Analysis
max time kernel: 141s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 06:12
Static task: static1
Behavioral task: behavioral1
Sample: 2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe
Resource: win10v2004-20241007-en
General
Target: 2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe
Size: 434KB
MD5: d8526325dc246427aa7ac9c31fbff861
SHA1: 00acf42ba37adbfe5b53cc527aacc284fa7b75bf
SHA256: 2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a
SHA512: 2a93d9059a975a2da6bf458ee04db65709a92ce865c0b0ea6e0da06fc2d369937a8ce107f3b26443cb09a38184d3680f8b97d0e3d10eefcf4681ad9e0870347f
SSDEEP: 6144:KZy+bnr+jp0yN90QEBkpPP5sL+lpt/jJeYArEL+Gc8c7P2fgcXVWlg0wa:fMr/y90Ul59lXYjpn8cr2fbkN
Malware Config
Extracted
Family: redline
Botnet: rodik
C2: 193.233.20.23:4124
Attributes:
auth_value: 59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (35 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/2564-11-0x0000000007160000-0x00000000071A6000-memory.dmp  family_redline
behavioral1/memory/2564-13-0x00000000077C0000-0x0000000007804000-memory.dmp  family_redline
behavioral1/memory/2564-14-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-35-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-77-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-76-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-73-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-71-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-69-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-68-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-65-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-63-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-62-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-59-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-57-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-56-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-51-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-49-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-47-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-45-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-43-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-41-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-39-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-37-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-33-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-31-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-29-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-27-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-25-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-23-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-21-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-19-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-17-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-15-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
behavioral1/memory/2564-53-0x00000000077C0000-0x00000000077FF000-memory.dmp  family_redline
Redline family
Executes dropped EXE (1 IoC)
Processes:
pid  Process
2564  eWZ44qf86.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eWZ44qf86.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description  pid  Process
Token: SeDebugPrivilege  2564  eWZ44qf86.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description  pid  Process  procid_target
PID 2320 wrote to memory of 2564  2320  2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe  83
PID 2320 wrote to memory of 2564  2320  2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe  83
PID 2320 wrote to memory of 2564  2320  2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe  83
Processes
1. C:\Users\Admin\AppData\Local\Temp\2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2175c8e0a8bfd871643694dc0566fb3828c9dcdd610a10e9a3d027341b5f055a.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2320
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eWZ44qf86.exe (child of PID 2320)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eWZ44qf86.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 316KB
MD5: 5a4ff96d0686fbf07f65e4fb559c3142
SHA1: a5605cc33f133613507d0417a24e0849a0a7792a
SHA256: 936572d2ce48bdaab44b98e18e0a34caad9fd438f7b5c1a1fb27e658bdb4e8ae
SHA512: 2dbde50807b566ec2c0c3ba8f47232e63e1f0dae31c462bc7365f3a0c3681df91b733ffb5ce32bc06cb43e8f9e666a421d59b0481aca07f86e93b8a386775580