Analysis
-
max time kernel
131s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:10
Static task
static1
Behavioral task
behavioral1
Sample
1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe
Resource
win10v2004-20241007-en
General
-
Target
1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe
-
Size
470KB
-
MD5
6b8405a338407cd9176c2a629f486999
-
SHA1
231de41ffce3f6f84c0b2c04bd09f92356b0e529
-
SHA256
1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766
-
SHA512
b77a09baefc248710508c9313cbd34ac6b39e2561c5a955c143c2595d4b342e6e70c883c6c99a5867ef00e8f4b629d48a56147818ccefbca29c2f5f563f2c691
-
SSDEEP
6144:K5y+bnr+Sp0yN90QELcFAXubPOr0seq7T7HrPzkE89AbYTiM8cs0U0uYHSA:vMrey90qFAXuahL/TNqAYT3sl0byA
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023ca3-12.dat family_redline behavioral1/memory/4744-15-0x0000000000F40000-0x0000000000F72000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nwh82.exebmA07.exepid Process 888 nwh82.exe 4744 bmA07.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exenwh82.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nwh82.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bmA07.exe1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exenwh82.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bmA07.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nwh82.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exenwh82.exedescription pid Process procid_target PID 3068 wrote to memory of 888 3068 1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe 83 PID 3068 wrote to memory of 888 3068 1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe 83 PID 3068 wrote to memory of 888 3068 1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe 83 PID 888 wrote to memory of 4744 888 nwh82.exe 84 PID 888 wrote to memory of 4744 888 nwh82.exe 84 PID 888 wrote to memory of 4744 888 nwh82.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe"C:\Users\Admin\AppData\Local\Temp\1eb76567fc9ef8e3835e994e021fec2ce1b3fe39da63218d16286da276ac8766.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nwh82.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nwh82.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmA07.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmA07.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4744
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
200KB
MD55157ce301376e857bc2c4123346e932e
SHA11c09c1944c806322d8ac37d82aa9770e79626ea3
SHA256915a8b5831d05159020ef95df87945886215061545e2ca87a743818a4d329afd
SHA5121bfdb2bd237ce0f8435166070becd764ad2c9f1122cb5ca4945a41261f859e8b3b1392e2c429bfba0b1cd164e3054ca9dd59fe3ecf907747ff61a9b9997228e7
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec