Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 08:55
Static task
static1
Behavioral task
behavioral1
Sample
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe
Resource
win10v2004-20241007-en
General
-
Target
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe
-
Size
551KB
-
MD5
6a0caaa002a92f0478bc35069b153df8
-
SHA1
9c982b4ca6373325930defac346bbb9b7c15186d
-
SHA256
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d
-
SHA512
1041d65ba321f53a0fab3103e30379cb605a5d120a4215bee36a4bebd009e574ec78685b605d4a7ddbcf881b6a5661c2036f920d3a6c5f95cf0d8cee6fb3c70d
-
SSDEEP
12288:/Mrmy90GrtIoVVCzcfzU/EBaXlZzHxl9TKhS1x:9yJZNVmcf7BaXL9kS1x
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b8b-12.dat family_redline behavioral1/memory/1888-15-0x0000000000D40000-0x0000000000D72000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nsP35.exebgR87.exepid Process 4228 nsP35.exe 1888 bgR87.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exensP35.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nsP35.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exensP35.exebgR87.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nsP35.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bgR87.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exensP35.exedescription pid Process procid_target PID 4932 wrote to memory of 4228 4932 3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe 83 PID 4932 wrote to memory of 4228 4932 3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe 83 PID 4932 wrote to memory of 4228 4932 3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe 83 PID 4228 wrote to memory of 1888 4228 nsP35.exe 84 PID 4228 wrote to memory of 1888 4228 nsP35.exe 84 PID 4228 wrote to memory of 1888 4228 nsP35.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe"C:\Users\Admin\AppData\Local\Temp\3a33d4be6e0de9c96f00fe327b2f3e55abe715cd0bbc2fe1cae53b6fd946b27d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsP35.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsP35.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgR87.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bgR87.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1888
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5e8d0b66056d6578f43a307009bf9255a
SHA1538cd57c220c7beef6b50a448854afdb0e8cdacb
SHA2564e6c6f386eb530fc42fcceddcbab57f20d2ba38a1b29e90cb43461c6941ab02f
SHA5124a03be706f1d040b799ace54f9ded7e741ab0037bac87522038723feba7eea7159ca875680cfecf1a0612cc2cb68257bced814c9839a02f13f24057e50ec7459
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec