Analysis
-
max time kernel
111s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 20:02
General
-
Target
27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe
-
Size
539KB
-
MD5
769fc5c0048329d9658539f21aaef663
-
SHA1
315578fe18b240c903e96549d7483c891e959c45
-
SHA256
27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944
-
SHA512
a7c02b034e34f528e19aea66a496a471fad4c9f57f45a27fb295545a85590a31af19b5063974e04fe70652dcbd3a96968eaa0013e930e032981a577448120bfb
-
SSDEEP
12288:bMrny90BmkZgQAJOBoKFqNhqNtPD6QyopnHcIQQKZ:0yNkZgQpGKVP+QXYQKZ
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe"C:\Users\Admin\AppData\Local\Temp\27972e883299dc4cc4d7ad1dd81f10cda98eb5fdec8c7f80d4aa53ec91240944.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRX40.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vRX40.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dML09.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dML09.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
435KB
MD5025e584798ae60c3461e43baec025ef5
SHA1d95a885de9a9e0b0cdc48f113e4fe52a7aa47160
SHA2569bc32623b541497b19257505b69de0438b3545835229b204c0b5aec7e5ebfed2
SHA51290c1b873a65e340a262abc33074f29f02eadcf3ac2ca1036a720a99bda8414cd981553279f219bd2348f5c15fcd3ca42af0503c98d372b41007a1338b2a53e17
-
Filesize
305KB
MD5a97676767e51104d57e1d0ad956e4274
SHA1518c54685f9d461424f96247c32d1d9db20fea32
SHA256c5ab3172fb7e5ced3b6d009742e00e48698714a2c54f887eb80d15c12b8a6558
SHA5120fad6360d1ac0f729181738ee02fa242ff925de13f64deea9bd0af4b2ee1e1891dfa952698fa1d8318e468c4a30908ef33ad592fb675d0521f5296828aafb87d
-
Filesize
1024KB
-
Filesize
312KB
-
Filesize
300KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB