Analysis

  • max time kernel
    131s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 02:28

General

  • Target

    d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe

  • Size

    479KB

  • MD5

    3704ce0de67a2543765cfbe5bd6feb38

  • SHA1

    a611cc9669dd97b1f2fe54ccdb39343a2692aed8

  • SHA256

    d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87

  • SHA512

    53a587fdd7d0b542d141361aa38d0c27bb4d06cd12657094800bfc85b737c67dce83d9afe8ba601492849fceeb1195028d92e2d0d8e92a170c5422402d770d21

  • SSDEEP

    12288:XMrky90FdHpGz7Jhek4ID2GSeA5OmdQJcelTim:zysNyekvSeY5Xm

Malware Config

Extracted

Family

redline

Botnet

divan

C2

217.196.96.102:4132

Attributes
  • auth_value

    b414986bebd7f5a3ec9aee0341b8e769

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe
    "C:\Users\Admin\AppData\Local\Temp\d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0845157.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0845157.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509740.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509740.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0845157.exe

    Filesize

    307KB

    MD5

    e9aa4fcc46c2afc280e00203b9e478a3

    SHA1

    7518e56bdfa365ef6aa4ddf277886cf9774c67c7

    SHA256

    e7294d3d77ec50fca6c5f43b5120de24ddf497a28ce57794b987f5036ed676e0

    SHA512

    73897b38df83e69c972f9258a003fe1225da987f235aa2a6b5fc893a5cac21129b7d730ba3121d5177993b77e7e89291dc3ec755e32f7065b3859fcbbee94c47

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509740.exe

    Filesize

    168KB

    MD5

    a208910651983098f73cc4a9bf6aa451

    SHA1

    5107760e053b68919e3217e738f0f58e53f22cd0

    SHA256

    178a145f48509fdb0fc07accaf7f7fff139c4ccc8e8cdb17906f52556225ab46

    SHA512

    26fc6a351e3d3d542aeaebfdd0320ad261f8c1d248673b94af3403a94795f9a4746094e4cf7f23f2babdcabc1fa66904ad7fcc0a252219a0e8f0ce64bf305669

  • memory/4000-14-0x000000007472E000-0x000000007472F000-memory.dmp

    Filesize

    4KB

  • memory/4000-15-0x0000000000F30000-0x0000000000F5E000-memory.dmp

    Filesize

    184KB

  • memory/4000-16-0x0000000005710000-0x0000000005716000-memory.dmp

    Filesize

    24KB

  • memory/4000-17-0x000000000B230000-0x000000000B848000-memory.dmp

    Filesize

    6.1MB

  • memory/4000-18-0x000000000ADA0000-0x000000000AEAA000-memory.dmp

    Filesize

    1.0MB

  • memory/4000-19-0x000000000ACD0000-0x000000000ACE2000-memory.dmp

    Filesize

    72KB

  • memory/4000-20-0x0000000074720000-0x0000000074ED0000-memory.dmp

    Filesize

    7.7MB

  • memory/4000-21-0x000000000AD30000-0x000000000AD6C000-memory.dmp

    Filesize

    240KB

  • memory/4000-22-0x0000000005200000-0x000000000524C000-memory.dmp

    Filesize

    304KB

  • memory/4000-23-0x000000007472E000-0x000000007472F000-memory.dmp

    Filesize

    4KB

  • memory/4000-24-0x0000000074720000-0x0000000074ED0000-memory.dmp

    Filesize

    7.7MB