Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:37
Static task
static1
Behavioral task
behavioral1
Sample
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe
Resource
win10v2004-20241007-en
General
-
Target
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe
-
Size
480KB
-
MD5
1e14f3a19e4cec2932ed1cadbc99fdb2
-
SHA1
92ba48f4f66bd46da84a10768cf23b4abf23572e
-
SHA256
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6
-
SHA512
0418b48e245e1e856566aa2014f87b09be48d50d5115ce3df79bd8718c9e9557e0e8245a1c0d8b234229071401d949c667d6933eac8a087ccfbe9abcea6cd0c0
-
SSDEEP
12288:yMrky90FRzYVI2ncL9qABIke54L36IKEjbgf:WyaRzYVLGgkeQ6IKy0f
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cc5-12.dat family_redline behavioral1/memory/2316-15-0x0000000000BA0000-0x0000000000BD2000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nWM56.exebWh32.exepid Process 4112 nWM56.exe 2316 bWh32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exenWM56.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nWM56.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exenWM56.exebWh32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nWM56.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bWh32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exenWM56.exedescription pid Process procid_target PID 1312 wrote to memory of 4112 1312 de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe 83 PID 1312 wrote to memory of 4112 1312 de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe 83 PID 1312 wrote to memory of 4112 1312 de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe 83 PID 4112 wrote to memory of 2316 4112 nWM56.exe 84 PID 4112 wrote to memory of 2316 4112 nWM56.exe 84 PID 4112 wrote to memory of 2316 4112 nWM56.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe"C:\Users\Admin\AppData\Local\Temp\de41a09330148f95de4e44908b74c72b232fca2a53f5421a5a7f5dbabe9e2fd6.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nWM56.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nWM56.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bWh32.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bWh32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD54e3b47af02414b5278e517779a866eb9
SHA1b3797dab736106849408e8621913d97edbeea480
SHA256230df651e6339e854e43d4dfc11bab042e0438df78c3726e22920c77661cb1b6
SHA512459df969d1c694c0dbf472c6e7a63c5512cb7306de232ce75162c0b1a9a491b0c1dc950b158f23d3258094b4bd2c9a100831a3bd5138a84718baf8caa2bfc5a8
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec