Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:00
Static task
static1
Behavioral task
behavioral1
Sample
80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe
Resource
win10v2004-20241007-en
General
-
Target
80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe
-
Size
551KB
-
MD5
babf53ae045c32cbd16a40195ee16ca1
-
SHA1
ca125b7a2f788abd7cdfe72f53107374f5af4cf8
-
SHA256
80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96
-
SHA512
97feac0fc972d606d437926531e5f529cf6a84a69b2d4463c0efb0734184e58047acb9a8ea3603089bb45def69ac25a87dfdbd87e4ed05bc8a8f0aebcb57a668
-
SSDEEP
12288:7Mrjy90OsHQBDVfsZlXJK1KRRr1ZEKPjA19sllsEGH7fd8DOk:gyxXBVklXpRp1ZzU9TJH7d8DR
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b82-12.dat family_redline behavioral1/memory/4464-15-0x0000000000280000-0x00000000002B2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
dNE93.exeanR38.exepid Process 3956 dNE93.exe 4464 anR38.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exedNE93.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" dNE93.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
dNE93.exeanR38.exe80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dNE93.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language anR38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exedNE93.exedescription pid Process procid_target PID 4912 wrote to memory of 3956 4912 80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe 83 PID 4912 wrote to memory of 3956 4912 80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe 83 PID 4912 wrote to memory of 3956 4912 80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe 83 PID 3956 wrote to memory of 4464 3956 dNE93.exe 84 PID 3956 wrote to memory of 4464 3956 dNE93.exe 84 PID 3956 wrote to memory of 4464 3956 dNE93.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe"C:\Users\Admin\AppData\Local\Temp\80b1524dcb88604a2598813b808005af1fbc6a64d61a56e301fec6d661c8ed96.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dNE93.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dNE93.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anR38.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anR38.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4464
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5ff0b6061cbf723c970c73b85a5ec7e12
SHA1d696c90fd6abfc6a4f6f705f8351760f8c297459
SHA256dcc54132667f9082ebcfc75b09faa96bcd770d798a8f6f949faf9f3842afc2d6
SHA5128be4d36062caed72874ccca78e5f1b4ad52d757bb12515f528ca59fd0350e22de8d0c9ab93388c0058270f814070ba463c455685b994bc76f13115290b1f5454
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec