Analysis
max time kernel: 131s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 09:00
Static task: static1
Behavioral task: behavioral1
Sample: 918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe
Resource: win10v2004-20241007-en
General
Target: 918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe
Size: 550KB
MD5: ba22e5c6ee0d637bacde22ecd438b440
SHA1: 6fb51cbf65e53f4d9fc3acd1738d844b677d38f9
SHA256: 918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70
SHA512: 6059342d227fed6135637e3824b0f4d312b4e767b20369cfc1a009ec038a1236412abd57f4ab3d920749431bf954e3de9b455c23e384a55001e8df23720196e2
SSDEEP: 12288:tMrEy90yV4gMtY2CDhoOqdX0GS5WBqrXRVkZ34Nygc7:py7VvMa2CDhoOqdEG2Du
Malware Config
Extracted
Family: redline
Botnet: fusa
C2: 193.233.20.12:4132
auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                        yara_rule
behavioral1/files/0x0009000000023c32-12.dat                                     family_redline
behavioral1/memory/4284-15-0x0000000000470000-0x00000000004A2000-memory.dmp     family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid    Process
1596   njO28.exe
4284   bLF50.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by 918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
Set value (str) by njO28.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1
  = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
Note: both values are the housekeeping entries that wextract.exe, the stub of a Windows self-extracting cabinet (IExpress package), writes so that advpack.dll's DelNodeRunDLL32 deletes its IXPnnn.TMP extraction folder at the next logon. They remove the dropper's own staging directory rather than relaunching anything, so this hit documents two nested SFX layers, not persistence for the RedLine payload. A RunOnce or Run value that points at a copied payload would be the persistence indicator to look for; none is recorded in this report.
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe
  njO28.exe
  bLF50.exe
Suspicious use of WriteProcessMemory (6 IoCs)
PID    wrote to   Process                                                                   procid_target
4116   1596       918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe     83   (recorded 3 times)
1596   4284       njO28.exe                                                                 84   (recorded 3 times)
Note: every write here goes from a parent into the child it has just created (compare the process tree below). Populating a freshly created process is what CreateProcess does, and the sandbox logs each WriteProcessMemory call regardless of target, so this signature on its own is not evidence of injection into an unrelated process. The RedLine detection rests on the YARA matches above (the dropped file and the memory region of PID 4284), not on these writes.
Processes

C:\Users\Admin\AppData\Local\Temp\918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe (PID 4116)
  command line: "C:\Users\Admin\AppData\Local\Temp\918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe (PID 1596, child of 4116)
       command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe
       - Executes dropped EXE
       - Adds Run key to start application
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe (PID 4284, child of 1596)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

The outer two processes each behave as a wextract stub: each unpacks the next stage into its own IXPnnn.TMP folder and registers the RunOnce cleanup value for it. The innermost binary, bLF50.exe (PID 4284), is the one whose memory region 0x00470000-0x004A2000 matched the family_redline YARA rule.
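As an added example, not part of the sandbox report, the following Python reproduces the triage reasoning for the signatures and process tree above on constructed host telemetry: it separates wextract's own RunOnce cleanup values from genuine autostart entries, recovers the nested IXPnnn.TMP chain from parent/child relationships, and discards the parent-to-child WriteProcessMemory calls that process creation accounts for. The event schema (pid/ppid/image, key/name/value, src_pid/dst_pid), the dropper's parent PID 612 and the contrasting "Updater" Run value are assumptions for the example, not data from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# wextract.exe (the IExpress self-extracting cabinet stub) unpacks into %TEMP%\IXP000.TMP,
# IXP001.TMP, ... and writes a RunOnce value that deletes that folder at next logon.
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
AUTOSTART_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
WEXTRACT_CLEANUP = re.compile(
    r'^rundll32\.exe\s+C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\?"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    name: str
    value: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


# Constructed from the report's process tree, RunOnce writes and WriteProcessMemory records.
# The field names are an assumed schema, not a specific EDR's, and the dropper's parent
# PID 612 is assumed (the report does not show what launched it).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\918cf290f7dceb2753f76eaea2f2de72d4c3af109028c49f901cef7bd1106d70.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\{}\"'

PROCS = [
    Proc(4116, 612, DROPPER),
    Proc(1596, 4116, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\njO28.exe"),
    Proc(4284, 1596, r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bLF50.exe"),
]
REG_SETS = [
    RegSet(4116, RUNONCE, "wextract_cleanup0", CLEANUP.format("IXP000.TMP")),
    RegSet(1596, RUNONCE, "wextract_cleanup1", CLEANUP.format("IXP001.TMP")),
    # Synthetic contrast case, NOT observed in this report: a genuine Run-key autostart.
    RegSet(4284, r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "Updater", r"C:\Users\Admin\AppData\Roaming\upd.exe"),
]
MEM_WRITES = [MemWrite(4116, 1596)] * 3 + [MemWrite(1596, 4284)] * 3


def classify_reg_set(ev: RegSet) -> str:
    """'sfx_cleanup' for wextract's housekeeping value, 'autostart' for any other
    Run/RunOnce value (the real persistence candidates), 'other' for unrelated keys."""
    if not AUTOSTART_KEY.search(ev.key):
        return "other"
    if ev.name.lower().startswith("wextract_cleanup") and WEXTRACT_CLEANUP.match(ev.value):
        return "sfx_cleanup"
    return "autostart"


def sfx_chains(procs, min_depth=2):
    """Process chains (root -> leaf PIDs) with at least min_depth consecutive processes
    running out of IXPnnn.TMP folders, i.e. nested self-extracting layers."""
    by_pid = {p.pid: p for p in procs}
    has_ixp_child = {p.ppid for p in procs if IXP_DIR.search(p.image)}
    chains = []
    for leaf in procs:
        if not IXP_DIR.search(leaf.image) or leaf.pid in has_ixp_child:
            continue
        chain, depth, cur = [leaf.pid], 1, by_pid.get(leaf.ppid)
        while cur is not None and IXP_DIR.search(cur.image):
            chain.append(cur.pid)
            depth += 1
            cur = by_pid.get(cur.ppid)
        if cur is not None:  # the outermost dropper that started the nesting
            chain.append(cur.pid)
        if depth >= min_depth:
            chains.append(chain[::-1])
    return chains


def memory_writes_beyond_creation(writes, procs):
    """Drop parent -> child writes (normal process creation) and keep the rest as injection candidates."""
    ppid = {p.pid: p.ppid for p in procs}
    return sorted({(w.src_pid, w.dst_pid) for w in writes if ppid.get(w.dst_pid) != w.src_pid})


def triage(procs, reg_sets, writes):
    verdict = defaultdict(list)
    for ev in reg_sets:
        verdict[classify_reg_set(ev)].append(ev.name)
    verdict["nested_sfx_chains"] = sfx_chains(procs)
    verdict["injection_candidates"] = memory_writes_beyond_creation(writes, procs)
    return dict(verdict)


if __name__ == "__main__":
    for key, val in triage(PROCS, REG_SETS, MEM_WRITES).items():
        print(f"{key}: {val}")
```

On the report's data this yields one nested chain 4116 -> 1596 -> 4284, both RunOnce values classed as SFX cleanup, and no injection candidates; only the synthetic "Updater" value lands in the autostart bucket.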
Network

MITRE ATT&CK Enterprise v15
The signatures above correspond to:
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), from the RunOnce writes (see the wextract cleanup note under Signatures before treating this as persistence)
  System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language key reads
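As an added example, not from the report: matching the C2 extracted under Malware Config against Zeek conn.log records. Only the C2 host 193.233.20.12 and port 4132 come from the report; the log lines, internal addresses and connection uids are constructed, and the column subset is an assumption (a real conn.log carries more fields and a #fields header line).

```python
import csv
import io
from collections import Counter

# From the extracted RedLine config in the report.
C2_HOST, C2_PORT = "193.233.20.12", 4132

# Zeek conn_state values that imply the TCP handshake completed.
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}

# Constructed conn.log excerpt (assumed field subset, tab-separated like Zeek's ASCII writer).
CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1731229200.10\tCabcd1\t10.0.0.25\t49712\t193.233.20.12\t4132\ttcp\tSF
1731229205.42\tCabcd2\t10.0.0.25\t49713\t93.184.216.34\t443\ttcp\tSF
1731229210.77\tCabcd3\t10.0.0.31\t51002\t193.233.20.12\t8080\ttcp\tS0
1731229215.03\tCabcd4\t10.0.0.25\t49720\t193.233.20.12\t4132\ttcp\tREJ
"""


def classify(row):
    """Exact host:port match is the high-confidence indicator; the same host on another
    port is worth a look (operators reuse infrastructure) but is a weaker signal."""
    host, port = row["id.resp_h"], int(row["id.resp_p"])
    if host == C2_HOST and port == C2_PORT:
        return "c2_exact"
    if host == C2_HOST:
        return "c2_host_other_port"
    return None


def scan_conn_log(text):
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    hits = []
    for row in reader:
        label = classify(row)
        if label is None:
            continue
        hits.append({
            "uid": row["uid"],
            "src": row["id.orig_h"],
            "label": label,
            # A REJ or S0 record is an attempt, not a completed session: still an infected host,
            # but no data was exchanged on that flow.
            "established": row["conn_state"] in ESTABLISHED_STATES,
        })
    return hits


def affected_hosts(hits):
    """Internal addresses that reached the exact C2 endpoint."""
    return sorted({h["src"] for h in hits if h["label"] == "c2_exact"})


def summarize(hits):
    return dict(Counter(h["label"] for h in hits))


if __name__ == "__main__":
    found = scan_conn_log(CONN_LOG)
    print(summarize(found))
    print("hosts to isolate:", affected_hosts(found))
```

Matching on the raw IP is appropriate here because the config carries an address rather than a domain; the established flag lets a responder separate hosts that completed a session with the C2 from ones that only attempted the connection, for instance after the address was sinkholed or blocked.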
Downloads

File 1
Filesize: 202KB
MD5: 29f29c47c6c1d58a2029ecee4e1b194f
SHA1: 97e652d0d71214aa44dab61b49d0bd6341795157
SHA256: d0423217bae6dff552610d5afe42e125afd5593296b25ffe78d8f35e9ac6f9ec
SHA512: 6a9514a71f877cea3d1a1a141e408a04d5ff0bf0a250dad710c03a7e82a1d20f666693ff2d6464b63d400d57ba0ee4f8758ee4950b4cd45407d2e83e489da320

File 2
Filesize: 175KB
MD5: da6f3bef8abc85bd09f50783059964e3
SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec