Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:29
Static task
static1
Behavioral task
behavioral1
Sample
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe
Resource
win10v2004-20241007-en
General
-
Target
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe
-
Size
478KB
-
MD5
32e48534b316448562881440bea8c3e4
-
SHA1
153eaf7cf219b9f58b54fb491b72955404b76e60
-
SHA256
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972
-
SHA512
06d97e6f2a968544ef6413c7e789165c58dda348dc0bbe89027f3f958fdc83ac586faf531e0e40d6a2e4a7aee376d796f8e2e12ba646e9fb724cfbd9eaa356c7
-
SSDEEP
12288:nMrwy90vRveoVoMTtXgj2butHqlzXbF8mtvNO+57a:ryexXVoUFK2ytHqFbFL1OI7a
Malware Config
Extracted
redline
fusa
193.233.20.12:4132
-
auth_value
a08b2f01bd2af756e38c5dd60e87e697
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023c8e-12.dat family_redline behavioral1/memory/3588-15-0x0000000000840000-0x0000000000872000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
Processes:
nBQ22.exebkx87.exepid Process 4960 nBQ22.exe 3588 bkx87.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exenBQ22.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nBQ22.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exenBQ22.exebkx87.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nBQ22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bkx87.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exenBQ22.exedescription pid Process procid_target PID 4320 wrote to memory of 4960 4320 716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe 83 PID 4320 wrote to memory of 4960 4320 716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe 83 PID 4320 wrote to memory of 4960 4320 716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe 83 PID 4960 wrote to memory of 3588 4960 nBQ22.exe 84 PID 4960 wrote to memory of 3588 4960 nBQ22.exe 84 PID 4960 wrote to memory of 3588 4960 nBQ22.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe"C:\Users\Admin\AppData\Local\Temp\716c5a41adc72a4e21ef90e4a3fc3360edde9dafc604c90916943c4f408d8972.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBQ22.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nBQ22.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bkx87.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bkx87.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5a463bd129b26cf407725780fb619e52e
SHA1d248b013a5353f165a9abb8888b18cd50bb1053f
SHA256ab5fb41d6f26de2a0ea588e5b646091e88aa555499f9479591db2ffa155e2323
SHA512ced01e1f31bfb7680e11ac8c30038d9acbc93b7f1b28754c2a94a991f4dcafd5288a2164f56b0b0863dd9b4a5b7a1beaa910761caf6496abddb9f5e1a86971ed
-
Filesize
175KB
MD5da6f3bef8abc85bd09f50783059964e3
SHA1a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA5124d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec