Analysis
- max time kernel: 132s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 10:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
- Resource: win10v2004-20241007-en
General
- Target: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
- Size: 796KB
- MD5: a84c3d1c46f00a976b0db9d4c033313d
- SHA1: 7de3b691cab9fd59eb9b8b06634f270280d90e44
- SHA256: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8
- SHA512: 7ae1e17ab2d501b82c14e87ec82fda1dc2fca2458b53086ed9d57d8f0d3ec515646746342677a0501cc6014e9a538a1ae4344bd4fd08ca34359cbceb0ce78cd0
- SSDEEP: 12288:/Mrfy90WFAF6/VAmYjVyHw88mQxIPjHHKb1pQ1D2XWfB4ocUA9Wn3zdp:YyhUmqsHw88mQxIS1pQAyBpcB6pp
Malware Config
Extracted
- Family: redline
- Botnet: fusa
- C2: 193.233.20.12:4132
- auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 2 IoCs
  Processes (resource | yara_rule):
  behavioral1/files/0x0008000000023cb4-19.dat | family_redline
  behavioral1/memory/3676-21-0x0000000000F00000-0x0000000000F32000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE 3 IoCs
  Processes (pid | Process):
  1440 | skh73pn.exe
  1268 | sIp36jU.exe
  3676 | kZl49NG.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  Processes (description | ioc | Process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | sIp36jU.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | skh73pn.exe
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skh73pn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sIp36jU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kZl49NG.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (description | pid | Process | procid_target):
  PID 3356 wrote to memory of 1440 | 3356 | 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | 83
  PID 3356 wrote to memory of 1440 | 3356 | 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | 83
  PID 3356 wrote to memory of 1440 | 3356 | 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | 83
  PID 1440 wrote to memory of 1268 | 1440 | skh73pn.exe | 85
  PID 1440 wrote to memory of 1268 | 1440 | skh73pn.exe | 85
  PID 1440 wrote to memory of 1268 | 1440 | skh73pn.exe | 85
  PID 1268 wrote to memory of 3676 | 1268 | sIp36jU.exe | 86
  PID 1268 wrote to memory of 3676 | 1268 | sIp36jU.exe | 86
  PID 1268 wrote to memory of 3676 | 1268 | sIp36jU.exe | 86
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe"
  PID: 3356
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
    PID: 1440
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
      PID: 1268
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe
        PID: 3676
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 693KB
  MD5: d03ba7baefa1d842bfde8e04aec0a381
  SHA1: 19458ed5c8e9de60e324bf8b25fb26451c0fd42c
  SHA256: b34ef1ad7fd9466607629dd4fe87f9e55cf091584943124a2a19d54002ace614
  SHA512: f70f93366627d01c96a06235a659c5f9f21eebb19d9b128a6a825e1b8419085b94388bd929820a0c0c36e7ee07d0e2dc59b97fb7bef5761ba3dc8de098958df2
- Filesize: 286KB
  MD5: 5c73fd6c5b3127283eb7c0018f924a74
  SHA1: 934c4f9fe7145ab70a50b6a27232213cde9637c5
  SHA256: 8d3c1477b8185a75c82312e89617975a8ad503e4aecbfe7df09891efa91e39ec
  SHA512: 16d271b4a695a571f48148688592f0ba301632f9be28b631716186682074a15bec5706203d511570623ee808182542b21306743a4051016d5c8102e34fe04c6b
- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec