Analysis

max time kernel: 132s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 10:41

Static task: static1
Behavioral task: behavioral1
Sample: cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe
Resource: win10v2004-20241007-en
General

Target: cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe
Size: 472KB
MD5: 73226cef261047b9f5a26941e5920b52
SHA1: 2e9a5926e0fc548f3fe87cc58636259ac3a8df0d
SHA256: cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167
SHA512: 51b2f21904d4c44b67049ee39d182cd97a48a860b2249cc751083545dcd9abcb6a7c33f1ca842cdd26197c7b983cceca3fb552ac02f0fdcde3e37a0179c88ef6
SSDEEP: 12288:wMrzy904y2y+mADy5XW1WpAa+n3l9b3E8IhD9FJthS2R+MJ:Tyxy2y5AH18H+3DDE8IbHSwt
Malware Config

Extracted
  Family: redline
  Botnet: fusa
  C2: 193.233.20.12:4132
  Attributes:
    auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x000b000000023b7b-12.dat                                  family_redline
  behavioral1/memory/1172-15-0x00000000000E0000-0x0000000000112000-memory.dmp  family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid   process
  1540  nLS77.exe
  1172  bYG65.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      process                                                                  ioc
  Set value (str)  cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str)  nLS77.exe                                                                \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
The value names (wextract_cleanup0/1), the advpack.dll DelNodeRunDLL32 command and the IXP000.TMP/IXP001.TMP directories are the self-cleanup mechanism of the Microsoft IExpress (wextract) self-extracting stub: each RunOnce entry deletes the extraction directory at the next logon rather than relaunching a payload. What the signature shows here is two nested self-extracting layers, not Run-key persistence of the stealer itself.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nLS77.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bYG65.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                                                  procid_target
  PID 2700 wrote to memory of 1540   2700  cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe    84
  PID 2700 wrote to memory of 1540   2700  cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe    84
  PID 2700 wrote to memory of 1540   2700  cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe    84
  PID 1540 wrote to memory of 1172   1540  nLS77.exe                                                                85
  PID 1540 wrote to memory of 1172   1540  nLS77.exe                                                                85
  PID 1540 wrote to memory of 1172   1540  nLS77.exe                                                                85
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe"
    PID: 2700
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS77.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS77.exe
      PID: 1540
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bYG65.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bYG65.exe
        PID: 1172
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
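As an added example (not part of this sandbox report or of the sandbox's own tooling), the following Python reconstructs the drop chain from the six WriteProcessMemory rows in the Signatures section, labels each stage by whether it was launched from an IExpress extraction directory (IXP00n.TMP), and parses the memory-dump resource name of the RedLine YARA hit to confirm that the hit sits in the last process of the chain. The IoC rows, image paths and resource name are copied from this report; the function names, the stage labels and the assumption that repeated writes from a parent into the child it has just started are part of process creation rather than injection are this example's own.

```python
import re
from collections import defaultdict

# Copied from the report above: the six WriteProcessMemory IoC rows, the three
# process-tree entries and the memory resource that carried the RedLine YARA hit.
WPM_ROWS = [
    "PID 2700 wrote to memory of 1540 2700 cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe 84",
    "PID 2700 wrote to memory of 1540 2700 cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe 84",
    "PID 2700 wrote to memory of 1540 2700 cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe 84",
    "PID 1540 wrote to memory of 1172 1540 nLS77.exe 85",
    "PID 1540 wrote to memory of 1172 1540 nLS77.exe 85",
    "PID 1540 wrote to memory of 1172 1540 nLS77.exe 85",
]
PROCESSES = {
    2700: r"C:\Users\Admin\AppData\Local\Temp\cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167.exe",
    1540: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS77.exe",
    1172: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bYG65.exe",
}
REDLINE_MEMORY_HIT = "behavioral1/memory/1172-15-0x00000000000E0000-0x0000000000112000-memory.dmp"

# Row layout is "description pid process procid_target"; the description itself
# names writer and target, and the pid column repeats the writer.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
# IExpress (wextract) unpacks into %TEMP%\IXPnnn.TMP\ and runs the payload from there.
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
# Sandbox memory resources are named <pid>-<seq>-0x<start>-0x<end>-memory.dmp.
MEM_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_edges(rows):
    """Collapse the IoC rows into {(writer_pid, target_pid): write_count}."""
    edges = defaultdict(int)
    for row in rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError("unrecognised IoC row: " + row)
        writer, target, pid_col, _proc, _procid = m.groups()
        if writer != pid_col:
            raise ValueError("pid column disagrees with description: " + row)
        edges[(int(writer), int(target))] += 1
    return dict(edges)


def execution_chain(edges):
    """Return PIDs root-first (depth-first). A root is a writer nobody wrote into."""
    children = defaultdict(list)
    writers, targets = set(), set()
    for writer, target in edges:
        children[writer].append(target)
        writers.add(writer)
        targets.add(target)
    order, seen = [], set()
    stack = list(reversed(sorted(writers - targets)))
    while stack:
        pid = stack.pop()
        if pid in seen:          # a PID written by two parents is listed once
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(sorted(children.get(pid, []))))
    return order


def stage_label(path):
    """Label a process by where it ran from: IExpress extraction dir or not (example's own labels)."""
    m = IXP_RE.search(path)
    return "iexpress-stage-" + m.group(1) if m else "submitted-sample"


def parse_memory_hit(resource):
    """Pull pid and region bounds out of a sandbox memory-dump resource name."""
    m = MEM_RE.search(resource)
    if m is None:
        raise ValueError("not a memory resource: " + resource)
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start}


def summarise(rows=WPM_ROWS, processes=PROCESSES, memory_hit=REDLINE_MEMORY_HIT):
    """Chain, per-edge write counts, per-stage labels and the YARA-hit region in one dict."""
    edges = parse_edges(rows)
    chain = execution_chain(edges)
    hit = parse_memory_hit(memory_hit)
    stages = []
    for depth, pid in enumerate(chain, start=1):
        path = processes.get(pid, "<unknown>")
        stages.append({
            "depth": depth,
            "pid": pid,
            "path": path,
            "stage": stage_label(path),
            "redline_in_memory": pid == hit["pid"],
        })
    return {"chain": chain, "edges": edges, "stages": stages, "payload_region": hit}


if __name__ == "__main__":
    for stage in summarise()["stages"]:
        print(stage)
```

The region parsed from the memory resource is 0x32000 bytes (200 KiB), which is the size of the unpacked stealer mapped in PID 1172; matching that against the dropped-file sizes in Downloads is how one ties the in-memory YARA hit back to a specific file.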
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 202KB
  MD5: bc799b3aaeafb433461da657971a1822
  SHA1: 6e44c378f0f343da3cda52272e44220d4613608c
  SHA256: 12b6b8ab3b576bb2d6c6e6dad7e8715ebf54683e2c1ef6852c8caebabba69c50
  SHA512: e64c17f47ed1f99152c80ebe3ce2f38f8e516546caa9a24313dc2fa46aa16e6e99da81ba051f98840716588d00bbbc7455d3938ad788d3aeba227c7ec1186d85

- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec
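As an added example, not part of this report or of the sandbox's tooling: the file hashes from General and Downloads and the C2 address from Malware Config, turned into a matcher that runs over Sysmon-style process-create (EventID 1), network-connect (EventID 3) and registry-set (EventID 13) records. The event lines are constructed for this example; the notepad.exe, firefox.exe and svc.exe entries are hypothetical noise included to show what should not fire, and the severity labels are the example's own. The matcher deliberately separates the IExpress wextract_cleanup RunOnce value (which this sample's self-extracting layers write to delete their temp directory) from a real Run-key persistence write.

```python
import re

# IoCs copied from this report. MD5s are kept alongside SHA256s because some
# telemetry configs only log MD5.
IOC_SHA256 = {
    "cefbd0f117fb8bfbf110dee25b25517e8eff876cbb2ce9e9ab3712c647fb3167": "submitted sample",
    "12b6b8ab3b576bb2d6c6e6dad7e8715ebf54683e2c1ef6852c8caebabba69c50": "dropped file (202KB)",
    "e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b": "dropped file (175KB)",
}
IOC_MD5 = {
    "73226cef261047b9f5a26941e5920b52": "submitted sample",
    "bc799b3aaeafb433461da657971a1822": "dropped file (202KB)",
    "da6f3bef8abc85bd09f50783059964e3": "dropped file (175KB)",
}
IOC_C2 = {("193.233.20.12", 4132): "RedLine C2 (botnet 'fusa')"}

# Constructed Sysmon-like "Key=Value" records (hypothetical; not from the report).
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\bYG65.exe ProcessId=1172 Hashes=MD5=da6f3bef8abc85bd09f50783059964e3,SHA256=e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe ProcessId=4242 Hashes=MD5=00000000000000000000000000000000,SHA256=0000000000000000000000000000000000000000000000000000000000000000',
    'EventID=3 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\bYG65.exe ProcessId=1172 DestinationIp=193.233.20.12 DestinationPort=4132 Protocol=tcp',
    'EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId=9001 DestinationIp=193.233.20.12 DestinationPort=443 Protocol=tcp',
    'EventID=13 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\nLS77.exe ProcessId=1540 TargetObject=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1 Details=rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"',
    'EventID=13 Image=C:\\Users\\Admin\\AppData\\Roaming\\svc.exe ProcessId=5555 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=C:\\Users\\Admin\\AppData\\Roaming\\svc.exe',
]

# Fields are separated by whitespace followed by "Key="; values may contain spaces.
FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
WEXTRACT_CLEANUP = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def parse_event(line):
    """Split one 'Key=Value Key=Value' record into a dict (first '=' separates key from value)."""
    fields = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_hashes(value):
    """'MD5=..,SHA256=..' -> {'MD5': '..', 'SHA256': '..'} with lowercase digests."""
    out = {}
    for part in value.split(","):
        algo, _, digest = part.partition("=")
        if algo:
            out[algo.upper()] = digest.lower()
    return out


def evaluate(fields):
    """Return [(severity, reason)] findings for one parsed event."""
    findings = []
    eid = fields.get("EventID")
    image = fields.get("Image", "")
    if eid == "1":
        hashes = parse_hashes(fields.get("Hashes", ""))
        for algo, table in (("SHA256", IOC_SHA256), ("MD5", IOC_MD5)):
            label = table.get(hashes.get(algo, ""))
            if label:
                findings.append(("high", f"{algo} matches {label}"))
                break  # one digest match is enough; do not double count
        if IXP_DIR.search(image):
            findings.append(("medium", "executable launched from an IExpress extraction directory"))
    elif eid == "3":
        key = (fields.get("DestinationIp"), int(fields.get("DestinationPort", "0")))
        if key in IOC_C2:
            findings.append(("high", f"connection to {IOC_C2[key]}"))
        elif key[0] in {ip for ip, _ in IOC_C2}:
            findings.append(("low", f"connection to C2 host {key[0]} on non-C2 port {key[1]}"))
    elif eid == "13":
        target = fields.get("TargetObject", "")
        if WEXTRACT_CLEANUP.search(target):
            # The IExpress stub scheduling deletion of its own temp dir: cleanup, not persistence.
            findings.append(("info", "RunOnce wextract_cleanup entry (IExpress self-cleanup, not persistence)"))
        elif RUN_KEY.search(target):
            findings.append(("medium", f"Run-key persistence written: {target}"))
    return findings


def scan(lines=SAMPLE_EVENTS):
    """Run every record through evaluate(); returns [(severity, process_id, reason)]."""
    results = []
    for line in lines:
        fields = parse_event(line)
        for severity, reason in evaluate(fields):
            results.append((severity, fields.get("ProcessId"), reason))
    return results


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The port-insensitive "low" match on the C2 address is intentional: infrastructure for this family is reused across ports, so any contact with 193.233.20.12 from an endpoint is worth a look even when the port differs from the extracted 4132.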