Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 10:52

General

  • Target

    4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe

  • Size

    796KB

  • MD5

    a84c3d1c46f00a976b0db9d4c033313d

  • SHA1

    7de3b691cab9fd59eb9b8b06634f270280d90e44

  • SHA256

    4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8

  • SHA512

    7ae1e17ab2d501b82c14e87ec82fda1dc2fca2458b53086ed9d57d8f0d3ec515646746342677a0501cc6014e9a538a1ae4344bd4fd08ca34359cbceb0ce78cd0

  • SSDEEP

    12288:/Mrfy90WFAF6/VAmYjVyHw88mQxIPjHHKb1pQ1D2XWfB4ocUA9Wn3zdp:YyhUmqsHw88mQxIS1pQAyBpcB6pp

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe

    Filesize

    693KB

    MD5

    d03ba7baefa1d842bfde8e04aec0a381

    SHA1

    19458ed5c8e9de60e324bf8b25fb26451c0fd42c

    SHA256

    b34ef1ad7fd9466607629dd4fe87f9e55cf091584943124a2a19d54002ace614

    SHA512

    f70f93366627d01c96a06235a659c5f9f21eebb19d9b128a6a825e1b8419085b94388bd929820a0c0c36e7ee07d0e2dc59b97fb7bef5761ba3dc8de098958df2

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe

    Filesize

    286KB

    MD5

    5c73fd6c5b3127283eb7c0018f924a74

    SHA1

    934c4f9fe7145ab70a50b6a27232213cde9637c5

    SHA256

    8d3c1477b8185a75c82312e89617975a8ad503e4aecbfe7df09891efa91e39ec

    SHA512

    16d271b4a695a571f48148688592f0ba301632f9be28b631716186682074a15bec5706203d511570623ee808182542b21306743a4051016d5c8102e34fe04c6b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/3676-21-0x0000000000F00000-0x0000000000F32000-memory.dmp

    Filesize

    200KB

  • memory/3676-22-0x0000000005D20000-0x0000000006338000-memory.dmp

    Filesize

    6.1MB

  • memory/3676-23-0x00000000058A0000-0x00000000059AA000-memory.dmp

    Filesize

    1.0MB

  • memory/3676-24-0x00000000057D0000-0x00000000057E2000-memory.dmp

    Filesize

    72KB

  • memory/3676-25-0x0000000005830000-0x000000000586C000-memory.dmp

    Filesize

    240KB

  • memory/3676-26-0x00000000059B0000-0x00000000059FC000-memory.dmp

    Filesize

    304KB