Analysis

max time kernel: 111s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 13:53
Static task: static1
Behavioral task: behavioral1
Sample: 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe
Resource: win10v2004-20241007-en
General

Target: 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe
Size: 766KB
MD5: c97cc6de418b4968504f89f9c6c232c7
SHA1: 2d1530bf7dde1340d6d76d8534d56cb8ce82f4d9
SHA256: 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113
SHA512: a49bebf9d833e61a45ec8e142d9088a2dda225b6cfa7cdc7db9a09ffa7ca6d654477b80b90d7c35130e9f5bceff32528d71908ac93279ee85140e43bf1fdc96b
SSDEEP: 12288:kMrUy90T0+d7+8uqD/Y7B2o0dRRaSghuqZyFBBIlnqbt1nsciq2yN5:wyO0+5+3o/Y1mmhuqZy+RGhs3xyN5
Malware Config

Extracted
Family: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3232-22-0x00000000028B0000-0x00000000028F6000-memory.dmp | family_redline
behavioral1/memory/3232-24-0x0000000004EC0000-0x0000000004F04000-memory.dmp | family_redline
behavioral1/memory/3232-56-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-72-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-88-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-86-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-84-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-82-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-80-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-78-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-74-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-70-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-68-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-66-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-64-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-62-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-60-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-58-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-54-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-52-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-51-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-48-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-46-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-44-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-42-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-40-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-38-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-36-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-32-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-30-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-76-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-34-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-28-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-26-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
behavioral1/memory/3232-25-0x0000000004EC0000-0x0000000004EFE000-memory.dmp | family_redline
Redline family

Executes dropped EXE (3 IoCs)
Processes:
pid | Process
2852 | vwz99.exe
2864 | vgU63.exe
3232 | dKt28.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vwz99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vgU63.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vgU63.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dKt28.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwz99.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3232 | dKt28.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | Process | procid_target
PID 3760 wrote to memory of 2852 | 3760 | 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe | 83
PID 3760 wrote to memory of 2852 | 3760 | 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe | 83
PID 3760 wrote to memory of 2852 | 3760 | 294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe | 83
PID 2852 wrote to memory of 2864 | 2852 | vwz99.exe | 84
PID 2852 wrote to memory of 2864 | 2852 | vwz99.exe | 84
PID 2852 wrote to memory of 2864 | 2852 | vwz99.exe | 84
PID 2864 wrote to memory of 3232 | 2864 | vgU63.exe | 85
PID 2864 wrote to memory of 3232 | 2864 | vgU63.exe | 85
PID 2864 wrote to memory of 3232 | 2864 | vgU63.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\294e758276548b2d89206746c447929b854c24d218770cb986bb72581e307113.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3760

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vwz99.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vwz99.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2852

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgU63.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vgU63.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2864

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKt28.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKt28.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3232
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 661KB
MD5: 3e940bd19c425d12b7ad52eaf0b038dd
SHA1: 7f2d1488b0c8fddae9f093127cd0908eba3840c4
SHA256: 5c0a5272480755bb2e3b89b597d646b63bdfdffda5593ba7c8eb488fb3aabeb6
SHA512: d1f95266b1d8077cd5c4be78da96a60c331f6d18b1a0b60b1cf9c9520fffd8e62bfe7cb1165e4927bfe9ca57b14ab8f7e906802c86257c8401b15dab70d0e3e0

Filesize: 516KB
MD5: c5244f9cfc7a4dff9b6cf83c73ad6fbf
SHA1: d17c5dfc6182041667d4403a98ad83abe3441c5c
SHA256: 76344dc16173bd4e6481d3d2c052dfffcf265f3a4cbd02b9543886bf6cd86c8b
SHA512: a79a741433c5d15097ab8965307a5e368915b4cb299bf13fb146390b1a52506943276e82179ce4eb1ea4f29d6cc6e81756b80da8360af02a86c4236ff3fc3c75

Filesize: 297KB
MD5: c76b024698fbf2e549cbc0515872a7b4
SHA1: 6dd18e417c892a26a1b9eca8b4a07421e743f052
SHA256: c0171f0d598f860d522908c1247e21d1325ec3d14cfda22e181d642fe1d29c20
SHA512: 48b8cd24779f46abd1769ac6453f4b22782b0ec34841b89e15f32e130d6b4d29eb5999f00afb9fdfc927fbc02f0ec0607c933163ff1794beba58fe3db5e3e19c