Analysis
max time kernel: 111s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 10:57
Static task: static1
Behavioral task: behavioral1
Sample: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe
Resource: win10v2004-20241007-en
General
Target: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe
Size: 733KB
MD5: 5a954455a5ce586a2e657f118ed04606
SHA1: 3c908e5c9fbf97c78b0d1322a8cc6aec6ee4ed71
SHA256: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797
SHA512: 4360138612beff8606e8994f8c7e965b588722d4e65d9caa9add42052b28c0495570ed76db783b58f203042936412cbb9aaa56147de2960f31ba2fd812f03e3c
SSDEEP: 12288:NMrKy90WGUha0TiyFqnaUW8DSV6VRVs7Nq9Xgyf6vZ7gtVjCH1TSNGDF0g/6M0rP:jyxa0TtqnHXDSV6xsI9Xgb9gfCVTSUne
Malware Config
Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload 35 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3616-19-0x0000000002470000-0x00000000024B6000-memory.dmp | family_redline
behavioral1/memory/3616-21-0x0000000002610000-0x0000000002654000-memory.dmp | family_redline
behavioral1/memory/3616-27-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-67-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-83-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-81-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-79-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-75-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-73-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-71-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-69-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-65-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-63-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-61-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-59-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-57-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-53-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-51-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-49-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-47-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-45-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-43-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-41-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-39-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-37-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-35-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-33-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-31-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-86-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-77-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-29-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-25-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-55-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-23-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
behavioral1/memory/3616-22-0x0000000002610000-0x000000000264E000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE 2 IoCs
Processes: vSO32.exe, dKp28.exe
pid | Process
4384 | vSO32.exe
3616 | dKp28.exe
- Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe, vSO32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vSO32.exe
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe, vSO32.exe, dKp28.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vSO32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dKp28.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: dKp28.exe
description | pid | Process
Token: SeDebugPrivilege | 3616 | dKp28.exe
- Suspicious use of WriteProcessMemory 6 IoCs
Processes: 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe, vSO32.exe
description | pid | Process | procid_target
PID 780 wrote to memory of 4384 | 780 | 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe | 83
PID 780 wrote to memory of 4384 | 780 | 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe | 83
PID 780 wrote to memory of 4384 | 780 | 9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe | 83
PID 4384 wrote to memory of 3616 | 4384 | vSO32.exe | 84
PID 4384 wrote to memory of 3616 | 4384 | vSO32.exe | 84
PID 4384 wrote to memory of 3616 | 4384 | vSO32.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9648d1a181869f6a817e32b1d5a955f4f1f38afce2d89b4605d52f1aedd50797.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 780
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSO32.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vSO32.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4384
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKp28.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKp28.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3616
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 588KB
  MD5: 845059f2de1914f6714e4556b13a9bc8
  SHA1: bddef6e6feb852ce3fb2fdc46d58cb1242a074a2
  SHA256: 05bb1f2daf53a35f345d08436307293133373e124524a69cc817dd1261551683
  SHA512: ea88e0c2dcddbd52500a5621bc0b8e37bf9d021bc063d6b4a3efb4272f7204fbb45fe68fc1560fa31ef3420ec667fbc109148f658eca88de9973b0b3d113c232
- Filesize: 473KB
  MD5: 4935a1c3f7b324d4181b56458d1d2e07
  SHA1: f7773acb609d2865fd852f29d05f7ee698c1a4c3
  SHA256: da5ee96b2a068b7258c34264c5f8f545f982b34dcafc4ae7c209eceb53f80607
  SHA512: 2a7845cc02ff8cc0f6659a6a13c0051c15bb6153b4189004ed5c996b5b1efd3a6bf00f62d729a8af8be1b4925b9f835c01027d1ea5937876752e451cd91c268c