Analysis
-
max time kernel
107s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/11/2024, 19:41
Static task
static1
Behavioral task
behavioral1
Sample
3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe
Resource
win10v2004-20241007-en
General
-
Target
3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe
-
Size
576KB
-
MD5
bd629fcc6bc767499a841c046d8d8f7f
-
SHA1
42bd81f7104eb53c46f6a4f8dfcfd1b446f27ff2
-
SHA256
3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597
-
SHA512
b54919b22c3ae1c438f1b3df38bba6458d84c3185256f16e4ec0b6b8aaf41f53bc67a19c8d7a7365e22011b1a046815e1480ff6b66e20b796ba260f3d01e5638
-
SSDEEP
12288:u8Lx8V4JrnK6sNHpH8qaVjIRhNQLkMIFyvvp3:uWx5re8pjIJWdIFix3
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/2872-2152-0x0000000005540000-0x0000000005572000-memory.dmp family_redline behavioral1/files/0x000b000000012029-2155.dat family_redline behavioral1/memory/4788-2161-0x0000000000FF0000-0x000000000101E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
pid Process 4788 1.exe -
Loads dropped DLL 1 IoCs
pid Process 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4788 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe 28 PID 2872 wrote to memory of 4788 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe 28 PID 2872 wrote to memory of 4788 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe 28 PID 2872 wrote to memory of 4788 2872 3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe"C:\Users\Admin\AppData\Local\Temp\3a2178b2153c1a601003c7b8c569a9a94853b589a4a8eca244189b5afd073597.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf