Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
Resource: win10v2004-20241007-en
General
Target: 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
Size: 1.5MB
MD5: df389d190d443e2f884fdf737e4a552c
SHA1: bb1892a991517f5e01023c10e614890303baec1e
SHA256: 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd
SHA512: aa1b7eede3637248ac231a3b678f969b809c9d73adc1c5ffc02ec9e217d7db71a1d2bd79df20b07b31d4abdf288bb94a7387cc389144fddc99282a6ef75fa815
SSDEEP: 24576:Ky5UE1d1k0mLmHxIZqCHNtzshORNXwqB1xw4pLXjKrB2CHZHOHM:Rbv1n2mHx+JN1NXJB1xwqLIgC5
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000023b95-33.dat | family_redline
behavioral1/memory/3608-35-0x0000000000D70000-0x0000000000DA0000-memory.dmp | family_redline
Redline family

Executes dropped EXE (5 IoCs)
pid | Process
1012 | i23121391.exe
1324 | i92806119.exe
1940 | i28294998.exe
3800 | i45511230.exe
3608 | a56915735.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i23121391.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i92806119.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i28294998.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i45511230.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i23121391.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i92806119.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i28294998.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i45511230.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a56915735.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4740 wrote to memory of 1012 | 4740 | 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe | 83
PID 4740 wrote to memory of 1012 | 4740 | 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe | 83
PID 4740 wrote to memory of 1012 | 4740 | 3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe | 83
PID 1012 wrote to memory of 1324 | 1012 | i23121391.exe | 84
PID 1012 wrote to memory of 1324 | 1012 | i23121391.exe | 84
PID 1012 wrote to memory of 1324 | 1012 | i23121391.exe | 84
PID 1324 wrote to memory of 1940 | 1324 | i92806119.exe | 85
PID 1324 wrote to memory of 1940 | 1324 | i92806119.exe | 85
PID 1324 wrote to memory of 1940 | 1324 | i92806119.exe | 85
PID 1940 wrote to memory of 3800 | 1940 | i28294998.exe | 86
PID 1940 wrote to memory of 3800 | 1940 | i28294998.exe | 86
PID 1940 wrote to memory of 3800 | 1940 | i28294998.exe | 86
PID 3800 wrote to memory of 3608 | 3800 | i45511230.exe | 88
PID 3800 wrote to memory of 3608 | 3800 | i45511230.exe | 88
PID 3800 wrote to memory of 3608 | 3800 | i45511230.exe | 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3b9b5703ef9d3f1021a41464998550b6b71b924ec2849f948e240de6a34d51cd.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4740

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23121391.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1012

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92806119.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 1324

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28294998.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1940

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i45511230.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 3800

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56915735.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  PID: 3608
Network
MITRE ATT&CK Enterprise v15
Downloads