Analysis

  • max time kernel
    106s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 05:57

General

  • Target

    0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe

  • Size

    1.3MB

  • MD5

    b4f7d95528914513df2bfcb448751850

  • SHA1

    4228e418256a6e173261c274be819e2115eb53c6

  • SHA256

    0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32

  • SHA512

    04b1adec7b3b6690d4af6e1aa85f0ec2004b73f098c9367a503b6c63ac101a23a5ea9f134ce4aac098266695c0cfd0be8a921452b0436c0433e326d8332779df

  • SSDEEP

    24576:dyet4FRp41/ymFW9ulijULOmrmFp3huslbduvGB5TU4rThJPsha2Cv0E3:484D4ltFW8iQLrrmF2slbduqGwPsnCv0

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes
  • auth_value

    7da4dfa153f2919e617aa016f7c36008

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1052

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe

          Filesize

          1023KB

          MD5

          b659e8693f9c6bf3a07242f64a641643

          SHA1

          d6b9303eaf4fa66f95c4c617288ec57fc6addbe3

          SHA256

          c5c53066c9c65ea6d05fa10adcace56317f59ece80d9e756bdcbec681599fca1

          SHA512

          b0544418d253d2e1a1416b16cf52de3af6aef7f2afe96ddaccfdb622e27dd53a9ebe64595d5de106c47cfe697fd6cf8bc8fdf155b6821bd0c61ec99b6a0a7350

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe

          Filesize

          851KB

          MD5

          1881d788b8046308e1156636d4a6f8d2

          SHA1

          fb8e4d40d1a0664f13316ab23f13c050390b99b5

          SHA256

          a9b8e823d9318836368a7be00b8edccbe265282d0aaa5666d6503afff0dea74c

          SHA512

          41b780eaa441b6500b249da7767284b3cf3d7cbbdff55203461baf9808c5598a1b5ef2eca9f3692e1bf0cd954b1373695b54d2fef1eddbbb1c86cd09c6fb83bb

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe

          Filesize

          376KB

          MD5

          341ee1742a7c6cb97a6f94cb2880f72b

          SHA1

          55d67dc790192ad81761dc30ce4550b9f7e096a7

          SHA256

          5303cca9f76963e9b0a728d64f36a64bdca4f3c6ed9c6e00a85489af77b60695

          SHA512

          d0628d5e853bf87e72a399aaaf7f43af6e43bb549b39cb955cd1f74b0d31d0d1f101f357c18c8caa875cbf3ce2410e04e24a98568c042ac0d19636f8cda7aca9

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe

          Filesize

          169KB

          MD5

          375fb5fc9e409807364960c1891d2625

          SHA1

          ca904acdf5e162c8e595bb3c1dcb48ed97228ed5

          SHA256

          71d35ffc50602e0bc952a8157bbc4b07cc2dcdd47c6a01257abc3d1c47b2510f

          SHA512

          f6d7d1d6336440d69dc5debbb46ad4791bfb0f228519df264ba1f56c5227c832ef046803a28b65209f039b720f0d60dab7478d70d06036ac0df017a60248ec89

        • memory/1052-28-0x0000000000FF0000-0x0000000001020000-memory.dmp

          Filesize

          192KB

        • memory/1052-29-0x00000000034B0000-0x00000000034B6000-memory.dmp

          Filesize

          24KB

        • memory/1052-30-0x0000000006120000-0x0000000006738000-memory.dmp

          Filesize

          6.1MB

        • memory/1052-31-0x0000000005C10000-0x0000000005D1A000-memory.dmp

          Filesize

          1.0MB

        • memory/1052-32-0x0000000005990000-0x00000000059A2000-memory.dmp

          Filesize

          72KB

        • memory/1052-33-0x0000000005B00000-0x0000000005B3C000-memory.dmp

          Filesize

          240KB

        • memory/1052-34-0x0000000005B50000-0x0000000005B9C000-memory.dmp

          Filesize

          304KB