Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:16

General

  • Target

    29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe

  • Size

    643KB

  • MD5

    94a406360fd8a4c7e86c2339205855ba

  • SHA1

    cd9b546e8b177e0c98d794ac561ed0c01caf312b

  • SHA256

    29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48

  • SHA512

    ed68a2c60917cb49c2400e409bf1666ddf866631c6c3c184a34d65a25452191add579dd5b12b3f2397f1164473480ccfe95f6bdccb05701427cde98c68f62e49

  • SSDEEP

    12288:lMrqy90l8/cFfrs1uWLdcRphuavCKHXVr7r4ukpxhNi+:jytsox+PvCKHXVr7fkpxzn

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe
    "C:\Users\Admin\AppData\Local\Temp\29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7578539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7578539.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1238654.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1238654.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7578539.exe

    Filesize

    384KB

    MD5

    284e35f8dfe722bbc86a76edc828ce21

    SHA1

    08429db68815da042e9f5fc9ce23c4bafc1b2ca3

    SHA256

    60462f5e7688f3437ee1fe1f9eda0ce061a48251c51722d68473a653a9705b99

    SHA512

    314b6a76d8e16c71ea749c04f2cc013a169d81c174677cf706c8964f1b5f4c7ea8baa95af8d37c83f8307c267295fef8c81b4174974a215083ceb33664a57955

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1238654.exe

    Filesize

    168KB

    MD5

    ca6b1dcf0a488e2034bb32f518f91bc0

    SHA1

    fa8a2f472347433e982a1cc9a82eec6dcabab92e

    SHA256

    7d4897cfb4ef83cb0316584a3b8d836555b9c3d55a8b2def6f20e3bf8e160cf8

    SHA512

    dd2433fb18926bc480f1800afb5bb7f6e5d14cb78d3ec77761e3b55eea45275dee22fba20b5fdaed8749a0af55613aa602cfd15c16524c4c2cd48e67578e465a

  • memory/1976-14-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

    Filesize

    4KB

  • memory/1976-15-0x00000000006C0000-0x00000000006F0000-memory.dmp

    Filesize

    192KB

  • memory/1976-16-0x0000000005120000-0x0000000005126000-memory.dmp

    Filesize

    24KB

  • memory/1976-17-0x000000000AB10000-0x000000000B128000-memory.dmp

    Filesize

    6.1MB

  • memory/1976-18-0x000000000A670000-0x000000000A77A000-memory.dmp

    Filesize

    1.0MB

  • memory/1976-19-0x000000000A5A0000-0x000000000A5B2000-memory.dmp

    Filesize

    72KB

  • memory/1976-21-0x0000000073C20000-0x00000000743D0000-memory.dmp

    Filesize

    7.7MB

  • memory/1976-20-0x000000000A600000-0x000000000A63C000-memory.dmp

    Filesize

    240KB

  • memory/1976-22-0x00000000029A0000-0x00000000029EC000-memory.dmp

    Filesize

    304KB

  • memory/1976-23-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

    Filesize

    4KB

  • memory/1976-24-0x0000000073C20000-0x00000000743D0000-memory.dmp

    Filesize

    7.7MB
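The process tree, the Run-key and C2 signatures, and the dropped-file hashes above are the pieces an analyst turns into a hunt. The script below is an added example written for this page, not sandbox output or RedLine code: it encodes those indicators (the three SHA-256 values, the nested IXP000.TMP/IXP001.TMP drop directories that IExpress self-extracting packages create under %TEMP%, the Run-key path and the 217.196.96.56:4138 socket from the extracted config) and runs them over a handful of constructed endpoint events. The event schema (event_type, pid, ppid, image, sha256, target) is an assumption, not any particular EDR's format, and the Run-key value name, the notepad.exe control events and the extra IXP002.TMP stage are constructed for illustration; the report does not name or show them.

```python
"""Hunting helper for the indicators in this RedLine report (added example, not sandbox code)."""
import hashlib
import re
from dataclasses import dataclass

# --- Indicators copied from the report ----------------------------------------------------
C2_SOCKET = "217.196.96.56:4138"            # C2 from the extracted config (botnet "darm")
KNOWN_SHA256 = {
    "29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48": "submitted sample",
    "60462f5e7688f3437ee1fe1f9eda0ce061a48251c51722d68473a653a9705b99": r"IXP000.TMP\x7578539.exe",
    "7d4897cfb4ef83cb0316584a3b8d836555b9c3d55a8b2def6f20e3bf8e160cf8": r"IXP001.TMP\g1238654.exe",
}
# IXP000.TMP, IXP001.TMP, ... are the extraction directories IExpress packages create under
# %TEMP%; an EXE running from one, spawned by another, is the dropper chain in the process tree.
IXP_DROP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)
# Matches the per-user or machine Run key (not RunOnce); the report only says a Run key was set.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Event:
    """Assumed telemetry schema: one process-start, registry-write or outbound-connection record."""
    event_type: str      # "process", "registry" or "network"
    pid: int
    ppid: int
    image: str           # full path of the acting process
    sha256: str = ""     # image hash, process events only
    target: str = ""     # registry value path or "ip:port" for network events


def match_events(events):
    """Return (pid, tag, detail) for every event that hits one of the report's indicators."""
    hits = []
    for e in events:
        if e.event_type == "process":
            name = KNOWN_SHA256.get(e.sha256.lower())
            if name:
                hits.append((e.pid, "known-hash", name))
            elif IXP_DROP.search(e.image):   # unknown binary, but launched from an IXP drop dir
                hits.append((e.pid, "ixp-drop", e.image))
        elif e.event_type == "registry" and RUN_KEY.search(e.target):
            hits.append((e.pid, "run-key", e.target))
        elif e.event_type == "network" and e.target == C2_SOCKET:
            hits.append((e.pid, "c2", e.target))
    return hits


def dropper_chain(events, pid):
    """Walk parent links from pid back to the root and return the image paths root-first."""
    by_pid = {e.pid: e for e in events if e.event_type == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def known_file(data: bytes):
    """Hash raw file bytes and name them if they are one of the report's three binaries."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


# --- Constructed events mirroring the report's process tree (PIDs 3200 -> 4976 -> 1976) ------
TEMP = r"C:\Users\Admin\AppData\Local\Temp" + "\\"
SAMPLE_EVENTS = [
    Event("process", 3200, 1000, TEMP + "29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe",
          sha256="29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48"),
    # value name is constructed; the report records the Run key write but not the name
    Event("registry", 3200, 1000, TEMP + "29657fee94ce91b10dfd3b24186f9ea51172dc32b1a687f344a984a108257a48.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\constructed-value-name"),
    Event("process", 4976, 3200, TEMP + r"IXP000.TMP\x7578539.exe",
          sha256="60462f5e7688f3437ee1fe1f9eda0ce061a48251c51722d68473a653a9705b99"),
    Event("process", 1976, 4976, TEMP + r"IXP001.TMP\g1238654.exe",
          sha256="7d4897cfb4ef83cb0316584a3b8d836555b9c3d55a8b2def6f20e3bf8e160cf8"),
    # constructed: the report's Network section is empty, the socket comes from the config
    Event("network", 1976, 4976, TEMP + r"IXP001.TMP\g1238654.exe", target=C2_SOCKET),
    # constructed extra stage with an unknown hash: caught by the IXP path heuristic only
    Event("process", 5555, 1976, TEMP + r"IXP002.TMP\unknown.exe", sha256="11" * 32),
    # benign controls
    Event("process", 2222, 1000, r"C:\Windows\System32\notepad.exe", sha256="00" * 32),
    Event("network", 2222, 1000, r"C:\Windows\System32\notepad.exe", target="8.8.8.8:53"),
]

if __name__ == "__main__":
    for pid, tag, detail in match_events(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {tag:<10} {detail}")
    print(" -> ".join(dropper_chain(SAMPLE_EVENTS, 1976)))
```

The hash lookup is the high-confidence signal; the IXP-directory regex is the generalisation, since the same IExpress wrapper pattern shows up with different payload hashes, so it is worth keeping as a lower-severity rule alongside the Run-key and C2 matches.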