Analysis
-
max time kernel
106s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:19
Static task
static1
Behavioral task
behavioral1
Sample
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe
Resource
win10v2004-20241007-en
General
-
Target
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe
-
Size
202KB
-
MD5
bfc4502948ae341d9a3f9cc2e2ba8f10
-
SHA1
b5a7b1cb11cd4e5fea9157f59ea9ca84247eb3e4
-
SHA256
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdf
-
SHA512
c4ff48cab682a6711408c6e383a65d44d24e2d12afcd87dd75b63e2dab35c1a15ac0693914bc8d99a42c10ff3c442a388336df0414678df3c0c7ed8dcf101829
-
SSDEEP
3072:KBy+bnr+O1M5GWp1icKAArDZz4N9GhbkrNEk6IzacxnZSxZ5dnlYD:KBy+bnr+zp0yN90QESzZxnZSxZ3i
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0007000000023c76-5.dat family_redline behavioral1/memory/4420-8-0x00000000008A0000-0x00000000008D2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
Processes:
bKb33.exepid Process 4420 bKb33.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exebKb33.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bKb33.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exedescription pid Process procid_target PID 1296 wrote to memory of 4420 1296 3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe 83 PID 1296 wrote to memory of 4420 1296 3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe 83 PID 1296 wrote to memory of 4420 1296 3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe"C:\Users\Admin\AppData\Local\Temp\3a1edbef555c5ce3766518f0a6f40e59bee869894abe027b4555bf0342521bdfN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bKb33.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bKb33.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec