Analysis
max time kernel: 110s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 04:14
Static task: static1
Behavioral task: behavioral1
Sample: 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe
Resource: win10v2004-20241007-en
General
Target: 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe
Size: 849KB
MD5: af132fadf608c73fc4ddfaa98df13520
SHA1: 9564565d0042c039d257ef895b9978bba03d4ea4
SHA256: 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56
SHA512: d953c2f1df7bab3820452009c1b8ea094d0b6727bc4d7920a1d778251202304af5ec737b6f38214556b6e58258e74ce6313fa73354338037fd8031c23277c0f0
SSDEEP: 12288:Wy90ervNXyqd4+B2waghPTUCqdjPLO6kDrB8dP740V5X2KE5fcCQVERQnrLORoG:WyVrRfBj2HPLO6aBsnXX2KEbQaRQ/Qt
Malware Config
Extracted: redline
gena
185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07

Extracted: redline
dante
185.161.248.73:4164
auth_value: f4066af6b8a6f23125c8ee48288a3f90
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/3832-2169-0x0000000005620000-0x0000000005652000-memory.dmp | family_redline
behavioral1/files/0x0002000000022a9f-2174.dat | family_redline
behavioral1/memory/5416-2182-0x0000000000710000-0x000000000073E000-memory.dmp | family_redline
behavioral1/files/0x0007000000023c9f-2194.dat | family_redline
behavioral1/memory/6032-2196-0x00000000006C0000-0x00000000006F0000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | p44394681.exe

Executes dropped EXE (4 IoCs)
pid | Process
776 | y04544554.exe
3832 | p44394681.exe
5416 | 1.exe
6032 | r13418861.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y04544554.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5868 | 3832 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p44394681.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | r13418861.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | y04544554.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3832 | p44394681.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3684 wrote to memory of 776 | 3684 | 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe | 83
PID 3684 wrote to memory of 776 | 3684 | 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe | 83
PID 3684 wrote to memory of 776 | 3684 | 8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe | 83
PID 776 wrote to memory of 3832 | 776 | y04544554.exe | 84
PID 776 wrote to memory of 3832 | 776 | y04544554.exe | 84
PID 776 wrote to memory of 3832 | 776 | y04544554.exe | 84
PID 3832 wrote to memory of 5416 | 3832 | p44394681.exe | 88
PID 3832 wrote to memory of 5416 | 3832 | p44394681.exe | 88
PID 3832 wrote to memory of 5416 | 3832 | p44394681.exe | 88
PID 776 wrote to memory of 6032 | 776 | y04544554.exe | 92
PID 776 wrote to memory of 6032 | 776 | y04544554.exe | 92
PID 776 wrote to memory of 6032 | 776 | y04544554.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8a26a95e8e2dc5a35cd4c094da0269d9962636abd2c6c273451adb59023e7e56N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3684

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04544554.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y04544554.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 776

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p44394681.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p44394681.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3832

            C:\Windows\Temp\1.exe
              command line: "C:\Windows\Temp\1.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 5416

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1212
              - Program crash
              PID: 5868

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r13418861.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r13418861.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 6032

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3832 -ip 3832
  PID: 1088
Network
MITRE ATT&CK Enterprise v15
Downloads