Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 07:09
Static task
static1
Behavioral task
behavioral1
Sample
118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe
Resource
win10v2004-20241007-en
General
-
Target
118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe
-
Size
550KB
-
MD5
f059aaf21e7f3f3222cefdad237d3b72
-
SHA1
14fef842b554ef105321cf1b46b95b773444b254
-
SHA256
118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0
-
SHA512
4e2cfeba87226026d4d431b8f6bab77db32e36be86149dfc3f6638a9e85c4ef4880de6a15c37907debc2dbec2362f9b1747ce1fabb1b5ea72bfc27c494a8157d
-
SSDEEP
12288:vMrFy90tQel0MH9mh9d6cW91jiqg+aMivum6hW7JbOo:2y0J06khVC0R4Wp7
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023c97-12.dat family_redline behavioral1/memory/3268-15-0x0000000000070000-0x00000000000A2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
naD73.exebEs27.exepid Process 116 naD73.exe 3268 bEs27.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exenaD73.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" naD73.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bEs27.exe118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exenaD73.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bEs27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language naD73.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exenaD73.exedescription pid Process procid_target PID 2720 wrote to memory of 116 2720 118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe 83 PID 2720 wrote to memory of 116 2720 118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe 83 PID 2720 wrote to memory of 116 2720 118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe 83 PID 116 wrote to memory of 3268 116 naD73.exe 84 PID 116 wrote to memory of 3268 116 naD73.exe 84 PID 116 wrote to memory of 3268 116 naD73.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe"C:\Users\Admin\AppData\Local\Temp\118f99aafa48ae5abbee5d1819658ce11487d9ce7eb8bbc4af7f7ffd7daecbe0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\naD73.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\naD73.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bEs27.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bEs27.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3268
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5d4e6eb7ad4f953c04f4f719d4672ff8c
SHA129e72834de4e9dc69f8f05c376ca4dddd7e90953
SHA2565616c42dfa51a9f62e21c769c4c97a6e106067c5e789052aef318b67d058febf
SHA512a8e4fed0be8c67d9b756807884dd9a67fbbf782e01345310af03f4a3a5ffea5449b22bf3c1f60348c4715d4349bc2d15152e935e682b5d4969cef8a6327d5853
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec