Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 05:00
General
-
Target
f2e71aa6592b015be506f0b168900798b1c1530fb246cbe51f138b7ae3108751.exe
-
Size
759KB
-
MD5
948ec53b49e9c00c8cd24af5f7b97b3c
-
SHA1
ee708548a62b3cd3332f107836227e28110038e7
-
SHA256
f2e71aa6592b015be506f0b168900798b1c1530fb246cbe51f138b7ae3108751
-
SHA512
fe53c56b581410885821d8527829447bdf0ab4fee7f7eedd20a375a5821840ebe276f7054518331ecf7adf09afdfcdf438c61c875915e5931d081dc134436106
-
SSDEEP
12288:YMrZy90LRMNJ4b2OjNUZdN8veEFKwinONsEvnom4G6VS0AEoEOyr32+C:ByIMn4r5s6v3I4OuozbSXEDOGA
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2e71aa6592b015be506f0b168900798b1c1530fb246cbe51f138b7ae3108751.exe"C:\Users\Admin\AppData\Local\Temp\f2e71aa6592b015be506f0b168900798b1c1530fb246cbe51f138b7ae3108751.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFS13.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vFS13.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vLv29.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vLv29.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyV94.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dyV94.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
655KB
MD5d89643e31b877a241edc5e35493a966e
SHA159e4fd3e6b182d5512f3c5c66c6652362c20c995
SHA2568974ee4384c7e66d9109c75c7af1870b0c313e18e0645f4fccaf4b401c2b057c
SHA512bb1af3275543d69094928c0dff8cf30cc3234f35552cf064ab31edf4d36b2f0d758b3b163e58963778e4b070062fd503a1c1ac07b9721182ad0e784a98a88ad2
-
Filesize
509KB
MD567a1a7cae6ea3b65bfd86312c65b2c50
SHA137e7729ae113353602a9798b3a14c13c6f669178
SHA2564ecf3f6da745d90f98134512bfb0ab0513086ce2fce33fbce968a80150ea61d3
SHA512da06322dcd2c7ea86148f731c10aa929b03178e0591e34338f2cca54204fb979d22d3fdd383cd244578b790cfc9ab9e8cad50c948d7c4b391cd94a4163b8677d
-
Filesize
281KB
MD51b3f6a341b4fa013cf3f377b3ef4f6f8
SHA1a6cf129e55830409609df13609f2656774809e20
SHA2567dab4b2c0841de1211db5d5f75e86c72efdf53fd445d4ccde2dc47f41d1ae65c
SHA512b0c2b67f97cbdb58964a34de534c1c124e3566b1292c8994d7458bfb9372eeeab88f9537bf668865dcf4fba82d467149e24c830d5d8e7362c5b10ae125387417
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB