Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 05:47
Static task
static1
Behavioral task
behavioral1
Sample
552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe
Resource
win10v2004-20241007-en
General
-
Target
552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe
-
Size
474KB
-
MD5
9e021cc5045e6dc9e7b54296ed0bfcea
-
SHA1
c616d51b5e8cb15a44b999587c5d6874a6dc1882
-
SHA256
552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594
-
SHA512
07bfba53ba4d3de2529c9bcc1dc07b5b260286b6ccf290089210ee5a2c68587083a252cea8746768101bf2512c5f3826a31d4bbc91ceb7fd75abb2f2d43263d5
-
SSDEEP
12288:qMrny90F2BLA0E7k4V1+Xyqm31pdBHS/N0:lya27E7yy7zBoK
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cb7-12.dat family_redline behavioral1/memory/3888-15-0x0000000000CF0000-0x0000000000D22000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nYs61.exebUb76.exepid Process 5084 nYs61.exe 3888 bUb76.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exenYs61.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nYs61.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
nYs61.exebUb76.exe552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nYs61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bUb76.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exenYs61.exedescription pid Process procid_target PID 1880 wrote to memory of 5084 1880 552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe 83 PID 1880 wrote to memory of 5084 1880 552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe 83 PID 1880 wrote to memory of 5084 1880 552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe 83 PID 5084 wrote to memory of 3888 5084 nYs61.exe 84 PID 5084 wrote to memory of 3888 5084 nYs61.exe 84 PID 5084 wrote to memory of 3888 5084 nYs61.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe"C:\Users\Admin\AppData\Local\Temp\552e917e4e5d0cf37d1b40d3995a5ab41d59a835087f306843b6f0d1f94a5594.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYs61.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYs61.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bUb76.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bUb76.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD550191e2e853459c168bcebdde689a4bd
SHA119e3b6e12e41363751c8fdb0c2e8c00ec0a41bd7
SHA2564ac99989e7c825f53351996a51c6daa17e88f63031acd85e48bc175fad487dd3
SHA512ce76dd337ea653684a2530bbb73b4b5a5e0ed2a87fe15878df48bd6802b4c2e3322c46213e5deac599a154574b2e96380585664247043c5f01318a52f22114ab
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec