Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 00:14
General
-
Target
70207c1fd2be3b308576f1ffe746b469398f0e043a2d1b540100f2e5e97970d5.exe
-
Size
585KB
-
MD5
a8d453e760ab21f380e96e86589923ef
-
SHA1
bfdbbe303b86e97eba49ff04e4d870647f9b504a
-
SHA256
70207c1fd2be3b308576f1ffe746b469398f0e043a2d1b540100f2e5e97970d5
-
SHA512
b61061efbd2b315ceb2ef3a7dd4c94ae3bad8a6a8ee768ee7f664ccb3bf55caf3a67f7eaa3a80caf6b0e06f1cd9b7a1a66b22e2794eeb164d2b00d6cf51de3d3
-
SSDEEP
12288:9Mrmy90+jL9+Vj5fS082Ly4WYv3EQpU1AMMEyaOAbTa3Nf38K:ryP9+VtfSA/Nv3EzNyaOAqN/n
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
-
auth_value
f88f86755a528d4b25f6f3628c460965
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\70207c1fd2be3b308576f1ffe746b469398f0e043a2d1b540100f2e5e97970d5.exe"C:\Users\Admin\AppData\Local\Temp\70207c1fd2be3b308576f1ffe746b469398f0e043a2d1b540100f2e5e97970d5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stT4947.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stT4947.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGg16PW.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nGg16PW.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
439KB
MD5fe796cf28d88557cccd5fdb3572c10d9
SHA1b8befa70bc9c7a339318eb15ca3d9f550bef1017
SHA2569e05cb7ca1c48099815ff3763c67a9f5d20dcd2fa85eba596fdbfa0e9b4c9a1d
SHA51287b671317ec45089e675e6ac3c69d55448c9d78a7d0d167c1ba18fd0cee9a7b87415b2e93cdd8a6c16a2042c553baf1205b1f158dd69e117430963c077e7ea96
-
Filesize
313KB
MD5478141159f8781bd6901b5c2ec2a6e2f
SHA195732efeb6ff886a38cf81cd310f183587222e04
SHA256785755222a312d20469e673184727d6744809e9fadc13ed126a7c8d127f0d6f9
SHA512737611e19589fbb61b48f03a3de7cd205b73764a8b608c94c8f3eaf84afc00ededf30f7fa6dd16a9f0a1e7a60f48a7c78531b39ecb544c3dd9d94d8e978e9da9
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
312KB