Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 10:26
General
-
Target
4db8316519d7b38dede20965b80a302b9e87ab39fa77bde38f98ca6d9973a82a.exe
-
Size
761KB
-
MD5
ccb66f8c4ea3eb03fc022ed6ad2384b7
-
SHA1
ebdb6d33e624c05f5552361217bae7c65ca44d4e
-
SHA256
4db8316519d7b38dede20965b80a302b9e87ab39fa77bde38f98ca6d9973a82a
-
SHA512
d01bcbeddf80dfa6137a72cdad0d645dbaf1571a9ae31e9aaa3f7c46dd7813db711d80c464da8c45de0f13c5ad8f1c09e35b28848de75a3112e638476afdd8dd
-
SSDEEP
12288:LMr6y90YBVVt/TPilYTYRSsUEs+MPkMGes63khgl1l8NFRxGITvBICoHPZIJd5+:ty5V//j2JRJsxkMGN5ylTUxGI9ICqIF+
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4db8316519d7b38dede20965b80a302b9e87ab39fa77bde38f98ca6d9973a82a.exe"C:\Users\Admin\AppData\Local\Temp\4db8316519d7b38dede20965b80a302b9e87ab39fa77bde38f98ca6d9973a82a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vAF01.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vAF01.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vTC30.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vTC30.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daQ53.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daQ53.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
657KB
MD5edda5d04a21397c3922365d3bacf7dd2
SHA1c970ff4acddaf769c7610e5b95e1a13d482eb24b
SHA2567d6582a914a25b7dee86f508fae2de5a321db6d265dd18f99ae324966c5c92e0
SHA5128da2303b53088dd6294446a5a9d236a74fda0bb2d10dc9184c3640824001d47c919177888bceb61014748ad6a1613b5b9dd759bec7ca243cc40184ed09164f90
-
Filesize
512KB
MD5cf9ac8c288116e56f91e1179bc5780b8
SHA1c02fae21067e69610bb0ee881f550d2dae9db147
SHA256f8a06cd0c515518dfe07c6d45731f84b522b055b495eb302a0dcea522392d2c0
SHA512cde2dfec6c0197bc1da29e6d4838648afcea811d733eb666144d2cb70db9287f7c2a30d6806f7d08ad6ade5b4d2d243dcd58853514f283404751c3c83e6a161a
-
Filesize
289KB
MD5f342f2a8fe360afdc2dc03c5d8ccc0c7
SHA1b574324d34bac92df9b656b64b25e59ac3e2e111
SHA256f10ded8a5ec704dd5bc919c2e992aa30c246b30d3e6109ab83fe7d801248f1ef
SHA512444ecb4f34553747e3581285cccb354f996e96cbb1dfc16534ad801e23ab9fba22bec06fab00cd4e96586899a93968405e4db9f064f3d9cff6d9b4ea6516479a
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB