Analysis
max time kernel: 106s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 05:57
Static task: static1
Behavioral task: behavioral1
Sample: 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
Resource: win10v2004-20241007-en
General
Target: 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
Size: 1.3MB
MD5: b4f7d95528914513df2bfcb448751850
SHA1: 4228e418256a6e173261c274be819e2115eb53c6
SHA256: 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32
SHA512: 04b1adec7b3b6690d4af6e1aa85f0ec2004b73f098c9367a503b6c63ac101a23a5ea9f134ce4aac098266695c0cfd0be8a921452b0436c0433e326d8332779df
SSDEEP: 24576:dyet4FRp41/ymFW9ulijULOmrmFp3huslbduvGB5TU4rThJPsha2Cv0E3:484D4ltFW8iQLrrmF2slbduqGwPsnCv0
Malware Config
Extracted: redline
most
185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral1/files/0x0008000000023c8b-26.dat, yara_rule: family_redline
  resource: behavioral1/memory/1052-28-0x0000000000FF0000-0x0000000001020000-memory.dmp, yara_rule: family_redline
- Redline family
- Executes dropped EXE (4 IoCs)
  pid 3860, Process i52967016.exe
  pid 4088, Process i84159350.exe
  pid 2204, Process i51748369.exe
  pid 1052, Process a64284449.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"", Process i52967016.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"", Process i84159350.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"", Process i51748369.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", Process 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process i52967016.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process i84159350.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process i51748369.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process a64284449.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3576 wrote to memory of 3860, pid 3576, Process 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe, procid_target 85
  PID 3576 wrote to memory of 3860, pid 3576, Process 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe, procid_target 85
  PID 3576 wrote to memory of 3860, pid 3576, Process 0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe, procid_target 85
  PID 3860 wrote to memory of 4088, pid 3860, Process i52967016.exe, procid_target 86
  PID 3860 wrote to memory of 4088, pid 3860, Process i52967016.exe, procid_target 86
  PID 3860 wrote to memory of 4088, pid 3860, Process i52967016.exe, procid_target 86
  PID 4088 wrote to memory of 2204, pid 4088, Process i84159350.exe, procid_target 88
  PID 4088 wrote to memory of 2204, pid 4088, Process i84159350.exe, procid_target 88
  PID 4088 wrote to memory of 2204, pid 4088, Process i84159350.exe, procid_target 88
  PID 2204 wrote to memory of 1052, pid 2204, Process i51748369.exe, procid_target 89
  PID 2204 wrote to memory of 1052, pid 2204, Process i51748369.exe, procid_target 89
  PID 2204 wrote to memory of 1052, pid 2204, Process i51748369.exe, procid_target 89
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0a876dfcee230873cc220bf447bd1ff3bd1af23521c871b6eb27d835d3b9ab32N.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3576
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52967016.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3860
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i84159350.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 4088
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i51748369.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2204
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a64284449.exe
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               PID: 1052
Network
MITRE ATT&CK Enterprise v15
Downloads