Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 08:20

General

  • Target

    c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe

  • Size

    729KB

  • MD5

    56e8b51279f8068bcbc971c29cd423c9

  • SHA1

    8dea0cc7541bb43a31a6fd1def6dbcddc68dbb01

  • SHA256

    c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5

  • SHA512

    903c4b9094ade3dede1cc39080f5263d41e766452c6f7c8b29cdaf242127ac8dcb56aa82ce9e3e5620d7ae4f9e5d871db04b1f7d5042d18e8901523cd542bf57

  • SSDEEP

    12288:xMrny90vYSRG5vKWOFXhjewLVr88mJSIP7QWP2pL2y5xBssD1:OyuYSRG5vp0Xh3LJ88mJSIDH2tN1

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
    "C:\Users\Admin\AppData\Local\Temp\c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYk36yl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYk36yl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOW31lP.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOW31lP.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4576
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kOg58Yw.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kOg58Yw.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1600

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYk36yl.exe

    Filesize

    625KB

    MD5

    efc61d02a053278158b3ea16917fb749

    SHA1

    13b45346bdeaa1507ad905ada98527696bcb3910

    SHA256

    9f0bb4d47069d9e465ad24b1f318178dc190ed8cd7c591f90ab9d4e32eee9964

    SHA512

    266b444bdce42131d7d7962653811381a3ca0925c9f68032c4b6865071e2bdae982354e8b2112e853c9bc0b638ed6762af62bbf5ae4ef1481ac696aed3e1a2c5

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOW31lP.exe

    Filesize

    286KB

    MD5

    32fcee552b7d30456ed6f00e37322745

    SHA1

    b5c40037772fb692a439b8cec48b2808d727dd7b

    SHA256

    abfd8122ff104edc926b3da7d5616a92466be047b4002af5cfae59a8afce463c

    SHA512

    625b96ceb571062b734494ce216a5a59158c5ddc8fc1610345066861994979594671e67e86d7e24f78743a256c0cbeb44632680eedd7fd52e08a34aae08af6f7

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kOg58Yw.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/1600-21-0x00000000002A0000-0x00000000002D2000-memory.dmp

    Filesize

    200KB

  • memory/1600-22-0x00000000050C0000-0x00000000056D8000-memory.dmp

    Filesize

    6.1MB

  • memory/1600-23-0x0000000004C40000-0x0000000004D4A000-memory.dmp

    Filesize

    1.0MB

  • memory/1600-24-0x0000000004B70000-0x0000000004B82000-memory.dmp

    Filesize

    72KB

  • memory/1600-25-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

    Filesize

    240KB

  • memory/1600-26-0x0000000004D50000-0x0000000004D9C000-memory.dmp

    Filesize

    304KB