Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 11:44
Static task
static1
Behavioral task
behavioral1
Sample
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe
Resource
win10v2004-20241007-en
General
-
Target
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe
-
Size
478KB
-
MD5
dfb36109e626eadfcd8dc9d636d3cba3
-
SHA1
5c4d0762f48f6451f9b191295d2a8f591c0f39f2
-
SHA256
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216
-
SHA512
80443cbd47c808363aa7b2032e0ae22d30285b4d8b47a1f1f5b2829ceabbf14ba18ead3116ace58e621e83982bcc48391a2e724d33a41e8c037291b190404f01
-
SSDEEP
12288:6Mr2y90nrX2VWchW7dxu85XpHjRgQgEt4+52Kl:sywrmVspxrjR74ITl
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b9d-12.dat family_redline behavioral1/memory/3672-15-0x0000000000CB0000-0x0000000000CE2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nTB82.exebby36.exepid Process 4632 nTB82.exe 3672 bby36.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exenTB82.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nTB82.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exenTB82.exebby36.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nTB82.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bby36.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exenTB82.exedescription pid Process procid_target PID 2008 wrote to memory of 4632 2008 57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe 83 PID 2008 wrote to memory of 4632 2008 57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe 83 PID 2008 wrote to memory of 4632 2008 57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe 83 PID 4632 wrote to memory of 3672 4632 nTB82.exe 84 PID 4632 wrote to memory of 3672 4632 nTB82.exe 84 PID 4632 wrote to memory of 3672 4632 nTB82.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe"C:\Users\Admin\AppData\Local\Temp\57e60972c1324a1ff47640d2f8453245b58d47829bc78ddba1c299bf50d5c216.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nTB82.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nTB82.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bby36.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bby36.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD55c3ed2bb7ae26ffff41c560adf287814
SHA1324c11568377ad0cd5802c874eb9c58ad35a121a
SHA25671517c1b90733b2aab457f7b6f1eb1e714177e91ccddf7ffe955ae20011072f3
SHA512e7a895c4005004b49cba125d011453da130d1a3090ffb8ac4b09ea6f9d0e8359f8985af7b30bbf87b72703c15cd9704dcbd59277daae52ad091ef02bb15bef50
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec