Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 14:56

General

  • Target

    82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe

  • Size

    477KB

  • MD5

    1f22b90c07c5fc78ce192b75b7572355

  • SHA1

    6b9f409974b6df8ff9edfb4b8e08c568ed3241e1

  • SHA256

    82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5

  • SHA512

    da1bc03b6ea7d71055e2d4eb7689da8ce5d11a20a9fcd26919fa3da30864d2d248220b8fa15c86bd488ba09c5bb097e24095d9e0b5ba8081f49b0bc57cc2ce79

  • SSDEEP

    6144:K+y+bnr+sp0yN90QEag/Sgo7giYR3Ky5cGhB/beZZX/3pRBOeRA2K9i1SooH+:2Mrky90AuSgbxDcOB/0P3BlKySje

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe
    "C:\Users\Admin\AppData\Local\Temp\82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGb18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGb18.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVp06.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVp06.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGb18.exe

    Filesize

    202KB

    MD5

    592d467ac54e09d7d14bdbd1e7800854

    SHA1

    864ed0c5743a22514dfd7327dd805f356c950f81

    SHA256

    06f95b593aa262a6492f2958b92a279842cccc83418e1be597c643041f4bc7dc

    SHA512

    3905fe13b43b6af06083dd88f79fd5129f7bc4c9e38011ec02856b61921f9b21cbbc7f1fc7a9ca3976af71222f0c7631f2245a1a396ed50d3c68ed95a8492d00

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVp06.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/3500-14-0x00000000747BE000-0x00000000747BF000-memory.dmp

    Filesize

    4KB

  • memory/3500-15-0x0000000000CF0000-0x0000000000D22000-memory.dmp

    Filesize

    200KB

  • memory/3500-16-0x0000000005C70000-0x0000000006288000-memory.dmp

    Filesize

    6.1MB

  • memory/3500-17-0x00000000057C0000-0x00000000058CA000-memory.dmp

    Filesize

    1.0MB

  • memory/3500-18-0x00000000056F0000-0x0000000005702000-memory.dmp

    Filesize

    72KB

  • memory/3500-19-0x0000000005750000-0x000000000578C000-memory.dmp

    Filesize

    240KB

  • memory/3500-20-0x00000000058D0000-0x000000000591C000-memory.dmp

    Filesize

    304KB

  • memory/3500-21-0x00000000747BE000-0x00000000747BF000-memory.dmp

    Filesize

    4KB