Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 11:58
Static task
static1
Behavioral task
behavioral1
Sample
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe
Resource
win10v2004-20241007-en
General
-
Target
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe
-
Size
550KB
-
MD5
e57b62365defa17c26f9278be23c0c2a
-
SHA1
be899c420b105ba782e59aa9aa1a96d559b14b5f
-
SHA256
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9
-
SHA512
9d860ab0dbe6a8a33718d3815f9abd42497fcf5ef0eee8074bd07c78023e3cfbb3b48899d0d57f1951c20ed53e0449532575864092ea913410d5b892ef8746b0
-
SSDEEP
12288:FMr5y90bvE+OsEyjWSToHI2YlsDwoYH19iiW5NyHAaNKCq:AyD+aiUHWlFocENwCp
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000c000000023bb2-12.dat family_redline behavioral1/memory/3080-15-0x0000000000FD0000-0x0000000001002000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
dYe63.exeahC38.exepid Process 2720 dYe63.exe 3080 ahC38.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exedYe63.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" dYe63.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exedYe63.exeahC38.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dYe63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ahC38.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exedYe63.exedescription pid Process procid_target PID 4100 wrote to memory of 2720 4100 6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe 83 PID 4100 wrote to memory of 2720 4100 6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe 83 PID 4100 wrote to memory of 2720 4100 6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe 83 PID 2720 wrote to memory of 3080 2720 dYe63.exe 84 PID 2720 wrote to memory of 3080 2720 dYe63.exe 84 PID 2720 wrote to memory of 3080 2720 dYe63.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe"C:\Users\Admin\AppData\Local\Temp\6e6aac854c4d2c819b5aa485b0cc7d3ba959ea89967c5f59f6ee3144173ea8b9.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYe63.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYe63.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ahC38.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ahC38.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5acb2402d8949c5491868954273fc984d
SHA14ad998da0850466501913de7aa54617491514096
SHA256eda12ea03f8e50e5a371e781a8846f86225fd4175a47d90586ae973f41241070
SHA512e8aff3ff60113a9d77c9bd7c778cc832f55f3e9c95f4362c7746d12439826e326ef575fc14f52411d2c5675abaac72d5496e4611f147285e4ab27eb3245883b1
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec