Analysis
-
max time kernel
137s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 06:48
Static task
static1
Behavioral task
behavioral1
Sample
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe
Resource
win10v2004-20241007-en
General
-
Target
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe
-
Size
481KB
-
MD5
c0580cf1b263f7251beb687651d946db
-
SHA1
98cb814310a0030809477985a7cfc09317e622ca
-
SHA256
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005
-
SHA512
0cade4ccde024246bdcfc68a5a55e993e2b461fad1cb852b2cabe3f67c21b3cbf3cef893619048867735ce35404700c2e203b7f5e88f1a6b6d96ab9b9b382024
-
SSDEEP
6144:KSy+bnr++p0yN90QEK01g7JDYa7DYKeq4Kkxi6xIg0Hlbo9Y3TWhHu1mzgUtkNtI:mMray90pg7hYeWO0isIgKUYDIOo7+YF
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b7d-12.dat family_redline behavioral1/memory/4244-15-0x0000000000C50000-0x0000000000C82000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nPF10.exebER76.exepid Process 1700 nPF10.exe 4244 bER76.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exenPF10.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nPF10.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exenPF10.exebER76.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nPF10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bER76.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exenPF10.exedescription pid Process procid_target PID 2144 wrote to memory of 1700 2144 b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe 83 PID 2144 wrote to memory of 1700 2144 b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe 83 PID 2144 wrote to memory of 1700 2144 b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe 83 PID 1700 wrote to memory of 4244 1700 nPF10.exe 84 PID 1700 wrote to memory of 4244 1700 nPF10.exe 84 PID 1700 wrote to memory of 4244 1700 nPF10.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe"C:\Users\Admin\AppData\Local\Temp\b394bd1188623edd974ae013ecb79e618f811074eff7edf100327929fb3dd005.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nPF10.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nPF10.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bER76.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bER76.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4244
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD5c2df278304e747a3c9b1b3e878045dc6
SHA19e964846fac01d1ee1f5ab250e3b761e532c29fe
SHA2564dc86d5b6c35f62c632ee8734ec88a0f209dfdd9cd10edfbdea2c0e5e78fa19c
SHA51280331e5a3981a7019e4c2784215d8704304ec5078eae15f2e1d5aa26f31b211e8c9cff5c58c5814b1fa7ecedfc30f984a4924c58ecaeb4b8dd6d545899eca48b
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec