Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:20

General

  • Target

    35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe

  • Size

    479KB

  • MD5

    4069559032ea795c8a43ccee65abb19d

  • SHA1

    718b20d02db74a8f4a16671a347fbe08e377ea5e

  • SHA256

    35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2

  • SHA512

    5160daaa7f387503e19fb207583d21d0c37b8438543382d63273b54bc3a4310f7207479fdbc7f67ba254ef8d53f3d06e5bab9427c1c23998d6ebc64a37aee23e

  • SSDEEP

    12288:bMrOy90PN2n073XJRMIn+B3SUHBG+J7XGewpOeakzA:ty440DIy+NSuB3lXRwpOeaiA

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes
  • auth_value

    8f24ed370a9b24aa28d3d634ea57912e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe
    "C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe

    Filesize

    307KB

    MD5

    1bc943f3418c4ef680705e0a51faa64d

    SHA1

    d54ec4984111bf0aeeb4f583fce4c7bc15cac760

    SHA256

    c91aeac760d8fa71e3210000774565ad493702c53935d23a27c60520a12533e6

    SHA512

    aecdfb3b31cce92a08fd312dd564a24bfa0fe1803ddc7310ef12b70250136b71714ebcd205c29e4e07468c2a86471dad3bf104e87ffdcdf5783587b417ad23ed

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe

    Filesize

    168KB

    MD5

    92a1ceb8c7a57cf57d93391b495acae2

    SHA1

    399707d1e7b2c4df189cc7baa0c07a46d485d2d5

    SHA256

    90a9e0af28a780e57606a6bb72935f64ee75ba2050c8ae376c19659821217828

    SHA512

    8bd1f3de0d1b7318a35451d6b6e53bd827b5d8f7adbb963fe5c5e718d68c8d3c2325720c9827cc6589b0d2758ca153be6e91b8fa92edebbe43b864cff1a254af

  • memory/4920-14-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

  • memory/4920-15-0x0000000000820000-0x0000000000850000-memory.dmp

    Filesize

    192KB

  • memory/4920-16-0x0000000002A10000-0x0000000002A16000-memory.dmp

    Filesize

    24KB

  • memory/4920-17-0x000000000ABC0000-0x000000000B1D8000-memory.dmp

    Filesize

    6.1MB

  • memory/4920-18-0x000000000A6B0000-0x000000000A7BA000-memory.dmp

    Filesize

    1.0MB

  • memory/4920-19-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

    Filesize

    72KB

  • memory/4920-20-0x000000000A620000-0x000000000A65C000-memory.dmp

    Filesize

    240KB

  • memory/4920-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4920-22-0x0000000004B60000-0x0000000004BAC000-memory.dmp

    Filesize

    304KB

  • memory/4920-23-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

  • memory/4920-24-0x0000000074400000-0x0000000074BB0000-memory.dmp

    Filesize

    7.7MB