Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 05:04
Static task
static1
Behavioral task
behavioral1
Sample
149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe
Resource
win10v2004-20241007-en
General
-
Target
149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe
-
Size
467KB
-
MD5
3c509f1f058dc2297873ed8a2f18071a
-
SHA1
da16e369fffbdc33edd448584636f801abe8a05d
-
SHA256
149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b
-
SHA512
f9fc020d45a96a26a2001c0e2619203f944d6201c0d24813ea0bb7663bc3141c8fc4bccec6da5e58c9e2154e82fcb23c1ac4201fb6c55ae189e3ccd5b2896f47
-
SSDEEP
6144:KBy+bnr+/p0yN90QEYeGuk9lrPEfhLoIXVM4OgpcWcO/F1E3LxgRipVh0ZtQwg:jMrDy90m59t8hrXVMhtkKL+gvh0ZO/
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0009000000023c20-12.dat family_redline behavioral1/memory/4044-15-0x0000000000C90000-0x0000000000CC2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nQA94.exebHy32.exepid Process 4984 nQA94.exe 4044 bHy32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nQA94.exe149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nQA94.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exenQA94.exebHy32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nQA94.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bHy32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exenQA94.exedescription pid Process procid_target PID 2236 wrote to memory of 4984 2236 149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe 83 PID 2236 wrote to memory of 4984 2236 149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe 83 PID 2236 wrote to memory of 4984 2236 149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe 83 PID 4984 wrote to memory of 4044 4984 nQA94.exe 85 PID 4984 wrote to memory of 4044 4984 nQA94.exe 85 PID 4984 wrote to memory of 4044 4984 nQA94.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe"C:\Users\Admin\AppData\Local\Temp\149f7c286c46b79c06d98f0b8298f5ab81bcf09fd905cd8d41f838fb47e9c97b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQA94.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQA94.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHy32.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHy32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5c49b45cfe793a030905e3fd61a2f7114
SHA1771f85765684463d50298ac8ad8e7c45d2ce97ff
SHA2568e303223300e04566735a227e451a927c8669168642d2c82846d283dc16d6a0f
SHA5126715703f9263809619cff2e1c50a4008b3a4ce223a56a0f1096abf100965ba0ae2a0433518d4fe47b0e06313c4e0a4487a50fe75ec69f6acfd3e134adb39184d
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec