redline | a63b37d9592cda82d3f14761c40c2504b86c97b1b73714613e7ddae4cae76250

Analysis

max time kernel
129s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update Script.exe
Size

2.6MB
MD5

9ccbfc90de4e19383e1b236e2e659f75
SHA1

81bdcb475210ff4731ce0e0b3239b497f9f70015
SHA256

82a4239f459b3569ad8c4e608e38c520b5c50ffb5dec97034c3924e594662c39
SHA512

56d7825804c4439ef42b1f473d9fcc758aa089c3a35cb38728a128e3509f2c210a711e80087e31b18ca28ec0f5a208e061aae15e778edd48049af34fc76d9d8e
SSDEEP

24576:CVwd9AvyVIp6i5+GOUYMY3XdyA1Mm/9s4dl41lLH9zgMPZYRDkTEuLl8UN3jl3Rw:CVwd9AKVIp64+rmT8mZYJkTEurBl3a

Score

10^/10

redline @sanchekkkkk discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@Sanchekkkkk

79.137.192.20:7466

Attributes

auth_value
10817a38e602b1d9bb93ced603d37fc5

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral3/memory/2524-9-0x0000000000400000-0x0000000000436000-memory.dmp	family_redline
behavioral3/memory/2524-8-0x0000000000400000-0x0000000000436000-memory.dmp	family_redline
behavioral3/memory/2524-2-0x0000000000400000-0x0000000000436000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 2524	432	Update Script.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update Script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30
PID 432 wrote to memory of 2524	432	Update Script.exe	30

C:\Users\Admin\AppData\Local\Temp\Update Script.exe
"C:\Users\Admin\AppData\Local\Temp\Update Script.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-10-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2524-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download