Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:07
General
-
Target
4b0a154e63667842a1ba7b011338281f00b35b9c72a6444412de3a9afcd23552.exe
-
Size
536KB
-
MD5
817bf223240befb04b72e0ac1535d1d4
-
SHA1
ec37ecbddfd840faa0bb07db181ac65b74913313
-
SHA256
4b0a154e63667842a1ba7b011338281f00b35b9c72a6444412de3a9afcd23552
-
SHA512
1a408beb4b42410cf2f961d98d4dd48bbe3b2608f3307cf21bb62aa0306e247355baf2d5360c08705c717eda9135c9a6a0b9765885af8feeb33887987045f5ae
-
SSDEEP
12288:qMrIy902Fxt/spaPiZzYTsMs0dncPlW8xEcLoAf4rbGkhWN:ey5xt/spaPiZ2a0dcPl91LZMp8
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b0a154e63667842a1ba7b011338281f00b35b9c72a6444412de3a9afcd23552.exe"C:\Users\Admin\AppData\Local\Temp\4b0a154e63667842a1ba7b011338281f00b35b9c72a6444412de3a9afcd23552.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGx17.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGx17.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dDI73.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dDI73.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
432KB
MD5d62b6e573ede7e7a3e324c5d860c91ba
SHA15485ad7701c230efb981925fb00ef57c42920b9f
SHA256291ad32a8a433dce1f33fa0d194ee947685e50c0205f64d7a9388c6ee7abcd73
SHA51272b07d3f01086151e8e6c7459f3dba82026bed6e95b625170293ec27b63b486fb8101b8698156378bb45edae1466eccb93eac603193ed0fae243367f4ab5cfe8
-
Filesize
292KB
MD58f3ee54e97d308acf52c687634cdb7d4
SHA1897ac33223537678c75849d57aefa851b232db09
SHA256f4c614372eb33ca63672f7a0e6c868b22626662f42bfc9b056fa38ee8e8aedc9
SHA512e1a07adfa12c535e7ced4e63e02feabb6a0ef06fcd69afaae640bcb44dc8eaebeff8fe0c70fcdb6d8134dad57987cbb0ba907efecaa075d5974601c680431df5
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB