Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 14:19
Static task
static1
Behavioral task
behavioral1
Sample
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe
Resource
win10v2004-20241007-en
General
-
Target
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe
-
Size
478KB
-
MD5
8a34ed9ca595a5f1f46dd39a248ee429
-
SHA1
7e968ad06ebf3255f25503b335b57c689ecf845a
-
SHA256
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc
-
SHA512
d9308f820e18c263c20aee2b7ec7c2970458f747a98de35399e52ac2257c57ab4c6ea89ad438be056032237c5fc4c3745f99c18b2b8a332480102900b9319948
-
SSDEEP
12288:BMruy90CiopYjVvvhccxL+L0fvkYSiNHespGNrJD:HyLiopCVR599SiN+CyrJD
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000b000000023b99-12.dat family_redline behavioral1/memory/2240-15-0x0000000000560000-0x0000000000592000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nQR38.exebEH21.exepid Process 4144 nQR38.exe 2240 bEH21.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exenQR38.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nQR38.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exenQR38.exebEH21.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nQR38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bEH21.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exenQR38.exedescription pid Process procid_target PID 3100 wrote to memory of 4144 3100 faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe 83 PID 3100 wrote to memory of 4144 3100 faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe 83 PID 3100 wrote to memory of 4144 3100 faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe 83 PID 4144 wrote to memory of 2240 4144 nQR38.exe 84 PID 4144 wrote to memory of 2240 4144 nQR38.exe 84 PID 4144 wrote to memory of 2240 4144 nQR38.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe"C:\Users\Admin\AppData\Local\Temp\faaf8710d99151b8603200611ddbe8eed7c416a8d63bf07e1d3009f76cfa0acc.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQR38.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQR38.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bEH21.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bEH21.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD557647be2fc46c5b55ac14af0d85f89ce
SHA1f6f297b470313eb67e0fb4e4bb38ee3e6444add9
SHA256c51823b7a766729ef7e842a21071f426c6cb4aefa1154b45260ce118bfd4c44f
SHA512b09cebe6ac8d3d0c2be647fda1028fbf147efbf753b749d1415ad185970ad26d4f2244a58e558b48a4ee79886c712ac8647574637898b25bea06f8a2566ffb7c
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec