Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe
- Resource: win10v2004-20241007-en
General
- Target: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe
- Size: 479KB
- MD5: c03a24f923d92493bdc99dfab8660886
- SHA1: 0bae07bfef8d60ee5cfa550d59135a6032dfb95c
- SHA256: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d
- SHA512: 80d960f58b6531963b98468fd3bc9e63f4d308c0f3f51ba55b63e49d73e58ef77ec9f3a0538c1abdab63f640715e6f0e7dac3b07f0a97b6f2c5abb49e9a4dacf
- SSDEEP: 12288:eMrcy90u4uYFMLskShKMTHmQ9SIBE2hx:OyR0FMLskmbyWSSH
Malware Config
Extracted
- redline
- douma
- 217.196.96.101:4132
- auth_value: e7c0659b5f9d26f2f97df8d25fefbb44
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  - behavioral1/files/0x0008000000023cc0-12.dat: yara_rule family_redline
  - behavioral1/memory/4032-15-0x0000000000A20000-0x0000000000A4E000-memory.dmp: yara_rule family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  - PID 4808: x1578292.exe
  - PID 4032: g5894522.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x1578292.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: x1578292.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: g5894522.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3492 wrote to memory of 4808 (process: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe, procid_target: 83)
  - PID 3492 wrote to memory of 4808 (process: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe, procid_target: 83)
  - PID 3492 wrote to memory of 4808 (process: 134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe, procid_target: 83)
  - PID 4808 wrote to memory of 4032 (process: x1578292.exe, procid_target: 84)
  - PID 4808 wrote to memory of 4032 (process: x1578292.exe, procid_target: 84)
  - PID 4808 wrote to memory of 4032 (process: x1578292.exe, procid_target: 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe (PID 3492; command line: "C:\Users\Admin\AppData\Local\Temp\134ad9ef81867e291d97258316dbdf03aaee6e896f5e8f1ec5662caa01ca488d.exe")
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1578292.exe (PID 4808; command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1578292.exe)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5894522.exe (PID 4032; command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5894522.exe)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 308KB
  - MD5: d3a978e13a4cd950b05ac570729b84ac
  - SHA1: 549eac3459014125ae3456ae65e54fd0e13e211b
  - SHA256: 1cac9336e0e71e2c5cc5fc6c9ae3eec397285a54265447edcd504bbce0d48a8b
  - SHA512: 68cdb33589e70f43b81ed7f75d37975a0cbb699135a0d4d22a012676134377d804fd77e3b012cad4d6188e4df6cdcaa4e9dc17db8763f5302d709ce10706efb9
- Filesize: 168KB
  - MD5: 1680eb2a1d9625a0aa39dd7a186389da
  - SHA1: 55e9806f9021fb75cb3f602da01c010ecc228021
  - SHA256: 2360c70895716ed59b94015e6a1c1e1d6d1a0da222d76a5b248d11e28872899d
  - SHA512: 83472d4295fd4d514319a2a9607326de522b61b59d6eeae06f871fbb5c73f7e322ab7e645b13c18d2ad7d1618669515b574522d1128b14d4c7362b9f0b1bc740