Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe
Resource
win10v2004-20241007-en
General
-
Target
c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe
-
Size
551KB
-
MD5
ce23ad236cc7ec99f2b5b93573fedfef
-
SHA1
0c2ab1c95657687c71dc1003def641a8d317165f
-
SHA256
c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25
-
SHA512
792a4a1a3011e8183824ed0abc871c10178713d6b00647b4bf5e4f2d080ef4125eec4b06a794fdec469300c93987889e4c936e24d9ae6de72fc2b18ce713bb50
-
SSDEEP
12288:dMrTy90AnxQhbHOgV9eB0wphXpCllG/jLY7L8XHrP2U:eyBxQhjOdPXpWYK2HreU
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b6f-12.dat family_redline behavioral1/memory/4628-15-0x0000000000BD0000-0x0000000000C02000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nus92.exebeq86.exepid Process 3436 nus92.exe 4628 beq86.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nus92.exec59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nus92.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
nus92.exebeq86.exec59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nus92.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language beq86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exenus92.exedescription pid Process procid_target PID 4276 wrote to memory of 3436 4276 c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe 83 PID 4276 wrote to memory of 3436 4276 c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe 83 PID 4276 wrote to memory of 3436 4276 c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe 83 PID 3436 wrote to memory of 4628 3436 nus92.exe 84 PID 3436 wrote to memory of 4628 3436 nus92.exe 84 PID 3436 wrote to memory of 4628 3436 nus92.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe"C:\Users\Admin\AppData\Local\Temp\c59dd6f9a00d585dc6c324a6a3b67bccedcf09ba726c6134486c97278fea9f25.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nus92.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nus92.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beq86.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beq86.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5f23dcbc36c17b97de8008ae6edee3fa2
SHA1e35238f82283c944c0e075e4fb84b99792d088c6
SHA256f490541dfc06acb533abdea4b67e7537ead60ac7450db935c2117a21ddfc189a
SHA512f0eca140a685f00eeae169015b57c17c387a51cc524cba1d6fb2abfd32acc2766a0ea083231f10f4d68d3ee0516e26c156c90d0d165fa70ee2ef628a9dce13df
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec