Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:19
Static task: static1
Behavioral task: behavioral1
Sample: 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe
Resource: win10v2004-20241007-en
General
Target: 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe
Size: 599KB
MD5: a80fb2147d7eb35500533465c2744e35
SHA1: 99e13eb5576c6b45948ec973a85c63ca23de1ee5
SHA256: 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac
SHA512: cc338cd4cc98da745caf889e641cd9e72e709359672cd08dc5a52ab322f749a6fdc842116509a74b4a304687839943bb10c49786df73f73c13c3210f97d09971
SSDEEP: 12288:AMrSy90VkBq7s24NrQKGwXBzGXjbK8dqGuSdGRGMJTIcSVwrgS:CyOeqO/GuGjbK8dqGnMA69rgS
Malware Config
Extracted (redline)
redline
daris
217.196.96.56:4138
auth_value: 3491f24ae0250969cd45ce4b3fe77549
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Resource | YARA rule
behavioral1/files/0x0008000000023cb3-12.dat | family_redline
behavioral1/memory/4540-15-0x0000000000520000-0x000000000054E000-memory.dmp | family_redline

Redline family

Executes dropped EXE (2 IoCs)
PID | Process
4828 | y2993497.exe
4540 | k0661165.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y2993497.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y2993497.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | k0661165.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Description | PID | Process | procid_target
PID 2752 wrote to memory of 4828 | 2752 | 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe | 83
PID 2752 wrote to memory of 4828 | 2752 | 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe | 83
PID 2752 wrote to memory of 4828 | 2752 | 9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe | 83
PID 4828 wrote to memory of 4540 | 4828 | y2993497.exe | 84
PID 4828 wrote to memory of 4540 | 4828 | y2993497.exe | 84
PID 4828 wrote to memory of 4540 | 4828 | y2993497.exe | 84
Processes

1. "C:\Users\Admin\AppData\Local\Temp\9c3a82bb2ec2bc90ee7d7cb8b7fe94641f52e903fd03f4e255b6854e8cfd7cac.exe" (PID 2752)
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2993497.exe (PID 4828)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0661165.exe (PID 4540)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 308KB
MD5: 202ae23c111cf990ac571f6017062976
SHA1: 41712a04891bce64fd857154ae17b2566b39e1b7
SHA256: 9e9ab6f3d93c946a4f1230d20b620d31561e3c7924a9e2bc60f54ecdf1eaaf43
SHA512: e3cf68af6a44559013494f4617f179855a92d5822c19103db16b977f3e683e6fa14fc0327d0e29da4f19bf1e445e9811e375580a7999c9dfeac2648a59e3dbfc

Filesize: 168KB
MD5: 8ad88705fe6f875ff8df748bae571dd2
SHA1: 19878b96c71e6015d39f1523ab9d8da158efe609
SHA256: 9e4ca5306371fea96fba6d7318f2ada71b3de7504b6e0f1e85004675e169d848
SHA512: 023580b685baf8e293a6cdafa9f2e923b71018662071a5d11243f46861059f183709e103d1ae2368e7450f07c0bba9355e5aee32c0a1b6626955de281242b58a