Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    • arch:x64
    • arch:x86
    • image:win10v2004-20241007-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    10-11-2024 10:26

General

  • Target

    d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe

  • Size

    473KB

  • MD5

    324df6b5e4049f0ed429e2daf9008c9d

  • SHA1

    8021b92690d25f2dde981d0643b1f02846f4d098

  • SHA256

    d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7

  • SHA512

    951d369788b2031abead0fd1eedf7e98fafc13eb61ee3faa309a088aad2b577d10e0b69e2600bf97713137441e763a57003b9aaefe6fd9df949868eaf7720301

  • SSDEEP

    6144:Khy+bnr+mjp0yN90QEfbUig7Qb7JQ7WfNU5euRRKkdpSlMi4PqL4D3rV3ksZS:7Mrqy90REQhpfNTunKkoMxysbKH

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe
    "C:\Users\Admin\AppData\Local\Temp\d956f8d94df631ddc48e1d55179b423bdec9b31e9ba4c677be01713f5a7dd9f7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngH09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngH09.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZe87.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZe87.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ngH09.exe

    Filesize

    202KB

    MD5

    2c654f781f6832aec7bea8eebaf800d6

    SHA1

    5e546c0b3bc32be5897b43fa615ac7af544ba6a4

    SHA256

    32ec10d5451900ef35b7c81b75c3598769c7beff367ecb77b3f0ee6369cecb4f

    SHA512

    31552ceded08e3a03ccb7bc0e9c9537d271144a5683e84e20a2672898bb4414f508837bbda493eb4ee6553d9ffb2e237d503701323b6173f2b4c5ac11cc67d7a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZe87.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/3648-14-0x00000000744FE000-0x00000000744FF000-memory.dmp

    Filesize

    4KB

  • memory/3648-15-0x00000000005D0000-0x0000000000602000-memory.dmp

    Filesize

    200KB

  • memory/3648-16-0x0000000005410000-0x0000000005A28000-memory.dmp

    Filesize

    6.1MB

  • memory/3648-17-0x0000000004F70000-0x000000000507A000-memory.dmp

    Filesize

    1.0MB

  • memory/3648-18-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

    Filesize

    72KB

  • memory/3648-19-0x0000000004F10000-0x0000000004F4C000-memory.dmp

    Filesize

    240KB

  • memory/3648-20-0x0000000005080000-0x00000000050CC000-memory.dmp

    Filesize

    304KB

  • memory/3648-21-0x00000000744FE000-0x00000000744FF000-memory.dmp

    Filesize

    4KB