Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 06:11
Static task
static1
Behavioral task
behavioral1
Sample
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe
Resource
win10v2004-20241007-en
General
-
Target
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe
-
Size
478KB
-
MD5
ecb4f498727f14dfb7a4b3e398500d55
-
SHA1
2ffd3b25b096ab0e33a43d52757526922cf708ea
-
SHA256
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f
-
SHA512
1aa2d9e2859c7f86a706f1fba4a5110391a7daec1a3dedf6fed174834ca5ad097d177d4ffec9b10cf3323a6fc23de0fa74710242432b656ba82d30e8da2be2d4
-
SSDEEP
6144:Koy+bnr+Sp0yN90QEW0ilVMInRB3Ne+EzKgOMV2cU9W4itC5LxJg2MSGz04FHqCm:MMray90s0ilVb8+sKgO+89WPUxW/1CB
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023c9e-13.dat family_redline behavioral1/memory/2984-15-0x0000000000F40000-0x0000000000F72000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nlk69.exebZh75.exepid Process 4996 nlk69.exe 2984 bZh75.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exenlk69.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nlk69.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exenlk69.exebZh75.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlk69.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bZh75.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exenlk69.exedescription pid Process procid_target PID 1208 wrote to memory of 4996 1208 f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe 83 PID 1208 wrote to memory of 4996 1208 f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe 83 PID 1208 wrote to memory of 4996 1208 f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe 83 PID 4996 wrote to memory of 2984 4996 nlk69.exe 85 PID 4996 wrote to memory of 2984 4996 nlk69.exe 85 PID 4996 wrote to memory of 2984 4996 nlk69.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe"C:\Users\Admin\AppData\Local\Temp\f30edb49328c9ae62de66c17a55d29f4c4025f47a337fa7ae0fdb2c2a9252d8f.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlk69.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nlk69.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZh75.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZh75.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5f46207910f82dd37806e85c4dab897fe
SHA1645f7ca9499892f23b10c2548ca66238ac2c19de
SHA25610ca045c0b189cf5863407d3f5ff3c8238aca407706f3c6ca472edbe13f1b00b
SHA5121d71cf737af3f773807b577b845bf08d448a045c05b2cb6b85f3232294c66c6643bbdcfef70d9e25111760bec43e518926f037abb3c9a9fb7551aa085def5d42
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec