Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11-11-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe
Resource
win10v2004-20241007-en
General
-
Target
ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe
-
Size
442KB
-
MD5
ecfc84b0498815c15e43d6111712b548
-
SHA1
b1ea921870bee4873e348e34b88d5d279990e4d3
-
SHA256
ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c
-
SHA512
03589d719d8a9f6d0899b70f407cb9f9e201547a1a9487047bedeaca453633bc6a50bcfb8661f00d03563eec9d78e3fe2ee70f2292a4fa1429bbb73efaf24264
-
SSDEEP
12288:1MrRy909xQih1l5eJwD7ob0ZR0DC/oaz0oHINx:QyQh1HeJwD7oocpa4RP
Malware Config
Extracted
redline
rodik
193.233.20.23:4124
-
auth_value
59b6e22e7cfd9b5fa0c99d1942f7c85d
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource yara_rule
behavioral1/memory/4836-10-0x0000000004DA0000-0x0000000004DE6000-memory.dmp family_redline
behavioral1/memory/4836-13-0x00000000071A0000-0x00000000071E4000-memory.dmp family_redline
behavioral1/memory/4836-53-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-29-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-67-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-77-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-75-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-73-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-71-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-65-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-63-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-61-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-59-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-57-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-55-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-51-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-49-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-47-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-45-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-43-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-41-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-39-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-37-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-35-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-33-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-31-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-27-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-25-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-23-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-21-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-19-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-17-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-69-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-15-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline
behavioral1/memory/4836-14-0x00000000071A0000-0x00000000071DF000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
Processes:
pid Process
4836 lfX64DM02.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfX64DM02.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid Process
Token: SeDebugPrivilege 4836 lfX64DM02.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description pid Process procid_target
PID 2224 wrote to memory of 4836 2224 ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe 83
PID 2224 wrote to memory of 4836 2224 ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe 83
PID 2224 wrote to memory of 4836 2224 ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe
"C:\Users\Admin\AppData\Local\Temp\ceb9b80dd23aed01d86e6239010aa9f4f37b926c5e70b73020cb984a42019b4c.exe"
Process tree level 1
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lfX64DM02.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lfX64DM02.exe
Process tree level 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
376KB
MD5
443c71caec6bed37a71ecd59cb978302
SHA1
540e05954bfa11903221e910e469294f86c07f3a
SHA256
df2d8bfb601197ca4fc0336b2d1c64984e12f399fa4a6a1269e306b008e8e61c
SHA512
53fea4974fb51b019a74287a7c46e9cabb47a8069029d80070c63c5b78b674efc7826a0cab1e40e5298b711a38e36f28677896585ef5729212eaec9928b74308