Analysis
-
max time kernel
131s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe
Resource
win10v2004-20241007-en
General
-
Target
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe
-
Size
478KB
-
MD5
72c7ac8a4b48c162659285df0e02f500
-
SHA1
a4ca273438d5a8dd414c3968d3ae777d0fea2850
-
SHA256
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0a
-
SHA512
2dacdba87bceeeea977eafb3580075ddd249ba3c24000aa5990827982ff4c044ca679a62c0f3ee8511bfde94bd7f245282a6ceb3d437e58abfb4605d57c40819
-
SSDEEP
6144:KQy+bnr+up0yN90QEfz+MDRWWnvGmoSY9MYIDHx7LMdk4q9tBFFEB1IR6NArllOc:UMrGy90xz+WRcIDHx7LZF+58t
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023ca4-12.dat family_redline behavioral1/memory/4356-15-0x0000000000610000-0x0000000000642000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nsM35.exebjm52.exepid Process 1576 nsM35.exe 4356 bjm52.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exensM35.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nsM35.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exensM35.exebjm52.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nsM35.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjm52.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exensM35.exedescription pid Process procid_target PID 464 wrote to memory of 1576 464 9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe 83 PID 464 wrote to memory of 1576 464 9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe 83 PID 464 wrote to memory of 1576 464 9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe 83 PID 1576 wrote to memory of 4356 1576 nsM35.exe 84 PID 1576 wrote to memory of 4356 1576 nsM35.exe 84 PID 1576 wrote to memory of 4356 1576 nsM35.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe"C:\Users\Admin\AppData\Local\Temp\9efd7344a1d8e914bdd2e4052308de3427bd77dd05207b619ce4760a4acc6c0aN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsM35.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsM35.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bjm52.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bjm52.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5de947540ea864821d2d5ec96cb1c064f
SHA1e000ed4d3099310b7cde6b0fd77577348267186a
SHA256dc3f106611d7ff5321de06e2582e90ddc258e691728f2437a77768626674f8e6
SHA512ca87715ae55d7d44e1351ead4d34328d5f026423ee22b6278d1524867dd2af30296351818330676c95d0380e0c6563e62ac5ef4a5f57a876197c5ac87c6ce808
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec