Analysis
-
max time kernel
131s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 07:21
Static task
static1
Behavioral task
behavioral1
Sample
400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe
Resource
win10v2004-20241007-en
General
-
Target
400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe
-
Size
481KB
-
MD5
3524a785527eb064a14c7a386a8760af
-
SHA1
40b746a915df6c493090a1c96fd63e873093c350
-
SHA256
400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a
-
SHA512
8df09da0e8b50971aa044add2eecd233a39d62dfebbd0b507971be5638d4035dde39ef557e0f856b1c1b310934cb2de27b760f7b6b5a3ab15023ce8ddfe7cc2f
-
SSDEEP
6144:Kpy+bnr+pp0yN90QE1q6jPXRukBFTiA2LnJokOZa2NYQEPzwHztisxcsDnL4udku:HMrBy90u6LX/z+o5nYQhHhiCzLVTozW
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023ccd-12.dat family_redline behavioral1/memory/508-15-0x0000000000AF0000-0x0000000000B22000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nrP56.exebfl52.exepid Process 2068 nrP56.exe 508 bfl52.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nrP56.exe400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nrP56.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bfl52.exe400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exenrP56.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfl52.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrP56.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exenrP56.exedescription pid Process procid_target PID 4152 wrote to memory of 2068 4152 400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe 84 PID 4152 wrote to memory of 2068 4152 400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe 84 PID 4152 wrote to memory of 2068 4152 400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe 84 PID 2068 wrote to memory of 508 2068 nrP56.exe 85 PID 2068 wrote to memory of 508 2068 nrP56.exe 85 PID 2068 wrote to memory of 508 2068 nrP56.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe"C:\Users\Admin\AppData\Local\Temp\400980f5bc2f7565b323bf3688e024ee054505140113321bdb74b718a2f9544a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrP56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrP56.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfl52.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfl52.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:508
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5dab1a8b060d4d6c59dccb98ba1b1c871
SHA1557bc5949d4ace60d2d560533d1b8bb19c3b8890
SHA256645281707463d71d80ea2271c72b1863bbe23b7abb8552532dde7b74f6bd98d8
SHA512e114f8a956869467f2f64afffc7e0b7372b2274eb665355e8282183a6ccc2d9f06c9fe200aa82c14c6d4e228db89883c17d63330c5483f206a3b55b4ce2d6f8f
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec