Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:37
Static task
static1
Behavioral task
behavioral1
Sample
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe
Resource
win10v2004-20241007-en
General
-
Target
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe
-
Size
550KB
-
MD5
550c0008e338f8348535fb8be36c7ffa
-
SHA1
b5bd66272fc6804e2c2570f751d334c54552452e
-
SHA256
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b
-
SHA512
1952e9590ad5c1d36b20081e42039239e2e025c2be5dece1596c672b6b5e9d75ff1b380bfe120e49fc4873de141ce31db2d728fcec8fe89c35833c5b5c7fff8f
-
SSDEEP
12288:6Mrey90NMcPFIdVasycmZSE9c3YY5qdZO1mI9zz6Jb8:QyCMI2Pazvj92q/O1mI9v6e
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b61-11.dat family_redline behavioral1/memory/3020-15-0x0000000000A50000-0x0000000000A82000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nmu91.exebPc42.exepid Process 2472 nmu91.exe 3020 bPc42.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exenmu91.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nmu91.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exenmu91.exebPc42.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nmu91.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bPc42.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exenmu91.exedescription pid Process procid_target PID 2892 wrote to memory of 2472 2892 54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe 83 PID 2892 wrote to memory of 2472 2892 54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe 83 PID 2892 wrote to memory of 2472 2892 54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe 83 PID 2472 wrote to memory of 3020 2472 nmu91.exe 84 PID 2472 wrote to memory of 3020 2472 nmu91.exe 84 PID 2472 wrote to memory of 3020 2472 nmu91.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe"C:\Users\Admin\AppData\Local\Temp\54433eb6ed14e0a271f76bb83319f32861c7d2ed6349b734ad6ba213a371f88b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmu91.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nmu91.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPc42.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bPc42.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5a66bb72d8fe0427b01d08565bcb08f68
SHA1db1e38041ee5e6098094ad1a3486cd34ad42e755
SHA25690e88225ec35f04f384791a27b76da9ff8412bfedc87d985ff4c23a990df954b
SHA5128b9117ebd86875d3fe0139a89b0e57c9abd75d5847bfbe14901d9d01613dda113c4cb3671477828e856f5d74484aea6bed54121c839648157d5a83f17e4838a8
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec