Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:19
Static task
static1
Behavioral task
behavioral1
Sample
fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe
Resource
win10v2004-20241007-en
General
-
Target
fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe
-
Size
494KB
-
MD5
83d42303b9a7153d56c8afd1c8829dd0
-
SHA1
27fa0bf779c3548bfa473efad1fba2fe73d511eb
-
SHA256
fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55
-
SHA512
3a6b78b3bdb2f69d90a7ad7f30c5566d079afab296c54b01816805bf1528c47d9d9ec87a95400ba2fa97858dba8bccde418edf35bb22cc0a9baff7ba0bcc2f1c
-
SSDEEP
12288:DMrNy90vgrVsa5Q+gyZq5rY6G9aqXoSnJ3sbZiW0jkk:WyPVf5Q6ZabGdoSJ3skWckk
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b91-12.dat family_redline behavioral1/memory/3272-15-0x0000000000E30000-0x0000000000E62000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
neg03.exebHP31.exepid Process 3968 neg03.exe 3272 bHP31.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
neg03.exefe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" neg03.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exeneg03.exebHP31.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neg03.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bHP31.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exeneg03.exedescription pid Process procid_target PID 1872 wrote to memory of 3968 1872 fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe 83 PID 1872 wrote to memory of 3968 1872 fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe 83 PID 1872 wrote to memory of 3968 1872 fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe 83 PID 3968 wrote to memory of 3272 3968 neg03.exe 84 PID 3968 wrote to memory of 3272 3968 neg03.exe 84 PID 3968 wrote to memory of 3272 3968 neg03.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe"C:\Users\Admin\AppData\Local\Temp\fe44c51d74454ce60c94855c4431ac34bdecb1e18341f50e786fc0f7f27e6d55.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neg03.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\neg03.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHP31.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHP31.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3272
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5b97222f753da8b19522316d2f0214752
SHA118cca22feae000454263d82337bf7a4d9724091b
SHA256a3885040e45c2d6cf9b206c3e6b93b037cf25c5653d07aff4b22dd02557ab582
SHA51277e4b3e561fa1fe85467a089bac746d3cf13ae6c3f0cfcf635c33b4e1d9972ed8592c4007e74dd5edccbc848405a8c77cb4ccef7babe7ed8485caba78a10c4b2
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec