Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 14:11
Static task
static1
Behavioral task
behavioral1
Sample
9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe
Resource
win10v2004-20241007-en
General
-
Target
9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe
-
Size
477KB
-
MD5
df2b29d1a12c39938f873652523d3dc7
-
SHA1
757e9f9b907a43908b72eb0448502a3191d705a9
-
SHA256
9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436
-
SHA512
3e6d2f6153d762f138f4763134da230066413b1f851ff9324a1567f8fd54410698949f0a573f9a1ffa2eb6fc5fdea28d90e003d765758d98f14f76bd45ad1c31
-
SSDEEP
6144:Kqy+bnr+Ap0yN90QEXkyYivkTdzFL1bPm9H8/ZCRv+SDKL8CdT5kDWX:+MrQy90hkDzDDm9H8xCV+SDKLJ5kDw
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b98-12.dat family_redline behavioral1/memory/2872-15-0x00000000002D0000-0x0000000000302000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nYM60.exebyY29.exepid Process 2216 nYM60.exe 2872 byY29.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exenYM60.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nYM60.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
byY29.exe9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exenYM60.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byY29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nYM60.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exenYM60.exedescription pid Process procid_target PID 2116 wrote to memory of 2216 2116 9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe 83 PID 2116 wrote to memory of 2216 2116 9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe 83 PID 2116 wrote to memory of 2216 2116 9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe 83 PID 2216 wrote to memory of 2872 2216 nYM60.exe 84 PID 2216 wrote to memory of 2872 2216 nYM60.exe 84 PID 2216 wrote to memory of 2872 2216 nYM60.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe"C:\Users\Admin\AppData\Local\Temp\9f6cca84d344f59856c1d6117c43063a9830f171097f4c0af74bee2214725436.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYM60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nYM60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byY29.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byY29.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5910daa92243f22395feef9ada7e81795
SHA11e843abc49617beb65d0b99aac5cd2b6fd9c138e
SHA25662addab33384ef01a234c7f6885ef6e01f712f6f7f62ab1d100edd5e40cc2629
SHA512c2a7b3bfcf726b920f9a3841e64924cf24da1e0532559b08daf99903f304b47864b017a22546b3f95672a2b6c7880393b37e72678c77e7b7165bf834c0deb483
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec