Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 02:18
General
-
Target
012ac082d2af1fa8e20baac2d255039dce7f9620d76d2392697224b3926c9772.exe
-
Size
564KB
-
MD5
61a2114f0dcdf4043c7b1fa2cbf9c9ec
-
SHA1
fe67a175ef4b48eb89504df57f5f6c42656d13c7
-
SHA256
012ac082d2af1fa8e20baac2d255039dce7f9620d76d2392697224b3926c9772
-
SHA512
1aaa279fd94168a9cbbfb041ac427854394f17b77b38f673dbaa1dc63410a5fb66255fe6be5998194efc37a099d6cc28912e0443752a715e2a3989f452a5eb02
-
SSDEEP
12288:mMr9y906mBSApNFXzHc5bmkPDlzALocJ8SKTKCnHWLl:zypm/FIbmkOLrJ8SKGCHWLl
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\012ac082d2af1fa8e20baac2d255039dce7f9620d76d2392697224b3926c9772.exe"C:\Users\Admin\AppData\Local\Temp\012ac082d2af1fa8e20baac2d255039dce7f9620d76d2392697224b3926c9772.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dje3142.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dje3142.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmD19ry.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmD19ry.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
419KB
MD5a44253842b29e9d22d23e61d4e1a2b71
SHA1a0be868ee1e8b9cd643c0d5bd2504726e43db248
SHA256ae6df813321a9114ccc9961754b1ef84f0d274ed647ea14cd2de31289630bd9d
SHA512d381845c53a5959de431b773881a3840fd1c74a53bc72d952b8b2e8d8cdee7fc1be9af8748a4ddde09b757f177fe252c560e59f55f444bb3b84d585c6e84f663
-
Filesize
265KB
MD5f742494575da0401667b01c1f3e67001
SHA10660eabc4bf3eca706bbf55025c5a3824afe8c95
SHA25660897f881b155dfa9e9547aa0dcea82336b3a84e795e1bf7ae0fdd1a78176ccd
SHA512d3540ee2d0479738972b5e2b441fac6c2bf259dd83d8e666b65a5f3204c3f306297c4ae9e966d080fe7fa4bd3ad1ebf1bcae6a31f5507acfead4dda6ef700392
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB