Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 14:56

Static task: static1
Behavioral task: behavioral1
Sample: 82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe
Resource: win10v2004-20241007-en
General
Target: 82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe
Size: 477KB
MD5: 1f22b90c07c5fc78ce192b75b7572355
SHA1: 6b9f409974b6df8ff9edfb4b8e08c568ed3241e1
SHA256: 82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5
SHA512: da1bc03b6ea7d71055e2d4eb7689da8ce5d11a20a9fcd26919fa3da30864d2d248220b8fa15c86bd488ba09c5bb097e24095d9e0b5ba8081f49b0bc57cc2ce79
SSDEEP: 6144:K+y+bnr+sp0yN90QEag/Sgo7giYR3Ky5cGhB/beZZX/3pRBOeRA2K9i1SooH+:2Mrky90AuSgbxDcOB/0P3BlKySje
Malware Config
Extracted
Family: redline
Botnet: fusa
C2: 193.233.20.12:4132
Attributes:
  auth_value: a08b2f01bd2af756e38c5dd60e87e697
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Resource                                                                      YARA rule
behavioral1/files/0x0008000000023c89-12.dat                                   family_redline
behavioral1/memory/3500-15-0x0000000000CF0000-0x0000000000D22000-memory.dmp   family_redline
The memory-dump match comes from PID 3500 (bVp06.exe), the last process in the chain, so the RedLine payload is the innermost dropped executable rather than the submitted file itself.

Redline family

Executes dropped EXE (2 IoCs)
PID     Process
3340    nGb18.exe
3500    bVp06.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by nGb18.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Note: a RunOnce value named wextract_cleanupN whose command is advpack.dll,DelNodeRunDLL32 <dir> is the stock cleanup hook written by the Windows self-extractor stub (wextract.exe, the IExpress package format). It deletes the IXP00N.TMP extraction directory at the next logon; it does not re-launch the sample. Read together with the IXP000.TMP and IXP001.TMP paths, the two entries show that the submitted file is an IExpress package that unpacks nGb18.exe, which is itself a second IExpress package that unpacks bVp06.exe. This is packaging, not attacker-controlled persistence.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by nGb18.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bVp06.exe
Note: all three processes in the chain open this key, including the two self-extractor stubs, so on its own it is a weak indicator for this sample.

Suspicious use of WriteProcessMemory (6 IoCs)
Description                          PID     Process                                                                  procid_target
PID 4532 wrote to memory of 3340     4532    82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe    83
PID 4532 wrote to memory of 3340     4532    82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe    83
PID 4532 wrote to memory of 3340     4532    82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe    83
PID 3340 wrote to memory of 3500     3340    nGb18.exe                                                                84
PID 3340 wrote to memory of 3500     3340    nGb18.exe                                                                84
PID 3340 wrote to memory of 3500     3340    nGb18.exe                                                                84
Each parent writes into the child it just created; there is no write into an unrelated or system process, which is consistent with a self-extractor launching its extracted file rather than with process injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe (PID 4532)
   command line: "C:\Users\Admin\AppData\Local\Temp\82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGb18.exe (PID 3340, child of 1)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGb18.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVp06.exe (PID 3500, child of 2)
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bVp06.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
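The RunOnce writes and the process tree above together identify a two-layer self-extractor wrapper around the final payload. The following Python is added here as an example and is not part of the sandbox report or of any vendor tooling. It takes the registry writes and parent/child relationships as constructed event tuples (the values are copied from this report), recognises the wextract cleanup signature that marks a process as an IExpress stub, and walks the linear process chain to the innermost process that is not a stub. The tuple layout, the function names and the fixed root PID are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed inputs: the values are copied from this report's
# "Adds Run key to start application" and "Suspicious use of
# WriteProcessMemory" sections and arranged as event tuples, the way a
# Sysmon or EDR export of the same run would present them (assumed layout).
SAMPLE = "82de6be454a84543617b6f88313d6748958145e8f37bf836cc3849a2ecc272a5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def cleanup_cmd(dirpath):
    """Stock wextract cleanup command: advpack.dll,DelNodeRunDLL32 followed by the
    quoted extraction directory with a trailing backslash, as seen in the report."""
    return 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "' + dirpath + '\\"'


# (pid, image, registry key, value written)
REGISTRY_EVENTS = [
    (4532, SAMPLE, RUNONCE + r"\wextract_cleanup0", cleanup_cmd(TEMP + r"\IXP000.TMP")),
    (3340, "nGb18.exe", RUNONCE + r"\wextract_cleanup1", cleanup_cmd(TEMP + r"\IXP001.TMP")),
]
# (parent pid, child pid, child image)
PROCESS_EVENTS = [
    (4532, 3340, TEMP + r"\IXP000.TMP\nGb18.exe"),
    (3340, 3500, TEMP + r"\IXP001.TMP\bVp06.exe"),
]

# RunOnce\wextract_cleanupN is the key name the self-extractor stub always uses.
WEXTRACT_KEY = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$", re.IGNORECASE)
# Capture the directory passed to DelNodeRunDLL32, dropping the trailing backslash.
DELNODE_VALUE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+?)\\?"', re.IGNORECASE)


def wextract_layers(registry_events):
    """Return {pid: (layer_index, extraction_dir)} for every process that wrote
    the self-extractor's RunOnce cleanup entry. A match means the process is a
    wextract/IExpress stub, not the payload, and names the unpack directory."""
    layers = {}
    for pid, _image, key, value in registry_events:
        key_match = WEXTRACT_KEY.search(key)
        value_match = DELNODE_VALUE.search(value)
        if key_match and value_match:
            layers[pid] = (int(key_match.group(1)), value_match.group(1))
    return layers


def process_chain(process_events, root):
    """Walk parent -> child from the root (pid, image) while the tree is linear.
    Stops at a fork or a cycle so a malformed export cannot loop forever."""
    children = defaultdict(list)
    for ppid, pid, image in process_events:
        children[ppid].append((pid, image))
    chain = [root]
    seen = {root[0]}
    pid = root[0]
    while len(children[pid]) == 1:
        pid, image = children[pid][0]
        if pid in seen:
            break
        seen.add(pid)
        chain.append((pid, image))
    return chain


def analyse(registry_events, process_events, root):
    """Combine both views: how many extractor layers wrap the sample, where each
    one unpacked to, and which process in the chain is the real payload."""
    layers = wextract_layers(registry_events)
    chain = process_chain(process_events, root)
    extractors = [pid for pid, _ in chain if pid in layers]
    payloads = [(pid, image) for pid, image in chain if pid not in layers]
    return {
        "nesting_depth": len(extractors),
        "extract_dirs": [layers[pid][1] for pid in extractors],
        "payload": payloads[-1] if payloads else None,
    }


if __name__ == "__main__":
    print(analyse(REGISTRY_EVENTS, PROCESS_EVENTS, (4532, TEMP + "\\" + SAMPLE)))
```

On this report's events the result is a nesting depth of 2, extraction directories IXP000.TMP and IXP001.TMP, and bVp06.exe (PID 3500) as the payload, which is the same process the family_redline memory rule matched. The chain walk deliberately stops at the first fork; a stub that launches more than one child needs a separate decision about which branch to follow.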
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 202KB
  MD5: 592d467ac54e09d7d14bdbd1e7800854
  SHA1: 864ed0c5743a22514dfd7327dd805f356c950f81
  SHA256: 06f95b593aa262a6492f2958b92a279842cccc83418e1be597c643041f4bc7dc
  SHA512: 3905fe13b43b6af06083dd88f79fd5129f7bc4c9e38011ec02856b61921f9b21cbbc7f1fc7a9ca3976af71222f0c7631f2245a1a396ed50d3c68ed95a8492d00
- Filesize: 175KB
  MD5: da6f3bef8abc85bd09f50783059964e3
  SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
  SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
  SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec