Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/11/2024, 05:55
Static task: static1
Behavioral task: behavioral1
Sample: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe
Resource: win10v2004-20241007-en
General
Target: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe
Size: 564KB
MD5: 0266c4a19e5c3a993fb0e570b5de2291
SHA1: 56f5276a2495074541ca9f9f667254b4d1a17657
SHA256: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e
SHA512: 5d25a84b8d8b7886d76e876fe99e57ab45671d03e1962a01c550e0b4d5e2e4f4ae0bdc41e0601116a76760a792e2a1a6e682b079019512386bdf56a22557b2cb
SSDEEP: 12288:aMriy90gcPlbHYHl///vOZOrkPdS4ycV7lHa4BBS4N6u:UyOtb4F//eZP0JeJaCBS4Qu
Malware Config (extracted)
Family: redline
Botnet: ronur
C2: 193.233.20.20:4134
auth_value: f88f86755a528d4b25f6f3628c460965
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Redline family
Executes dropped EXE (2 IoCs)
PID 996: nyV38kC65.exe
PID 644: eMn78sf.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description: Set value (str) | IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Process: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe
Description: Set value (str) | IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Process: nyV38kC65.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: nyV38kC65.exe
Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: eMn78sf.exe
Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Description: Token: SeDebugPrivilege | PID: 644 | Process: eMn78sf.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Description: PID 4696 wrote to memory of 996 | PID: 4696 | Process: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe | procid_target: 83
Description: PID 4696 wrote to memory of 996 | PID: 4696 | Process: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe | procid_target: 83
Description: PID 4696 wrote to memory of 996 | PID: 4696 | Process: 8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe | procid_target: 83
Description: PID 996 wrote to memory of 644 | PID: 996 | Process: nyV38kC65.exe | procid_target: 84
Description: PID 996 wrote to memory of 644 | PID: 996 | Process: nyV38kC65.exe | procid_target: 84
Description: PID 996 wrote to memory of 644 | PID: 996 | Process: nyV38kC65.exe | procid_target: 84
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe (PID 4696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d401cd9e1cfdec82daf8016e56e125b4d9103d37af45ef3042172bfb0d9e68e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyV38kC65.exe (PID 996)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyV38kC65.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eMn78sf.exe (PID 644)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eMn78sf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Downloads

File 1
Filesize: 419KB
MD5: 221ed3e1992bdc16eec381c7ed0bb169
SHA1: 72622cfc9db625e261e9e03d017a6c2da82f7fe2
SHA256: 9324d1222da0163fb30cf09cc226c4731249e91ac8c125797bd885c4d0ebf5bb
SHA512: 474c2d662bd62ac6f49e4279f4839bf1220404c9123f12a2dabfbd7214d99830808dc5545fef8c5990bec681f3d3b0e2bef5c61ddf5ef1f12bd2506a9c163871

File 2
Filesize: 265KB
MD5: 22fa9dc8d6bb6629c530256635becb49
SHA1: 5041d1a1d4b8c6e442ca2d5a089c1ba146f9ed21
SHA256: bb9b0f0b2564e1817399025d209a51878f070a9c0370d341398cf1c4caea59c8
SHA512: b99fd8e8aff01cb53668189cf751ae020d8e004278d56f4ee8db06a2f1776a4ad5015fc848cdc3de90d3bbeb8ba45b237ee426662f6a296a2cf3d976be41b549