Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
10-11-2024 08:20
Static task
static1
Behavioral task
behavioral1
Sample
c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
Resource
win10v2004-20241007-en
General
Target
c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
Size
729KB
MD5
56e8b51279f8068bcbc971c29cd423c9
SHA1
8dea0cc7541bb43a31a6fd1def6dbcddc68dbb01
SHA256
c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5
SHA512
903c4b9094ade3dede1cc39080f5263d41e766452c6f7c8b29cdaf242127ac8dcb56aa82ce9e3e5620d7ae4f9e5d871db04b1f7d5042d18e8901523cd542bf57
SSDEEP
12288:xMrny90vYSRG5vKWOFXhjewLVr88mJSIP7QWP2pL2y5xBssD1:OyuYSRG5vp0Xh3LJ88mJSIDH2tN1
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/files/0x0008000000023ca8-19.dat                                  family_redline
behavioral1/memory/1600-21-0x00000000002A0000-0x00000000002D2000-memory.dmp  family_redline

Redline family

Executes dropped EXE 3 IoCs
Processes: sYk36yl.exe, sOW31lP.exe, kOg58Yw.exe
pid   Process
3080  sYk36yl.exe
4576  sOW31lP.exe
1600  kOg58Yw.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes: c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe, sYk36yl.exe, sOW31lP.exe
description      ioc                                                                                                                                                                                                         Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  sYk36yl.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  sOW31lP.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe, sYk36yl.exe, sOW31lP.exe, kOg58Yw.exe
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sYk36yl.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sOW31lP.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kOg58Yw.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe, sYk36yl.exe, sOW31lP.exe
description                       pid   Process                                                                 procid_target
PID 4432 wrote to memory of 3080  4432  c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe  85
PID 4432 wrote to memory of 3080  4432  c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe  85
PID 4432 wrote to memory of 3080  4432  c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe  85
PID 3080 wrote to memory of 4576  3080  sYk36yl.exe                                                             86
PID 3080 wrote to memory of 4576  3080  sYk36yl.exe                                                             86
PID 3080 wrote to memory of 4576  3080  sYk36yl.exe                                                             86
PID 4576 wrote to memory of 1600  4576  sOW31lP.exe                                                             87
PID 4576 wrote to memory of 1600  4576  sOW31lP.exe                                                             87
PID 4576 wrote to memory of 1600  4576  sOW31lP.exe                                                             87
Processes

C:\Users\Admin\AppData\Local\Temp\c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe
"C:\Users\Admin\AppData\Local\Temp\c8e9dcef5fd43d388a8126778a0e53d4543b4f07816a1a57d125d30b603323c5.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYk36yl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sYk36yl.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOW31lP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sOW31lP.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4576

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kOg58Yw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kOg58Yw.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:1600
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
625KB
MD5
efc61d02a053278158b3ea16917fb749
SHA1
13b45346bdeaa1507ad905ada98527696bcb3910
SHA256
9f0bb4d47069d9e465ad24b1f318178dc190ed8cd7c591f90ab9d4e32eee9964
SHA512
266b444bdce42131d7d7962653811381a3ca0925c9f68032c4b6865071e2bdae982354e8b2112e853c9bc0b638ed6762af62bbf5ae4ef1481ac696aed3e1a2c5

Filesize
286KB
MD5
32fcee552b7d30456ed6f00e37322745
SHA1
b5c40037772fb692a439b8cec48b2808d727dd7b
SHA256
abfd8122ff104edc926b3da7d5616a92466be047b4002af5cfae59a8afce463c
SHA512
625b96ceb571062b734494ce216a5a59158c5ddc8fc1610345066861994979594671e67e86d7e24f78743a256c0cbeb44632680eedd7fd52e08a34aae08af6f7

Filesize
175KB
MD5
da6f3bef8abc85bd09f50783059964e3
SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec