Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 08:33
Static task
static1
Behavioral task
behavioral1
Sample
bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe
Resource
win10v2004-20241007-en
General
-
Target
bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe
-
Size
481KB
-
MD5
de972f1232e771cda0c61df0b3b0c7d9
-
SHA1
ea95ea045d67ea23850ce7268370f89b3123df46
-
SHA256
bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71
-
SHA512
a60d78e6b82e75df20e027de5eb36509bee3947508346b5ca15c670caaca153932682669cdc3e435ede3844689004786e1e611b0a6c569596610adbae2ecfdec
-
SSDEEP
12288:GMrry90Z4Mt6Vw+JACh1b2RSr2V4fO1kPL:1ye4MYVjJACh1b4Sr2VNiD
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b78-12.dat family_redline behavioral1/memory/4276-15-0x0000000000A70000-0x0000000000AA2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nMT27.exebKY83.exepid Process 3908 nMT27.exe 4276 bKY83.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exenMT27.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nMT27.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bKY83.exebbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exenMT27.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bKY83.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nMT27.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exenMT27.exedescription pid Process procid_target PID 4764 wrote to memory of 3908 4764 bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe 83 PID 4764 wrote to memory of 3908 4764 bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe 83 PID 4764 wrote to memory of 3908 4764 bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe 83 PID 3908 wrote to memory of 4276 3908 nMT27.exe 84 PID 3908 wrote to memory of 4276 3908 nMT27.exe 84 PID 3908 wrote to memory of 4276 3908 nMT27.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe"C:\Users\Admin\AppData\Local\Temp\bbd5d61d85fc9ceda7db2334d16ef2f8f076304b92db0cd2510649453d507e71.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nMT27.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nMT27.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bKY83.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bKY83.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4276
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD540eb2a0aee4ccf655e4131f37910b014
SHA151de872f21c8d8ac217f8cf53e9442d2548da83f
SHA25617522e5ee99ac66ce4479f41207138d1c9e676177cb48279fe0bc81932bb4089
SHA5129156b6f5c279c46ab9fa8a614408050e18f9c76508ed222258a3ebc4ecf373e5147d0f8b9dcce8b4e3bf9be0c89f7a168f832898720f9a1101a6584dbb972cce
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec