Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 12:42

General

  • Target

    21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe

  • Size

    715KB

  • MD5

    bd8353f3c56f737b4421efff1a9a44f0

  • SHA1

    943a78c7141381ef9437ea3a05297cb9fff78073

  • SHA256

    21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a

  • SHA512

    55b58f6f96710d43505eb8927f861b8b7ed2ecf5b2eda98b4fc77001cbfa0c0f4996251bdfd6dc82a4ae7913b23dd9ca02bac14fdf0434b57cc62b92269b981c

  • SSDEEP

    12288:kMrky905ZGCV7O1RYwuNDnUOierwegK88SfbIPo/jMe/ChjOR0r9EyFGL521:IyGJV7UMN4zLK88SfbI+jMe/3SREyFGC

Malware Config

Extracted

  • Family
    redline
  • Botnet
    fusa
  • C2
    193.233.20.12:4132
  • Attributes
    • auth_value
      a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Redline family
  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe
    "C:\Users\Admin\AppData\Local\Temp\21a520c78e32775b6f657fcad7d3a09767b82b2801f7bf22c849546dc6b5e28a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUE95MX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUE95MX.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVr87UI.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVr87UI.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kqr85BG.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kqr85BG.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sUE95MX.exe

    Filesize

    611KB

    MD5

    d7815fa16bdd7b1e7f8b5f03bd9c35d2

    SHA1

    ea91847c7cdec2f3ad68599e6d288fd1bd60506c

    SHA256

    2392fda629a36bbb0849d242904ec5d27d6fdd91379bdbf1277b8e6189de3c6d

    SHA512

    ee2bbdab343a31213e608b9fcf03cdb964c88a626cbcb716793706fd736a9fe181029a99759b47cf85e47849689281046983f26da6b12e0627603c244e2fcd34

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sVr87UI.exe

    Filesize

    286KB

    MD5

    24c09228658c2215d669712ef8c7dd32

    SHA1

    b4fbfbca5966bbef891e30e62a032e290d51f0cf

    SHA256

    f759a1b74e4ba5e501c5a8a1fbc794a5f3d8884891b112d3ec1e0402405836d5

    SHA512

    0bd8251212bfe7fb5e710d377de508316588a7bcc70f08d279262d2fe78e578a941a7af57dd1f9e3d99a6b3b1aa570ea89f0059034573fe6e18c9282e5953bdf

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kqr85BG.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/3320-21-0x0000000000B70000-0x0000000000BA2000-memory.dmp

    Filesize

    200KB

  • memory/3320-22-0x0000000005990000-0x0000000005FA8000-memory.dmp

    Filesize

    6.1MB

  • memory/3320-23-0x0000000005510000-0x000000000561A000-memory.dmp

    Filesize

    1.0MB

  • memory/3320-24-0x0000000005460000-0x0000000005472000-memory.dmp

    Filesize

    72KB

  • memory/3320-25-0x0000000005480000-0x00000000054BC000-memory.dmp

    Filesize

    240KB

  • memory/3320-26-0x00000000054C0000-0x000000000550C000-memory.dmp

    Filesize

    304KB