Analysis

max time kernel: 110s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 01:54

Static task: static1
Behavioral task: behavioral1
Sample: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe
Resource: win10v2004-20241007-en
General

Target: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe
Size: 839KB
MD5: b234889429d64c12087c712f0feef80b
SHA1: e24d647fc8405fd37ffd244ae24e806aa1eb1491
SHA256: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b
SHA512: 71be17c6d1d8c737fb1d11006c025ab8ef26a6110307068b4bde6540e091fef4991c647694ce18bbb0f52c03a08d76c66e81f4ff8ae480ce5c6f00fefa0753ec
SSDEEP: 12288:LMr9y90XvVXqdFlfGwvVnfrD1hYqx54DW10TrwfTxZn/U3hZGsOL2Q9+RDCabY:2y+VopZhfrjZOc9Z/ShYB+RDCabY
Malware Config

Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
Redline family
Executes dropped EXE 3 IoCs
Processes:
- PID 2896: vds58.exe
- PID 1904: vmV74.exe
- PID 4852: dWw49.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: vds58.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: vmV74.exe)
Note: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the cleanup hook written by the Windows IExpress self-extractor (wextract) for each extraction layer; they delete the temp directory at next logon rather than relaunch anything, so this signature reflects the three nested self-extractor wrappers, not persistence of the final RedLine stage.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vds58.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vmV74.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dWw49.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege (PID 4852, process: dWw49.exe)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 4536 wrote to memory of 2896 (process: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe, procid_target 83)
- PID 4536 wrote to memory of 2896 (process: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe, procid_target 83)
- PID 4536 wrote to memory of 2896 (process: 4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe, procid_target 83)
- PID 2896 wrote to memory of 1904 (process: vds58.exe, procid_target 84)
- PID 2896 wrote to memory of 1904 (process: vds58.exe, procid_target 84)
- PID 2896 wrote to memory of 1904 (process: vds58.exe, procid_target 84)
- PID 1904 wrote to memory of 4852 (process: vmV74.exe, procid_target 85)
- PID 1904 wrote to memory of 4852 (process: vmV74.exe, procid_target 85)
- PID 1904 wrote to memory of 4852 (process: vmV74.exe, procid_target 85)
Processes (nesting level in brackets)

- [1] C:\Users\Admin\AppData\Local\Temp\4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe (PID 4536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a40ebf0b646e9cadb06461dcb353da907f161d08dc99cf328b70fde69f30b8b.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vds58.exe (PID 2896)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vds58.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmV74.exe (PID 1904)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmV74.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWw49.exe (PID 4852)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWw49.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 735KB
  MD5: dd544a0c9127a28ebd06b73ec158fdf7
  SHA1: 03672a1e0f179633cc7d4198cc601ad59e034c9c
  SHA256: 851a85ff1cd2cb969b3ef122df17f5e3c87a6f7360869857ac03feae668a60df
  SHA512: 65de438d0404ef53929636bc03e8ff972f34be9d7cb2e39b2ed9864ed5d3d3ffc4b9b2073e5c24b12aa0302d5540980d7958b381bc023e0c22356d18757f64de
- Filesize: 589KB
  MD5: ec856571b016951c12e6871ea93ea181
  SHA1: e2b723955d9bf0e00ef01d08ca7dba5909a2e8cb
  SHA256: 09d037b091b6e82b0a05f079eac45b3fc9360f1ecddb46850e6e944834f92008
  SHA512: 8d95b5a3e55c002d8a17611e1fdba912a438f256f9eb5dea61b779f6973abbde5543f7390d1c37482e895d855dd609080a3ff2c78d6c58b97c593a71a69ad9fe
- Filesize: 481KB
  MD5: cad110ca2f60ecd3c9c16e973b59d3f1
  SHA1: 93c455fbd0f645c6cf56208eb34489f889866913
  SHA256: 4e6f291cfe31f835aa30b7df5078c5ecd6cd758104b8a8a8e40cbd7257ed6ba5
  SHA512: 3bf5bd8c9ce7f45d8c517e28df9bee44a4521d942ccfe44153ff8b4b1e55137e76c229a0a04c5b77a93ee13b397fd59883fec06ac81d93bb82645af6ee6af983