Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 01:34
General
-
Target
6e4a310fb0fc448d5053f898e0f75e2fea5304d2ec6d606e6235537e49e3f91d.exe
-
Size
584KB
-
MD5
4b3647f84b54142bd5e1fac8191fc158
-
SHA1
9e16fd5c266f3d35062a2d358efa4908323576b9
-
SHA256
6e4a310fb0fc448d5053f898e0f75e2fea5304d2ec6d606e6235537e49e3f91d
-
SHA512
295b38cba2901988d57079649f83138f648f05f1497808156b4e8a9f2e8d0a36f42c2a671ac470597ec5dffc9765e1663dd32854f319a99bfb9baff5319290a0
-
SSDEEP
12288:KMr4y90Bp5oqXewrirRlT65E+3grBBcOhn2A7FkUV4PeER6Ce:GyTqXd+rXGQh2SFJseER6J
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e4a310fb0fc448d5053f898e0f75e2fea5304d2ec6d606e6235537e49e3f91d.exe"C:\Users\Admin\AppData\Local\Temp\6e4a310fb0fc448d5053f898e0f75e2fea5304d2ec6d606e6235537e49e3f91d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTe8021.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTe8021.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndw15Zj.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndw15Zj.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
439KB
MD56bdd686cc5593908dbfa5af2299ebb6c
SHA1fab5e2a9af412abc02d8710026a3313991ef1dce
SHA25690802e6ba0d308288940a8f47a49d6d43390ff563070008bbb531b3a928710a5
SHA51252d8683afbb1f2259cf184da405851669095dadca26bd09b728977abbab242ae3ef172a1e7cea351875d07ab8712a204ec6e1a1476db558fce5deaea6b57a89f
-
Filesize
303KB
MD57f7228945fb15bdcd6e792cc10b4577e
SHA1c044eee37ce4c2fd72a42725179562c4acf2a93e
SHA2563bbee457fa567f17bea91ed97dfc35314b3af607008e54bf7b8e465591287f75
SHA512ffe7dd8b40cd56661a066adc257ee5a263f88d4b52a4b3bf592001c3eb43a1875adcaef3444e72a15187dda0808348d5a66734f0d481e2315f4100738a88ea95
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB