Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:16
Static task: static1
Behavioral task: behavioral1
Sample: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
Resource: win10v2004-20241007-en
General
Target: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
Size: 643KB
MD5: 94a406360fd8a4c7e86c2339205855ba
SHA1: cd9b546e8b177e0c98d794ac561ed0c01caf312b
SHA256: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48
SHA512: ed68a2c60917cb49c2400e409bf1666ddf866631c6c3c184a34d65a25452191add579dd5b12b3f2397f1164473480ccfe95f6bdccb05701427cde98c68f62e49
SSDEEP: 12288:lMrqy90l8/cFfrs1uWLdcRphuavCKHXVr7r4ukpxhNi+:jytsox+PvCKHXVr7fkpxzn
Malware Config
Extracted
Family: redline
Botnet: darm
C2: 217.196.96.56:4138
auth_value: d88ac8ccc04ab9979b04b46313db1648
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  Resource: behavioral1/files/0x000a000000023bc0-12.dat  YARA rule: family_redline
  Resource: behavioral1/memory/1976-15-0x00000000006C0000-0x00000000006F0000-memory.dmp  YARA rule: family_redline

Redline family

Executes dropped EXE (2 IoCs)
  PID 4976  Process: x7578539.exe
  PID 1976  Process: g1238654.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Process: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  Process: x7578539.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: x7578539.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: g1238654.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3200 wrote to memory of PID 4976  Process: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe  Target procid: 83
  PID 3200 wrote to memory of PID 4976  Process: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe  Target procid: 83
  PID 3200 wrote to memory of PID 4976  Process: 29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe  Target procid: 83
  PID 4976 wrote to memory of PID 1976  Process: x7578539.exe  Target procid: 84
  PID 4976 wrote to memory of PID 1976  Process: x7578539.exe  Target procid: 84
  PID 4976 wrote to memory of PID 1976  Process: x7578539.exe  Target procid: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe"
   PID: 3200
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7578539.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7578539.exe
      PID: 4976
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1238654.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1238654.exe
         PID: 1976
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 384KB
MD5: 284e35f8dfe722bbc86a76edc828ce21
SHA1: 08429db68815da042e9f5fc9ce23c4bafc1b2ca3
SHA256: 60462f5e7688f3437ee1fe1f9eda0ce061a48251c51722d68473a653a9705b99
SHA512: 314b6a76d8e16c71ea749c04f2cc013a169d81c174677cf706c8964f1b5f4c7ea8baa95af8d37c83f8307c267295fef8c81b4174974a215083ceb33664a57955

File 2
Filesize: 168KB
MD5: ca6b1dcf0a488e2034bb32f518f91bc0
SHA1: fa8a2f472347433e982a1cc9a82eec6dcabab92e
SHA256: 7d4897cfb4ef83cb0316584a3b8d836555b9c3d55a8b2def6f20e3bf8e160cf8
SHA512: dd2433fb18926bc480f1800afb5bb7f6e5d14cb78d3ec77761e3b55eea45275dee22fba20b5fdaed8749a0af55613aa602cfd15c16524c4c2cd48e67578e465a