Analysis
-
max time kernel
131s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 13:04
Static task
static1
Behavioral task
behavioral1
Sample
457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe
Resource
win10v2004-20241007-en
General
-
Target
457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe
-
Size
472KB
-
MD5
f6654c5e1513f344abd7a513bfe18709
-
SHA1
e3ee93c8cfa0298d6bb7fcd94af5a25e9009a449
-
SHA256
457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656
-
SHA512
3da799d849645b1896aff7eca240722c0dbf2d8e9a494ac232d27b1c16f09fae35e73cd630421d43b7ceb0a17488d486e29cbd2711cb593e4c6dcbcba81b3fb6
-
SSDEEP
12288:vMrmy90T8yrgVtzJ0p5Zz4PSEP0I08JtWO8:FyWUVfHqEP0I00K
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000a000000023ba4-12.dat family_redline behavioral1/memory/2176-15-0x0000000000680000-0x00000000006B2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nUl15.exebIf97.exepid Process 3008 nUl15.exe 2176 bIf97.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
nUl15.exe457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nUl15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exenUl15.exebIf97.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nUl15.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bIf97.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exenUl15.exedescription pid Process procid_target PID 524 wrote to memory of 3008 524 457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe 83 PID 524 wrote to memory of 3008 524 457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe 83 PID 524 wrote to memory of 3008 524 457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe 83 PID 3008 wrote to memory of 2176 3008 nUl15.exe 84 PID 3008 wrote to memory of 2176 3008 nUl15.exe 84 PID 3008 wrote to memory of 2176 3008 nUl15.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe"C:\Users\Admin\AppData\Local\Temp\457c79c40a6f3c7994b62b131932c227cba316ed0c25fb36d15022b427c1c656.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUl15.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nUl15.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIf97.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bIf97.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5d0218c42104ef8055b850785461b22ae
SHA1a3d76c9dc6e8299a7cbdb1866bd72e9d239c9507
SHA25694c3096bd80f50cabda0be7193afcffd6bbe23cbfb1a905496dc69f8c22bebb2
SHA51245fc1b137ed9fd3905ad90c31e0a63c11278fc04a192e8b675556995ff2fefe82272b5c1b1e9ea25b242c693a38f5415d849c74ca4dedae62eeb207c42d2d405
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec