Analysis
- max time kernel: 131s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 06:53

Static task: static1
Behavioral task: behavioral1
- Sample: 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe
- Resource: win10v2004-20241007-en
General
- Target: 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe
- Size: 474KB
- MD5: e3e1952c13b28de0a788a548d5403aca
- SHA1: d6197de83657d75786dbd9fa53fe482526847a67
- SHA256: 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c
- SHA512: ec15cb99d9d903f0ca44582bf6c7b4d8b3a4c391768844dab79948c3da57255ccd9afc7315e0348b529c88af0b877b9f6cd69abc97b983a716e4421fbe0fb4bc
- SSDEEP: 12288:JMrGy90DAGghTCy4U0eUjBhyeyWPZehw:3yGgh2y1UjBhyeycYw
Malware Config
Extracted (family: redline)
- fusa
- 193.233.20.12:4132
- auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/files/0x0008000000023c8f-12.dat | family_redline
  behavioral1/memory/2960-15-0x0000000000100000-0x0000000000132000-memory.dmp | family_redline

- Redline family

- Executes dropped EXE (2 IoCs)
  Processes:
  pid | Process
  1924 | nBI79.exe
  2960 | bAU16.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | nBI79.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nBI79.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bAU16.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 4928 wrote to memory of 1924 | 4928 | 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe | 86
  PID 4928 wrote to memory of 1924 | 4928 | 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe | 86
  PID 4928 wrote to memory of 1924 | 4928 | 22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe | 86
  PID 1924 wrote to memory of 2960 | 1924 | nBI79.exe | 87
  PID 1924 wrote to memory of 2960 | 1924 | nBI79.exe | 87
  PID 1924 wrote to memory of 2960 | 1924 | nBI79.exe | 87
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22cbdde6a17885acf732a0f71738569009c6c93ccd74134aad5c14248b7ad92c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4928
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBI79.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBI79.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1924
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bAU16.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bAU16.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2960
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 200KB
  MD5: d3bb1c8ae114862bddd1f05adf051500
  SHA1: 9688685541aae8ed3101a32d0fedafc335cdbcf8
  SHA256: 05a5375bdf77586bc19ec619ada401175f2e190b86e6540740f66fb13879b03a
  SHA512: 1fe1d2845cc9d0f90daf702356adac8b23c889c885f8b641d38e880cd1b88931cbd06494ce045fff3dc372e54466cce801b9ba0d66c2892a77340d2ee02e6b40
- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec