Analysis

  • max time kernel
    131s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 09:00

General

  • Target

    918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe

  • Size

    550KB

  • MD5

    ba22e5c6ee0d637bacde22ecd438b440

  • SHA1

    6fb51cbf65e53f4d9fc3acd1738d844b677d38f9

  • SHA256

    918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70

  • SHA512

    6059342d227fed6135637e3824b0f4d312b4e767b20369cfc1a009ec038a1236412abd57f4ab3d920749431bf954e3de9b455c23e384a55001e8df23720196e2

  • SSDEEP

    12288:tMrEy90yV4gMtY2CDhoOqdX0GS5WBqrXRVkZ34Nygc7:py7VvMa2CDhoOqdEG2Du

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe
    "C:\Users\Admin\AppData\Local\Temp\918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe

    Filesize

    202KB

    MD5

    29f29c47c6c1d58a2029ecee4e1b194f

    SHA1

    97e652d0d71214aa44dab61b49d0bd6341795157

    SHA256

    d0423217bae6dff552610d5afe42e125afd5593296b25ffe78d8f35e9ac6f9ec

    SHA512

    6a9514a71f877cea3d1a1a141e408a04d5ff0bf0a250dad710c03a7e82a1d20f666693ff2d6464b63d400d57ba0ee4f8758ee4950b4cd45407d2e83e489da320

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/4284-14-0x00000000747BE000-0x00000000747BF000-memory.dmp

    Filesize

    4KB

  • memory/4284-15-0x0000000000470000-0x00000000004A2000-memory.dmp

    Filesize

    200KB

  • memory/4284-16-0x0000000005430000-0x0000000005A48000-memory.dmp

    Filesize

    6.1MB

  • memory/4284-17-0x0000000004F50000-0x000000000505A000-memory.dmp

    Filesize

    1.0MB

  • memory/4284-18-0x0000000004E80000-0x0000000004E92000-memory.dmp

    Filesize

    72KB

  • memory/4284-19-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

    Filesize

    240KB

  • memory/4284-20-0x0000000005060000-0x00000000050AC000-memory.dmp

    Filesize

    304KB

  • memory/4284-21-0x00000000747BE000-0x00000000747BF000-memory.dmp

    Filesize

    4KB
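The indicators in this report (the C2 endpoint under Malware Config, the nested IXP000.TMP/IXP001.TMP dropper chain under Processes, and the dropped-file hashes under Downloads) turned into a hunting script over Sysmon-style telemetry. This is an added example, not part of the sandbox report: the hash, C2 address and path values are copied from the report, while the log lines, the simplified `Key=Value|Key=Value` field format, the registry hive path and the Run value names are constructed for the example. IXP000.TMP-style folders are the extraction directories created by IExpress/wextract self-extracting executables; the `nested_sfx` check flags a second SFX launched from inside the first one's extraction folder, which is the packaging pattern the process tree above shows, independent of the specific file names.

```python
"""Hunt for the RedLine dropper chain from this report in Sysmon-style telemetry.

Added example, not part of the sandbox report.  Hash, C2 and path indicators are
taken from the report; the log lines below are CONSTRUCTED so the script runs
offline, and 'Key=Value|Key=Value' is a simplification of Sysmon EventData.
"""
import re

# --- indicators from the report ---------------------------------------------
H_STAGE1 = "918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70"
H_STAGE2 = "d0423217bae6dff552610d5afe42e125afd5593296b25ffe78d8f35e9ac6f9ec"
H_STAGE3 = "e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b"
FILE_HASHES = {H_STAGE1: "initial dropper", H_STAGE2: "njO28.exe (stage 2)",
               H_STAGE3: "bLF50.exe (stage 3)"}
C2 = ("193.233.20.12", 4132)

# --- behavioural patterns -----------------------------------------------------
# IXP000.TMP, IXP001.TMP, ... are the extraction folders IExpress/wextract SFX
# executables create under %TEMP%; an SFX spawned from another SFX's IXP folder
# is the two-deep nesting the process tree shows.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict; only the first '=' separates key from value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def sha256_of(hashes_field):
    """Pull the SHA256 out of a Sysmon-style 'MD5=..,SHA256=..' Hashes field (lower-cased)."""
    for part in hashes_field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def scan(lines):
    """Return (tag, detail) findings for each line matching an indicator or behaviour."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, image, pid = ev.get("EventID"), ev.get("Image", ""), ev.get("ProcessId")
        if eid == "1":  # process creation
            sha = sha256_of(ev.get("Hashes", ""))
            if sha in FILE_HASHES:
                findings.append(("known_hash", f"pid {pid} {image}: {FILE_HASHES[sha]}"))
            child = IXP_DIR.search(image)
            parent = IXP_DIR.search(ev.get("ParentImage", ""))
            if child and parent:  # SFX launched from inside another SFX's extraction folder
                findings.append(("nested_sfx", f"IXP{parent.group(1)} -> IXP{child.group(1)}: {image}"))
        elif eid == "3":  # network connection
            dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", "0")))
            if dest == C2:
                findings.append(("c2", f"pid {pid} {image} -> {dest[0]}:{dest[1]}"))
        elif eid == "13":  # registry value set
            if RUN_KEY.search(ev.get("TargetObject", "")) and TEMP_DIR.search(image):
                findings.append(("run_key", f"pid {pid} {image} wrote {ev['TargetObject']}"))
    return findings


# --- constructed telemetry mirroring the process tree in the report -----------
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE1 = TEMP + "\\" + H_STAGE1 + ".exe"
STAGE2 = TEMP + r"\IXP000.TMP\njO28.exe"
STAGE3 = TEMP + r"\IXP001.TMP\bLF50.exe"
RUN = "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"  # constructed hive path
SAMPLE_LOG = [
    f"EventID=1|ProcessId=4116|Image={STAGE1}|ParentImage=C:\\Windows\\explorer.exe|Hashes=SHA256={H_STAGE1}",
    f"EventID=13|ProcessId=4116|Image={STAGE1}|TargetObject={RUN}stage1",  # value name constructed
    f"EventID=1|ProcessId=1596|Image={STAGE2}|ParentImage={STAGE1}|Hashes=SHA256={H_STAGE2}",
    f"EventID=13|ProcessId=1596|Image={STAGE2}|TargetObject={RUN}stage2",  # value name constructed
    f"EventID=1|ProcessId=4284|Image={STAGE3}|ParentImage={STAGE2}|Hashes=SHA256={H_STAGE3}",
    f"EventID=3|ProcessId=4284|Image={STAGE3}|DestinationIp=193.233.20.12|DestinationPort=4132",
    # Benign noise that must not match.
    "EventID=1|ProcessId=900|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|Hashes=SHA256=" + "0" * 64,
    "EventID=3|ProcessId=900|Image=C:\\Windows\\System32\\svchost.exe|DestinationIp=8.8.8.8|DestinationPort=53",
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_LOG):
        print(f"[{tag}] {detail}")
```

Against the constructed log the script reports three known hashes, one nested SFX launch (IXP000 into IXP001), two Run-key writes from Temp and one connection to the C2; the two benign lines produce nothing. To use it on real data, replace `parse_event` with a reader for your Sysmon export format and keep `scan` as is.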