Analysis
-
max time kernel
131s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe
Resource
win10v2004-20241007-en
General
-
Target
d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe
-
Size
479KB
-
MD5
3704ce0de67a2543765cfbe5bd6feb38
-
SHA1
a611cc9669dd97b1f2fe54ccdb39343a2692aed8
-
SHA256
d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87
-
SHA512
53a587fdd7d0b542d141361aa38d0c27bb4d06cd12657094800bfc85b737c67dce83d9afe8ba601492849fceeb1195028d92e2d0d8e92a170c5422402d770d21
-
SSDEEP
12288:XMrky90FdHpGz7Jhek4ID2GSeA5OmdQJcelTim:zysNyekvSeY5Xm
Malware Config
Extracted
redline
divan
217.196.96.102:4132
-
auth_value
b414986bebd7f5a3ec9aee0341b8e769
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b75-12.dat family_redline behavioral1/memory/4000-15-0x0000000000F30000-0x0000000000F5E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 1668 x0845157.exe 4000 g6509740.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x0845157.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x0845157.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6509740.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5112 wrote to memory of 1668 5112 d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe 83 PID 5112 wrote to memory of 1668 5112 d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe 83 PID 5112 wrote to memory of 1668 5112 d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe 83 PID 1668 wrote to memory of 4000 1668 x0845157.exe 84 PID 1668 wrote to memory of 4000 1668 x0845157.exe 84 PID 1668 wrote to memory of 4000 1668 x0845157.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe"C:\Users\Admin\AppData\Local\Temp\d4928dde1b9587e06ca1bbdf3e4a8e40ca2c424126f166194915a7e7efbb0e87.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0845157.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0845157.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509740.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6509740.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307KB
MD5e9aa4fcc46c2afc280e00203b9e478a3
SHA17518e56bdfa365ef6aa4ddf277886cf9774c67c7
SHA256e7294d3d77ec50fca6c5f43b5120de24ddf497a28ce57794b987f5036ed676e0
SHA51273897b38df83e69c972f9258a003fe1225da987f235aa2a6b5fc893a5cac21129b7d730ba3121d5177993b77e7e89291dc3ec755e32f7065b3859fcbbee94c47
-
Filesize
168KB
MD5a208910651983098f73cc4a9bf6aa451
SHA15107760e053b68919e3217e738f0f58e53f22cd0
SHA256178a145f48509fdb0fc07accaf7f7fff139c4ccc8e8cdb17906f52556225ab46
SHA51226fc6a351e3d3d542aeaebfdd0320ad261f8c1d248673b94af3403a94795f9a4746094e4cf7f23f2babdcabc1fa66904ad7fcc0a252219a0e8f0ce64bf305669