Analysis
-
max time kernel
111s
-
max time network
121s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
11-11-2024 21:12
Static task
static1
Behavioral task
behavioral1
Sample
06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Resource
win10v2004-20241007-en
General
-
Target
06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
-
Size
764KB
-
MD5
7b7eb5ed4e95761d238ca801ebc188a0
-
SHA1
8c3ceb819085fa73ab7f42cab0be0851daca7058
-
SHA256
06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4
-
SHA512
beed4dc47d7f006bf5f9424fba6b33b95eadb8d5d33ffad452569fbbad6ef6c1c5aecf2731fc0ba8a3a66d4014512d287d7ec26f4cdecc9aeaa5e376c2290750
-
SSDEEP
12288:RMr1y90eBOZx9EADWO06D4TnL83mYJN7O1JyAtzFTLz6olmjBAG0rtsZsP:cywZx9j6O0kYnL8BfoUAlN/ulA/1P
Malware Config
Extracted
-
Family
redline
-
Botnet
romik
-
C2
193.233.20.12:4132
-
Attributes
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/5052-22-0x00000000026D0000-0x0000000002716000-memory.dmp   family_redline
behavioral1/memory/5052-24-0x0000000005350000-0x0000000005394000-memory.dmp   family_redline
behavioral1/memory/5052-25-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-26-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-88-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-84-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-82-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-80-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-78-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-77-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-74-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-72-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-70-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-68-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-66-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-64-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-62-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-60-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-58-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-56-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-54-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-52-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-50-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-48-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-46-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-42-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-40-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-39-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-34-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-32-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-30-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-28-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-86-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-44-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
behavioral1/memory/5052-36-0x0000000005350000-0x000000000538E000-memory.dmp   family_redline
-
Redline family
-
Executes dropped EXE 3 IoCs
Processes:
pid   Process
4344  vHP13.exe
3332  vaK52.exe
5052  dVU43.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description      ioc                                                                                                                                                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  vHP13.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  vaK52.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vHP13.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vaK52.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dVU43.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  5052  dVU43.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                       pid   Process                                                                  procid_target
PID 3528 wrote to memory of 4344  3528  06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe  83
PID 3528 wrote to memory of 4344  3528  06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe  83
PID 3528 wrote to memory of 4344  3528  06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe  83
PID 4344 wrote to memory of 3332  4344  vHP13.exe                                                                84
PID 4344 wrote to memory of 3332  4344  vHP13.exe                                                                84
PID 4344 wrote to memory of 3332  4344  vHP13.exe                                                                84
PID 3332 wrote to memory of 5052  3332  vaK52.exe                                                                85
PID 3332 wrote to memory of 5052  3332  vaK52.exe                                                                85
PID 3332 wrote to memory of 5052  3332  vaK52.exe                                                                85
Processes
-
C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe  (PID 3528)
  command line: "C:\Users\Admin\AppData\Local\Temp\06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe  (PID 4344)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHP13.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe  (PID 3332)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vaK52.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe  (PID 5052)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dVU43.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
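The RunOnce values and the WriteProcessMemory rows in the Signatures tables, read together with the process tree above, tell one story: each `wextract_cleanupN` value is what Windows' own wextract/IExpress self-extractor writes so that `advpack.dll,DelNodeRunDLL32` removes its `IXP00N.TMP` extraction folder at the next logon, so the three RunOnce entries mark three nested self-extracting wrappers rather than malware persistence, and the one process that sets no such value, `dVU43.exe` (PID 5052), is also the only one enabling `SeDebugPrivilege` and the only one whose memory dumps match `family_redline`. The script below is an added example, not part of the sandbox report or its tooling: it parses rows transcribed from the tables (constructed from the report, kept in the report's flattened text form), collapses the repeated write rows into parent-child edges, walks the chain, and separates wrapper stages from the payload candidate. The regexes, field names and the "stage"/"payload candidate" terminology are the example's own assumptions.

```python
"""Rebuild the staged execution chain from flattened sandbox event rows.

Added example, not sandbox code. EVENTS is transcribed from the report's
Signatures tables; the parsing regexes and field names are this example's
own, not the sandbox's schema.
"""
import re

# Constructed from the report's rows. The duplicated write row is kept on
# purpose: the sandbox lists one row per WriteProcessMemory call.
EVENTS = r"""
PID 3528 wrote to memory of 4344 3528 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe 83
PID 3528 wrote to memory of 4344 3528 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe 83
PID 4344 wrote to memory of 3332 4344 vHP13.exe 84
PID 3332 wrote to memory of 5052 3332 vaK52.exe 85
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06a906dce9f19a4684d627900528b3fa00c8c9962cb75273130ab85e32a28de4N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vHP13.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vaK52.exe
Token: SeDebugPrivilege 5052 dVU43.exe
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
RUNONCE_RE = re.compile(r"RunOnce\\(wextract_cleanup\d+) = \"(.*)\" (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
SFX_DIR_RE = re.compile(r"IXP\d{3}\.TMP")  # wextract's per-stage temp folder


def parse_events(text):
    """Split the rows into write edges, RunOnce writers (by image) and token grants (by pid)."""
    writes, runonce, tokens, images = [], {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := WRITE_RE.match(line):
            src, dst, img = int(m[1]), int(m[2]), m[3]
            writes.append((src, dst))
            images[src] = img
        elif m := RUNONCE_RE.search(line):
            d = SFX_DIR_RE.search(m[2])
            runonce[m[3]] = (m[1], d[0] if d else None)
        elif m := TOKEN_RE.match(line):
            tokens.setdefault(int(m[2]), set()).add(m[1])
            images.setdefault(int(m[2]), m[3])
    return writes, runonce, tokens, images


def build_chain(text):
    """Walk the root-to-leaf chain implied by the WriteProcessMemory edges.

    A stage that registered a wextract_cleanup value is a self-extracting
    wrapper; sfx_dir is the IXP00N.TMP folder it unpacked the next stage into.
    """
    writes, runonce, tokens, images = parse_events(text)
    parent = {}
    for src, dst in writes:
        parent.setdefault(dst, src)        # repeated write rows collapse to one edge
    children = {}
    for dst, src in parent.items():
        children.setdefault(src, []).append(dst)
    roots = sorted(set(parent.values()) - set(parent))
    chain, pid = [], roots[0]
    while pid is not None:
        img = images.get(pid, "?")
        key, sfx_dir = runonce.get(img, (None, None))
        chain.append({"pid": pid, "image": img, "cleanup_key": key,
                      "sfx_dir": sfx_dir, "privileges": sorted(tokens.get(pid, ()))})
        kids = children.get(pid, [])
        pid = kids[0] if kids else None    # the report's chain is linear
    return chain


def sfx_depth(chain):
    """How many nested self-extracting wrappers precede the innermost stage."""
    return sum(1 for s in chain if s["sfx_dir"] is not None)


def payload_candidates(chain):
    """Stages that unpacked nothing themselves: where the real payload runs."""
    return [s for s in chain if s["sfx_dir"] is None]


def render(chain):
    lines = []
    for depth, s in enumerate(chain, 1):
        tag = (f"wextract stage, unpacks to {s['sfx_dir']}" if s["sfx_dir"]
               else "payload candidate")
        priv = f", enables {', '.join(s['privileges'])}" if s["privileges"] else ""
        lines.append(f"{'  ' * (depth - 1)}{s['pid']} {s['image']} [{tag}{priv}]")
    return "\n".join(lines)


if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print(render(chain))
    print(f"{sfx_depth(chain)} nested SFX wrappers; payload candidate PID",
          payload_candidates(chain)[0]["pid"])
```

The same walk applies to any report whose write rows share this shape; when a parent writes into several children the chain branches, and the single-child step at the end of `build_chain` would then need to fan out instead. The stage this picks out, PID 5052, is where the `family_redline` memory hits above were taken, so it is the process to dump and feed to a config extractor.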
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
660KB
MD5
93860c2c2672eacddfc695b8312650b1
SHA1
34cf958777cbfe1668475dded84c535c452979cf
SHA256
2cd7da4c69d1511e1113be693474eff0eca51706bccee5ee68fa1a362c7b6b8b
SHA512
4c8d1811d355990e4a7ddcf6f4a6cd0e03534a6ebeecc86e31549c7e8cf5fa23de896014cf25c0b730385bd41473c7a15533e763f05d5dad16f1c23c6433038b
-
Filesize
515KB
MD5
7ec5066b38d5b604c7fc69b4a631bf4f
SHA1
ab662c22af32755be901e08ef023113011167767
SHA256
763697e0615cd208407ca80dd06aee987f65280ab2a89c2d700ae7cd022f5fa5
SHA512
1ce1ddc0eb4b117765ff8909fbf4dd6048a3734c06c2281feb29ee441cb9d4024f0e66154184cd150555534c093482c33890f4e6694db015fcd4ae87814a1830
-
Filesize
296KB
MD5
b8c8132fcf9800ed3598f7cb2e9a5057
SHA1
93f3d94687f59a038d407dae0d80e6a573be1874
SHA256
d8e83015464713166e2a7580cf8c04d346c72624affc3839ae204093548fd9b4
SHA512
3688bcf4cb99717716e34cf6c2607f974e6662ad8c1a980da3bad66b8ae6f7cfa957ea58937f3a1927ccd5844c10fb9566e715869d766b70dbc16dc8c0bec6e6