Analysis
-
max time kernel
109s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 01:56 UTC
Static task
static1
Behavioral task
behavioral1
Sample
6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe
Resource
win10v2004-20241007-en
General
-
Target
6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe
-
Size
435KB
-
MD5
641409e8e5cba9035c7a6f6afeec3770
-
SHA1
898a8b533a37eaa46a3359349011ab0c8f9e3734
-
SHA256
6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1f
-
SHA512
5559aa7b9bcf5e7587d8336d2f55ea2fe038704800f50c3bc423d5ec8c6ba01886ca109f2f59838f19e8af95e04fa3a80e162fe63faa08c1c22926f2774d7f15
-
SSDEEP
12288:ZzcQNw0UZSjBf6KytxYz72p0SzctJM0C:XK0UZSjBwaf2p0E2Mf
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral2/memory/3776-2089-0x0000000004E80000-0x0000000004EB2000-memory.dmp family_redline behavioral2/files/0x000d000000023b76-2094.dat family_redline behavioral2/memory/5416-2103-0x0000000000420000-0x0000000000450000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe -
Executes dropped EXE 1 IoCs
pid Process 5416 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4608 3776 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3776 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3776 wrote to memory of 5416 3776 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe 87 PID 3776 wrote to memory of 5416 3776 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe 87 PID 3776 wrote to memory of 5416 3776 6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe"C:\Users\Admin\AppData\Local\Temp\6ba239ded124b5ea070ecea3aea98db7c8e4ee2260c3f23feaf1fb9dee541a1fN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5416
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 13042⤵
- Program crash
PID:4608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3776 -ip 37761⤵PID:1344
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.159.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
73.209.201.84.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0