Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 06:54
Static task: static1
Behavioral task: behavioral1
Sample: 3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe
Resource: win10v2004-20241007-en
General

Target: 3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe
Size: 376KB
MD5: 59555455a4edc16c024b181286dac991
SHA1: 8897a9f154c9756244e788a09d78201c2483190e
SHA256: 3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f
SHA512: a1736c2eedb0f1da51c7a228b1a04414f78bef362603ac715580040bee03d36b1769bd601c8b2844f16a51f7f2726510f2ee132480a8058be3d0d6fdfbdd9014
SSDEEP: 6144:Kxy+bnr+vp0yN90QEFPzqt0cNad1k2DVmM8wV/Ib/QRmdt8rGci3iX:HMrzy90LLigTk5SmdirG8
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x000b000000023b8b-12.dat                                   family_redline
  behavioral1/memory/3308-15-0x00000000005F0000-0x0000000000618000-memory.dmp   family_redline

Redline family

Executes dropped EXE (2 IoCs)
  pid    Process
  3288   x0475817.exe
  3308   g5101603.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
    ioc:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe
  description: Set value (str)
    ioc:     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
    Process: x0475817.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   x0475817.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   g5101603.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process                                                                  procid_target
  PID 4000 wrote to memory of 3288   4000   3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe   83
  PID 4000 wrote to memory of 3288   4000   3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe   83
  PID 4000 wrote to memory of 3288   4000   3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe   83
  PID 3288 wrote to memory of 3308   3288   x0475817.exe                                                             84
  PID 3288 wrote to memory of 3308   3288   x0475817.exe                                                             84
  PID 3288 wrote to memory of 3308   3288   x0475817.exe                                                             84
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bfffc50ccfccb6523fe6b7843aba354a4afc966f0d91450ed230ab202a7e77f.exe"
  PID: 4000
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0475817.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0475817.exe
    PID: 3288
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5101603.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5101603.exe
      PID: 3308
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 204KB
MD5: 4a3fd447278c32624cd0d0462b80c349
SHA1: 11a5966dc7362a249339145a30d17af85f181b1d
SHA256: 1da8a3e8e2e09f73d015ab1b0fdd12c26c1d696f3f092e1e28584c5ccf3cf80d
SHA512: c3ec010faa09374bf927bf2ed5b572adfd1e57082b9d34cb39ec7e50893d2649930d6db30e6e0468ad822c9a5ce2aa59dc557b26b1afe41c38cdcfb38ae6509e

Filesize: 136KB
MD5: 6521194b2317000f093b04ba7fbbffd0
SHA1: 4f620c004c01e27d61d942b0e66389aa66c78c8a
SHA256: 5d90a59417436cf7d964832ec195fa0379801c385df6449146602f60665cd0d7
SHA512: e54a8e6aa9aa1976a3577a3ead4fd9aba34b0c65ab7c25a33fa0ffcc2d50b021b6e5342b4e300336ba5c465983abc124a87b9e8fc9113a53ba09078d5d1943b0