Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:09
Static task
static1
Behavioral task
behavioral1
Sample
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe
Resource
win10v2004-20241007-en
General
-
Target
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe
-
Size
470KB
-
MD5
f9938f2e6cd6c5edf7ac9bc48cd2520e
-
SHA1
f3b0c00dffeb4610e6fea43f7fddd66a36e4cfcf
-
SHA256
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c
-
SHA512
d6db6dd0b77efac12eac9076ad99066b51c3480cdbe564223e0df4d1ff824fb2317835f5bc2e193612ff117541ead58e87a3d24e27d618c09eb449bd208da650
-
SSDEEP
12288:tMr2y90Dg0mQzsULJJC99VIFkaJ7CwML:nyYTXLJAHVIFTmwML
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0009000000023c9f-12.dat family_redline behavioral1/memory/756-15-0x0000000000E00000-0x0000000000E32000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nRd34.exebQF78.exepid Process 4308 nRd34.exe 756 bQF78.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exenRd34.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nRd34.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exenRd34.exebQF78.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nRd34.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bQF78.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exenRd34.exedescription pid Process procid_target PID 4528 wrote to memory of 4308 4528 0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe 83 PID 4528 wrote to memory of 4308 4528 0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe 83 PID 4528 wrote to memory of 4308 4528 0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe 83 PID 4308 wrote to memory of 756 4308 nRd34.exe 85 PID 4308 wrote to memory of 756 4308 nRd34.exe 85 PID 4308 wrote to memory of 756 4308 nRd34.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe"C:\Users\Admin\AppData\Local\Temp\0c45d0f3b9b57efd296d15973fdb71b3bd739bc9cc767daa6f086a3aa7c9a54c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRd34.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nRd34.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bQF78.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bQF78.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD547bde9c61cb9b8079960e55202276f76
SHA178c557dc0e1e0355d622f94a9ca44f5248cad639
SHA256cd8cd662378bdd7152fbc1c0319549b08d8e3f5a50dc859b8da74ff2e4bd2121
SHA512cf7a7c8673e6aca9c5fa2ee283527e0c6143e47435f728910aa99f9a409b28541a8cc1388d0c714d7580255f1280dec4ff237c3b895790263792976cb8a51b12
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec