Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 22:55
Static task: static1
Behavioral task: behavioral1
Sample: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
Resource: win10v2004-20241007-en
General
Target: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
Size: 678KB
MD5: 76a8fa127bc781d62b2184191d0c690a
SHA1: 276e5915c03a99fc81a7cc598f93c8509d8a53b7
SHA256: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc
SHA512: 92cd1cb4c39504b44539be27ec1b9933b859c5ff40166548a6707f4e9a25ae02bc14a97e4ab85593cf04de950e7f979db5af39d4eceeb3f05189963b53cc4656
SSDEEP: 12288:MMrfy90/JTqSMQKwNsGW3hUquZPuzdMOW9j29Ldh0LHDKqx3lEy6KwQfA:ryQJTDMQKgsHRUXPuzqFh2ddh0yqxVjY
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
All 35 hits are the YARA rule family_redline matching memory dumps of PID 4840 (dwR93.exe, the third-stage executable in the process tree below). Dumps 19 and 21 cover one region each; the other 33 dumps all cover the same region 0x02860000-0x0289E000, i.e. the payload is repeatedly seen unpacked in the same allocation of the final stage.
resource | yara_rule
behavioral1/memory/4840-19-0x00000000027D0000-0x0000000002816000-memory.dmp | family_redline
behavioral1/memory/4840-21-0x0000000002860000-0x00000000028A4000-memory.dmp | family_redline
behavioral1/memory/4840-51-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-53-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-85-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-83-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-81-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-77-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-75-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-73-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-71-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-69-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-67-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-65-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-61-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-59-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-57-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-55-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-49-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-47-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-43-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-41-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-39-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-37-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-35-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-33-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-31-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-29-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-27-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-25-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-79-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-23-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-22-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-63-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline
behavioral1/memory/4840-45-0x0000000002860000-0x000000000289E000-memory.dmp | family_redline

Redline family
Executes dropped EXE 2 IoCs
Processes: vSr38.exe, dwR93.exe
pid | Process
2508 | vSr38.exe
4840 | dwR93.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe, vSr38.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vSr38.exe
Writes to Run/RunOnce keys map to ATT&CK T1547.001 (Registry Run Keys / Startup Folder), but read the values before treating this as persistence. Both wextract_cleanupN entries are the standard cleanup stubs written by the Windows WEXTRACT self-extractor (the engine behind IExpress packages): at the next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete the IXP00n.TMP directory the package extracted into. They show that the first two stages are self-extracting packages (the IXP000.TMP and IXP001.TMP paths in the process tree below are those extraction directories); neither value launches the dropped executables, so no autostart entry for the stealer itself appears on this page.
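The script below is an added example and not code from the report or the sandbox. It parses "Set value" rows in the flattened layout the report uses, undoes the report's string escaping, and separates the WEXTRACT self-extractor cleanup entries (rundll32 advpack.dll,DelNodeRunDLL32 pointed at an IXP00n.TMP directory, which only delete that directory at next logon) from genuine Run/RunOnce commands that would actually start something. The first two input rows are the report's own; the third is a constructed Run entry with a hypothetical SID, path and process name, included only for contrast.

```python
"""Classify 'Set value' registry rows in this report's format.

Added example; not code from the report or the sandbox. The first two rows are the
report's RunOnce entries; the third is a constructed Run entry (hypothetical SID,
path and process name) included only for contrast.
"""
import re

REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vSr38.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" example.exe
"""

# Row layout: Set value (<type>) <key>\<value name> = "<data>" <process>
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<process>\S+)$')
# Autostart locations under CurrentVersion (matched case-insensitively, any hive)
AUTOSTART_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)
# WEXTRACT's cleanup stub: rundll32 [path\]advpack.dll,DelNodeRunDLL32 "<extraction dir>"
CLEANUP_RE = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>.+?)"?$', re.I)


def unescape(data):
    # The report renders a backslash as \\ and an embedded quote as \"; drop the escaping backslash.
    return re.sub(r'\\(.)', r'\1', data)


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return {"type": m["vtype"], "key": m["key"], "name": m["name"],
            "data": unescape(m["data"]), "process": m["process"]}


def classify(row):
    """Tag an autostart row as a WEXTRACT cleanup stub or as a genuine autostart command."""
    out = dict(row, kind="other", cleanup_dir=None)
    if not AUTOSTART_KEY_RE.search(row["key"]):
        return out                              # not a Run/RunOnce location at all
    c = CLEANUP_RE.match(row["data"])
    if c and row["name"].lower().startswith("wextract_cleanup"):
        out["kind"] = "wextract_cleanup"        # only deletes its extraction directory at next logon
        out["cleanup_dir"] = c["dir"]
    else:
        out["kind"] = "autostart_command"       # something will actually be launched at logon
    return out


def triage(text):
    return [classify(parse_row(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in triage(REPORT_ROWS):
        print(f"{r['kind']:18} {r['process']:14} {r['cleanup_dir'] or r['data']}")
```

The cleanup directory is worth keeping: it is the folder the dropped stage lived in, so it tells you where to look for the next-stage binary in a triage image before the RunOnce stub removes it.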
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).
Processes: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe, vSr38.exe, dwR93.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vSr38.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwR93.exe
All three stages, including the two parent stages, open this key, and legitimate installers query the system language as well; on its own the read is weak evidence and should be weighed together with the RedLine payload matches in PID 4840 above.
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: dwR93.exe
description | pid | Process
Token: SeDebugPrivilege | 4840 | dwR93.exe
Only the final stage enables SeDebugPrivilege; PID 4840 is also the process whose memory matched the RedLine payload rule above.
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe, vSr38.exe
description | pid | Process | procid_target
PID 4104 wrote to memory of 2508 | 4104 | 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe | 83
PID 4104 wrote to memory of 2508 | 4104 | 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe | 83
PID 4104 wrote to memory of 2508 | 4104 | 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe | 83
PID 2508 wrote to memory of 4840 | 2508 | vSr38.exe | 84
PID 2508 wrote to memory of 4840 | 2508 | vSr38.exe | 84
PID 2508 wrote to memory of 4840 | 2508 | vSr38.exe | 84
Each parent writes only into the child it has just launched (4104 -> 2508 -> 4840, matching the process tree below), and each pair is recorded three times. That pattern is consistent with the writes a parent makes while creating a child process; no write targets a pre-existing or unrelated process, so this table does not by itself show process injection.
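The per-process tables above (RedLine payload memory hits, Executes dropped EXE, AdjustPrivilegeToken, WriteProcessMemory) each answer one question; the added example below, which is not code from the report or the sandbox, joins them. It parses each table in the flattened form it has on this page (the 35 memory-dump names are transcribed from the RedLine payload table), collapses the triplicated WriteProcessMemory rows into one parent-child edge with a repetition count, and prints the process tree with each PID annotated by dropped-EXE status, memory hits and enabled privileges, so the stage that actually carries the stealer stands out. Only the output layout is the script's own.

```python
"""Join this report's per-process tables into one annotated process tree.

Added example for this page; not code from the report or the sandbox. The input
strings are the report's own table rows transcribed in their flattened form.
"""
import re
from collections import Counter, defaultdict

# "RedLine payload" table: <task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>
# Dumps 19 and 21 each cover a distinct region; the remaining 33 dumps all cover 0x2860000-0x289E000.
_OTHER_DUMPS = [51, 53, 85, 83, 81, 77, 75, 73, 71, 69, 67, 65, 61, 59, 57, 55, 49, 47, 43,
                41, 39, 37, 35, 33, 31, 29, 27, 25, 79, 23, 22, 63, 45]
MEMORY_HITS_TEXT = " ".join(
    ["behavioral1/memory/4840-19-0x00000000027D0000-0x0000000002816000-memory.dmp family_redline",
     "behavioral1/memory/4840-21-0x0000000002860000-0x00000000028A4000-memory.dmp family_redline"]
    + [f"behavioral1/memory/4840-{n}-0x0000000002860000-0x000000000289E000-memory.dmp family_redline"
       for n in _OTHER_DUMPS])
# "Executes dropped EXE" table (pid Process)
DROPPED_TEXT = "2508 vSr38.exe 4840 dwR93.exe"
# "Suspicious use of WriteProcessMemory" table; each parent/child pair appears three times
WPM_TEXT = (
    "PID 4104 wrote to memory of 2508 4104 605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe 83 " * 3
    + "PID 2508 wrote to memory of 4840 2508 vSr38.exe 84 " * 3
)
# "Suspicious use of AdjustPrivilegeToken" table
PRIV_TEXT = "Token: SeDebugPrivilege 4840 dwR93.exe"

DUMP_RE = re.compile(r"\w+/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
                     r"-memory\.dmp\s+(?P<rule>\S+)")
WPM_RE = re.compile(r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<pname>\S+) \d+")
PRIV_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<name>\S+)")


def parse_memory_hits(text):
    """pid -> Counter of (start, end, rule): how often each region matched a rule."""
    hits = defaultdict(Counter)
    for m in DUMP_RE.finditer(text):
        hits[int(m["pid"])][(int(m["start"], 16), int(m["end"], 16), m["rule"])] += 1
    return hits


def parse_dropped(text):
    """pid -> image name from the 'pid Process' table."""
    t = text.split()
    return {int(t[i]): t[i + 1] for i in range(0, len(t), 2)}


def parse_wpm(text):
    """Collapse repeated rows into (parent, child) -> row count; also learn parent image names."""
    edges, names = Counter(), {}
    for m in WPM_RE.finditer(text):
        edges[(int(m["ppid"]), int(m["pid"]))] += 1
        names[int(m["ppid"])] = m["pname"]
    return edges, names


def parse_privs(text):
    privs = defaultdict(set)
    for m in PRIV_RE.finditer(text):
        privs[int(m["pid"])].add(m["priv"])
    return privs


def annotate(pid, ppid, names, dropped, hits, privs, edges):
    tags = []
    if pid in dropped:
        tags.append("dropped EXE")
    if ppid is not None:
        tags.append(f"{edges[(ppid, pid)]} WriteProcessMemory rows from {ppid}")
    if pid in hits:
        regions = {(s, e) for s, e, _ in hits[pid]}
        rules = sorted({r for _, _, r in hits[pid]})
        tags.append(f"{sum(hits[pid].values())} memory hits ({', '.join(rules)}) in {len(regions)} regions")
    tags.extend(sorted(privs.get(pid, ())))
    line = f"{pid} {names.get(pid, '?')}"
    return line + (f"  [{'; '.join(tags)}]" if tags else "")


def render_tree(edges, names, dropped, hits, privs):
    """Roots are parents that are never children; each level is indented two spaces."""
    children = defaultdict(list)
    for ppid, pid in edges:
        children[ppid].append(pid)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    lines = []

    def walk(pid, ppid, depth):
        lines.append("  " * depth + annotate(pid, ppid, names, dropped, hits, privs, edges))
        for child in sorted(children[pid]):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return lines


def payload_pids(hits, privs):
    """PIDs whose memory matched a family rule and which also enabled SeDebugPrivilege."""
    return sorted(p for p in hits if "SeDebugPrivilege" in privs.get(p, ()))


def correlate():
    hits = parse_memory_hits(MEMORY_HITS_TEXT)
    dropped = parse_dropped(DROPPED_TEXT)
    edges, names = parse_wpm(WPM_TEXT)
    names.update(dropped)          # children are only named in the dropped-EXE table
    privs = parse_privs(PRIV_TEXT)
    return render_tree(edges, names, dropped, hits, privs)


if __name__ == "__main__":
    print("\n".join(correlate()))
```

Run stand-alone it prints the three-level chain with 4840 dwR93.exe carrying every payload annotation; the same functions apply unchanged to another report of this layout once its table text is pasted into the four input strings.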
Processes

1 C:\Users\Admin\AppData\Local\Temp\605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\605076ba2b261386960619f2b9c1209ccff6d92523005a0ba93c4ab401cc01fc.exe"
  PID: 4104
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSr38.exe (child of PID 4104)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSr38.exe
    PID: 2508
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    3 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwR93.exe (child of PID 2508)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dwR93.exe
      PID: 4840
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 533KB
MD5: 9a3581b4ce390f5f78d1b2a183f42fd2
SHA1: bbbf4e21fc1e2c52709355ce0632907e1a8d4048
SHA256: d3ab04dca55c93fc04b21e6dc797f87070b3260cbdd385bd1c9e43f52c2a794e
SHA512: 6268cd2a23fd20fa9d4d2a8d491deec14fdb5d69136efe68d99639e23c61c9dd6adba0f3916dedb9e9eef9e0058a943972aaa7c0fc20e2011b2db6d95fc5ca06

Filesize: 338KB
MD5: 34c8db70ca3e7fa5ff713e6d0322767f
SHA1: b52b7734d5deceaf101279cd98fccfc26c9614e4
SHA256: dc89d449b00405be637c1c7932b01606709d7ecbc51b6c82f7c04cb1794f75f0
SHA512: 58727d312967aa8c54b5826cf4edf22d62a3412526a09fac606e10d6136650314fff8338811f30a4980529c58071c981abb8e70c24bd7f37a992e7a26992aa5a