Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 15:29

General

  • Target

    716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe

  • Size

    478KB

  • MD5

    32e48534b316448562881440bea8c3e4

  • SHA1

    153eaf7cf219b9f58b54fb491b72955404b76e60

  • SHA256

    716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972

  • SHA512

    06d97e6f2a968544ef6413c7e789165c58dda348dc0bbe89027f3f958fdc83ac586faf531e0e40d6a2e4a7aee376d796f8e2e12ba646e9fb724cfbd9eaa356c7

  • SSDEEP

    12288:nMrwy90vRveoVoMTtXgj2butHqlzXbF8mtvNO+57a:ryexXVoUFK2ytHqFbFL1OI7a

Malware Config

Extracted

  • Family
    redline
  • Botnet
    fusa
  • C2
    193.233.20.12:4132
  • Attributes
    auth_value: a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe
    "C:\Users\Admin\AppData\Local\Temp\716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBQ22.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBQ22.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bkx87.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bkx87.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3588

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBQ22.exe

    Filesize

    202KB

    MD5

    a463bd129b26cf407725780fb619e52e

    SHA1

    d248b013a5353f165a9abb8888b18cd50bb1053f

    SHA256

    ab5fb41d6f26de2a0ea588e5b646091e88aa555499f9479591db2ffa155e2323

    SHA512

    ced01e1f31bfb7680e11ac8c30038d9acbc93b7f1b28754c2a94a991f4dcafd5288a2164f56b0b0863dd9b4a5b7a1beaa910761caf6496abddb9f5e1a86971ed

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bkx87.exe

    Filesize

    175KB

    MD5

    da6f3bef8abc85bd09f50783059964e3

    SHA1

    a0f25f60ec1896c4c920ea397f40e6ce29724322

    SHA256

    e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

    SHA512

    4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

  • memory/3588-14-0x000000007473E000-0x000000007473F000-memory.dmp

    Filesize

    4KB

  • memory/3588-15-0x0000000000840000-0x0000000000872000-memory.dmp

    Filesize

    200KB

  • memory/3588-16-0x0000000005670000-0x0000000005C88000-memory.dmp

    Filesize

    6.1MB

  • memory/3588-17-0x00000000051E0000-0x00000000052EA000-memory.dmp

    Filesize

    1.0MB

  • memory/3588-18-0x0000000005120000-0x0000000005132000-memory.dmp

    Filesize

    72KB

  • memory/3588-19-0x0000000005180000-0x00000000051BC000-memory.dmp

    Filesize

    240KB

  • memory/3588-20-0x00000000052F0000-0x000000000533C000-memory.dmp

    Filesize

    304KB

  • memory/3588-21-0x000000007473E000-0x000000007473F000-memory.dmp

    Filesize

    4KB