Analysis
-
max time kernel
135s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 07:15
Static task
static1
Behavioral task
behavioral1
Sample
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe
Resource
win10v2004-20241007-en
General
-
Target
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe
-
Size
477KB
-
MD5
48323158894b3f834f814cc1c1d2903e
-
SHA1
69b1e00b1af2b9fbdfd78ddbea1d7db6569fbc81
-
SHA256
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd
-
SHA512
da0be7b87c9fe3ead0dddf3917a3a4769241f46fbe3da7b19c973406aa6fde00cd393fbbc7680fad71e36f6e2fb48f62608d11cf8f6d412228596a5e72f69ccc
-
SSDEEP
12288:EMr9y908i2/CTHmirIfJdYk+ToxtSEsrANc:ZynixGiQPYk4xt
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b88-12.dat family_redline behavioral1/memory/1236-15-0x0000000000DA0000-0x0000000000DD2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nnz21.exebka82.exepid Process 3544 nnz21.exe 1236 bka82.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exennz21.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nnz21.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exennz21.exebka82.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnz21.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bka82.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exennz21.exedescription pid Process procid_target PID 2264 wrote to memory of 3544 2264 c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe 83 PID 2264 wrote to memory of 3544 2264 c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe 83 PID 2264 wrote to memory of 3544 2264 c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe 83 PID 3544 wrote to memory of 1236 3544 nnz21.exe 84 PID 3544 wrote to memory of 1236 3544 nnz21.exe 84 PID 3544 wrote to memory of 1236 3544 nnz21.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe"C:\Users\Admin\AppData\Local\Temp\c3af3b3e257b6b95fc595e537c878958a95dcfacdaa2bd9bf269777066b02dbd.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnz21.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nnz21.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bka82.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bka82.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5629d91287b7be666838d252779ceb061
SHA102ced8fd1a05a21b12ac35a50079ec2f9244eeab
SHA256a0c060e633d10124acc72f47266b26da5d3235c417a981e510f6886b0ca31b46
SHA51280b105baf2f055be8c89d2d9a19715ac3682559116c09550c618e14e1276405a721e9a36e8d4e7f43a3d3f164b75e93babe46f5f39ac85a6dc4cb3f1952f753f
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec