Analysis

max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:20

Static task: static1
Behavioral task: behavioral1
Sample: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
Resource: win10v2004-20241007-en
General

Target: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
Size: 479KB
MD5: 4069559032ea795c8a43ccee65abb19d
SHA1: 718b20d02db74a8f4a16671a347fbe08e377ea5e
SHA256: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2
SHA512: 5160daaa7f387503e19fb207583d21d0c37b8438543382d63273b54bc3a4310f7207479fdbc7f67ba254ef8d53f3d06e5bab9427c1c23998d6ebc64a37aee23e
SSDEEP: 12288:bMrOy90PN2n073XJRMIn+B3SUHBG+J7XGewpOeakzA:ty440DIy+NSuB3lXRwpOeaiA
Malware Config

Extracted
redline
ditro
217.196.96.101:4132
auth_value: 8f24ed370a9b24aa28d3d634ea57912e
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x0008000000023ca0-12.dat | family_redline
behavioral1/memory/4920-15-0x0000000000820000-0x0000000000850000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
Processes: x8626695.exe, g5843243.exe
pid | Process
1856 | x8626695.exe
4920 | g5843243.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe, x8626695.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x8626695.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe, x8626695.exe, g5843243.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x8626695.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | g5843243.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe, x8626695.exe
description | pid | Process | procid_target
PID 5004 wrote to memory of 1856 | 5004 | 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe | 83
PID 5004 wrote to memory of 1856 | 5004 | 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe | 83
PID 5004 wrote to memory of 1856 | 5004 | 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe | 83
PID 1856 wrote to memory of 4920 | 1856 | x8626695.exe | 85
PID 1856 wrote to memory of 4920 | 1856 | x8626695.exe | 85
PID 1856 wrote to memory of 4920 | 1856 | x8626695.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5004

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1856

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4920
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 307KB
MD5: 1bc943f3418c4ef680705e0a51faa64d
SHA1: d54ec4984111bf0aeeb4f583fce4c7bc15cac760
SHA256: c91aeac760d8fa71e3210000774565ad493702c53935d23a27c60520a12533e6
SHA512: aecdfb3b31cce92a08fd312dd564a24bfa0fe1803ddc7310ef12b70250136b71714ebcd205c29e4e07468c2a86471dad3bf104e87ffdcdf5783587b417ad23ed

Filesize: 168KB
MD5: 92a1ceb8c7a57cf57d93391b495acae2
SHA1: 399707d1e7b2c4df189cc7baa0c07a46d485d2d5
SHA256: 90a9e0af28a780e57606a6bb72935f64ee75ba2050c8ae376c19659821217828
SHA512: 8bd1f3de0d1b7318a35451d6b6e53bd827b5d8f7adbb963fe5c5e718d68c8d3c2325720c9827cc6589b0d2758ca153be6e91b8fa92edebbe43b864cff1a254af