Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:46
General
-
Target
9a0ec5b40399889ddf61368ee848626cdc5f98fb7264ab1a504e6afd2801b64b.exe
-
Size
565KB
-
MD5
2ea6d65da71fefcf0fc423b57ca36133
-
SHA1
2fa80a4aba428ae05d45b149cd159acd7b7acf98
-
SHA256
9a0ec5b40399889ddf61368ee848626cdc5f98fb7264ab1a504e6afd2801b64b
-
SHA512
779c278e0004d188a63f95f9fc3f7238d9c99e92cd3920e2cf0e7ffdbdf750e30f58e7aec797352694076dcd7f144c5aed783598f95286907cdf2496521497fd
-
SSDEEP
12288:TMrBy903gSN714+yGXnh4S10NFABghqNstu2UYw8KOPtJaRHkf2sPlcd:OyMgSNJ4mnhl1ZNstulnQfaRtag
Malware Config
Extracted
redline
ronur
193.233.20.20:4134
-
auth_value
f88f86755a528d4b25f6f3628c460965
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a0ec5b40399889ddf61368ee848626cdc5f98fb7264ab1a504e6afd2801b64b.exe"C:\Users\Admin\AppData\Local\Temp\9a0ec5b40399889ddf61368ee848626cdc5f98fb7264ab1a504e6afd2801b64b.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmU4622.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmU4622.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nbe87mb.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nbe87mb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
421KB
MD51f1577fc926b7e448358f223367f6fac
SHA1bf35e522de0e55713e96a518b35141bce5597ab9
SHA2569f2cd4a5a3d2a8f05a33587f31c005263518cbe1f429a1a2d6ff71d5cf72af9c
SHA512adb99ab4413e058cf8076aefd6d6206384fb8d0e698030241ee756f3718f00fe1de489d18db1bca2ed57b99b3c0ccb71edea2f771b8ef3339a674e088bdb8bbd
-
Filesize
267KB
MD5b097e9e8ba00491672d7c588f5a1dc6c
SHA1ca40fc57327e159e7f9ab633c492191896a2db6d
SHA256ea09554bb47d16149144d42b26d9022cdbe753b6026626ebd3ba99be8511777d
SHA512b9f75414a3b2ab352ca98d78f25e9c5715af6c37eb41b543c8d191c0c799ee4d482b962774b1f31dce340d780c49fa7b262da30e7e692bbb7fa98bbbac26dd63
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB