SSDEEP: 12288:3MrBy90mi8aInDBsRVr97oR0TNlXojaUQJXft+:OyjbnDBs3xRPXojaX7+
Malware Config
Extracted
Family: redline
Botnet: ruma
C2: 193.233.20.13:4136
Attributes:
auth_value: 647d00dfaba082a4a30f383bca5d1a2a
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/2320-19-0x0000000004CF0000-0x0000000004D36000-memory.dmp  family_redline
behavioral1/memory/2320-21-0x0000000005320000-0x0000000005364000-memory.dmp  family_redline
behavioral1/memory/2320-59-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-57-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-85-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-83-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-81-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-79-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-77-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-75-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-73-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-71-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-69-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-67-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-65-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-63-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-61-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-55-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-53-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-51-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-49-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-47-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-45-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-43-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-41-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-39-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-37-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-35-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-33-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-31-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-29-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-27-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-25-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-23-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline
behavioral1/memory/2320-22-0x0000000005320000-0x000000000535E000-memory.dmp  family_redline

Redline family
Executes dropped EXE (2 IoCs)
Processes:
pid   Process
1000  vcL85.exe
2320  daG44.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: vcL85.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   daG44.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vcL85.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description               pid   Process
Token: SeDebugPrivilege   2320  daG44.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   Process                                                                 procid_target
PID 2160 wrote to memory of 1000   2160  1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe   84
PID 2160 wrote to memory of 1000   2160  1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe   84
PID 2160 wrote to memory of 1000   2160  1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe   84
PID 1000 wrote to memory of 2320   1000  vcL85.exe                                                               85
PID 1000 wrote to memory of 2320   1000  vcL85.exe                                                               85
PID 1000 wrote to memory of 2320   1000  vcL85.exe                                                               85
Processes
1. C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1fe28479e42351ecb3ae531321e56803d7aba556c51e79a9c99ae8cd002706d7.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2160
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcL85.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1000
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daG44.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 432KB
MD5: f741776c71c86f4a34323ded9602a4d5
SHA1: 292ce158bdfae3117bb2be35625608999d18f63e
SHA256: 5265966f5f0074df5a240ef6caf46e977fc03495f14baf9c57c4fb7f88b31137
SHA512: 87feda7e09956e900ffd4461435466c2281052b0219bef74a3f81f859c93a27c3713e6249f07f5af1fa01286c8dfc91e5fdc3ac6f4d9e702e44b3b96c332fb96

Filesize: 293KB
MD5: 7cf461732cf9d151aed5ca9f15c9d689
SHA1: 16308873863f9231638b81abe04b80afd0b98c18
SHA256: 971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f
SHA512: 1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75