Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 14:19
Static task: static1
Behavioral task: behavioral1
Sample: 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe
Resource: win10v2004-20241007-en
General
Target: 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe
Size: 796KB
MD5: 68a7a48c361adec23c986007fa539912
SHA1: 0f94901ccd28dd433e7e7bb93685d0d6faf1d86b
SHA256: 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179
SHA512: 930b08729ea265676cda9055842d6daabd2555b3384160898230518493c54d7e0b2ec7f1ecfa2cce57d3733d9a90d82d6e20ce48181cfc0e035fd21203b556fc
SSDEEP: 24576:+yWNeimaYimFL88CiJIzCjyx1wBAfQ95GBa:NW8/Pio88CCKCGxeBAU5G
Malware Config
Extracted
Family: redline
Botnet: fusa
C2: 193.233.20.12:4132
auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource yara_rule
behavioral1/files/0x0008000000023ca6-19.dat family_redline
behavioral1/memory/5020-21-0x0000000000B70000-0x0000000000BA2000-memory.dmp family_redline
Redline family
Executes dropped EXE (3 IoCs)
pid Process
388 sIr73Ll.exe
244 sdI42Tf.exe
5020 kRR29WT.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" sdI42Tf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" sIr73Ll.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kRR29WT.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sIr73Ll.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sdI42Tf.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description pid Process procid_target
PID 4880 wrote to memory of 388 4880 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe 82
PID 4880 wrote to memory of 388 4880 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe 82
PID 4880 wrote to memory of 388 4880 0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe 82
PID 388 wrote to memory of 244 388 sIr73Ll.exe 84
PID 388 wrote to memory of 244 388 sIr73Ll.exe 84
PID 388 wrote to memory of 244 388 sIr73Ll.exe 84
PID 244 wrote to memory of 5020 244 sdI42Tf.exe 85
PID 244 wrote to memory of 5020 244 sdI42Tf.exe 85
PID 244 wrote to memory of 5020 244 sdI42Tf.exe 85
Processes
C:\Users\Admin\AppData\Local\Temp\0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe (PID 4880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b25dd5956483a6b505cdec73d450176d37c710b6d9b48c1d2354d8752a9f179.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sIr73Ll.exe (PID 388)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sIr73Ll.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sdI42Tf.exe (PID 244)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sdI42Tf.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kRR29WT.exe (PID 5020)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kRR29WT.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads