Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 12:42
Static task
static1
Behavioral task
behavioral1
Sample
21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe
Resource
win10v2004-20241007-en
General
-
Target
21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe
-
Size
715KB
-
MD5
bd8353f3c56f737b4421efff1a9a44f0
-
SHA1
943a78c7141381ef9437ea3a05297cb9fff78073
-
SHA256
21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a
-
SHA512
55b58f6f96710d43505eb8927f861b8b7ed2ecf5b2eda98b4fc77001cbfa0c0f4996251bdfd6dc82a4ae7913b23dd9ca02bac14fdf0434b57cc62b92269b981c
-
SSDEEP
12288:kMrky905ZGCV7O1RYwuNDnUOierwegK88SfbIPo/jMe/ChjOR0r9EyFGL521:IyGJV7UMN4zLK88SfbI+jMe/3SREyFGC
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cea-19.dat family_redline behavioral1/memory/3320-21-0x0000000000B70000-0x0000000000BA2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
sUE95MX.exesVr87UI.exekqr85BG.exepid Process 1800 sUE95MX.exe 4080 sVr87UI.exe 3320 kqr85BG.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
sVr87UI.exe21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exesUE95MX.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" sVr87UI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" sUE95MX.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exesUE95MX.exesVr87UI.exekqr85BG.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sUE95MX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sVr87UI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kqr85BG.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exesUE95MX.exesVr87UI.exedescription pid Process procid_target PID 3144 wrote to memory of 1800 3144 21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe 85 PID 3144 wrote to memory of 1800 3144 21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe 85 PID 3144 wrote to memory of 1800 3144 21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe 85 PID 1800 wrote to memory of 4080 1800 sUE95MX.exe 86 PID 1800 wrote to memory of 4080 1800 sUE95MX.exe 86 PID 1800 wrote to memory of 4080 1800 sUE95MX.exe 86 PID 4080 wrote to memory of 3320 4080 sVr87UI.exe 87 PID 4080 wrote to memory of 3320 4080 sVr87UI.exe 87 PID 4080 wrote to memory of 3320 4080 sVr87UI.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe"C:\Users\Admin\AppData\Local\Temp\21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUE95MX.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUE95MX.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVr87UI.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVr87UI.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kqr85BG.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kqr85BG.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3320
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
611KB
MD5d7815fa16bdd7b1e7f8b5f03bd9c35d2
SHA1ea91847c7cdec2f3ad68599e6d288fd1bd60506c
SHA2562392fda629a36bbb0849d242904ec5d27d6fdd91379bdbf1277b8e6189de3c6d
SHA512ee2bbdab343a31213e608b9fcf03cdb964c88a626cbcb716793706fd736a9fe181029a99759b47cf85e47849689281046983f26da6b12e0627603c244e2fcd34
-
Filesize
286KB
MD524c09228658c2215d669712ef8c7dd32
SHA1b4fbfbca5966bbef891e30e62a032e290d51f0cf
SHA256f759a1b74e4ba5e501c5a8a1fbc794a5f3d8884891b112d3ec1e0402405836d5
SHA5120bd8251212bfe7fb5e710d377de508316588a7bcc70f08d279262d2fe78e578a941a7af57dd1f9e3d99a6b3b1aa570ea89f0059034573fe6e18c9282e5953bdf
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec