Analysis
-
max time kernel
105s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 05:41
Static task
static1
Behavioral task
behavioral1
Sample
d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe
Resource
win10v2004-20241007-en
General
-
Target
d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe
-
Size
551KB
-
MD5
52837851fffa2d53aa6d156ab802ffd0
-
SHA1
5d9954dcdc5e6c9701d8910d480dc0e35a874554
-
SHA256
d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0ee
-
SHA512
8ec412e5fed2220f2bb11ef35faa12baad4bf44ebe4ae855a2196791e5d627454e96401b907aa0044c7a1e14c08b0fa15071d7df66c25aa67abbf66c4eae4fa7
-
SSDEEP
12288:SMrwy90IlKVWzNKdryQl+W6AMrERFEhkiUW5/fBMj:OyDwVHdmfYTEh/F/ZMj
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023caf-12.dat family_redline behavioral1/memory/2524-15-0x00000000006C0000-0x00000000006F2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nXX45.exebDc71.exepid Process 228 nXX45.exe 2524 bDc71.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nXX45.exed9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nXX45.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bDc71.exed9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exenXX45.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bDc71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nXX45.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exenXX45.exedescription pid Process procid_target PID 844 wrote to memory of 228 844 d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe 83 PID 844 wrote to memory of 228 844 d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe 83 PID 844 wrote to memory of 228 844 d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe 83 PID 228 wrote to memory of 2524 228 nXX45.exe 84 PID 228 wrote to memory of 2524 228 nXX45.exe 84 PID 228 wrote to memory of 2524 228 nXX45.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe"C:\Users\Admin\AppData\Local\Temp\d9ac33b48c2a673b2ab8d9d460b87e26340c799f6e905bffb7b8f7f9e3b6a0eeN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXX45.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nXX45.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bDc71.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bDc71.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5da5ffbda64342b2c7184e1a7cfc1f2e3
SHA143dd0b7f05d2c23aae1c2ac10b3498ae4f952faf
SHA256a038e5a1ded14c60cb109820c021bf66727267b777cad121cb109eb13ae3c661
SHA5121f1ffe632f7cd3a918cd282bfdbab2787c9ae72ccfdb26c2900db3ccd57bec5953db9a893efecf79239b56fba709b82cc69fc132634e74da10d24779ec1e4554
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec