Analysis
-
max time kernel
135s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/11/2024, 20:04
Static task
static1
Behavioral task
behavioral1
Sample
18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe
Resource
win10v2004-20241007-en
General
-
Target
18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe
-
Size
530KB
-
MD5
4179d4b033ebbd206832dfb3b96de95b
-
SHA1
781d88260499ded6a492c83ad95f8c1c3d51290d
-
SHA256
18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc
-
SHA512
c49697296d48ce6144ed2365dbbd060a2472f6514926ae1caaee0616c965ecf393953fd4c8bc6b3f4cf45bb57685c4736565c8d8c3d8b2275f278d8429eac6fd
-
SSDEEP
6144:Xf+tFwZ1VSpZlg5XQIt6UqUm82+jDxTMjUa+pSZWeeSyIiCsF/nNDHgI5KLQG+:PMFw92g5gi6bhqDmrUS3JAVNHgI5G2
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/2896-2154-0x00000000027E0000-0x0000000002812000-memory.dmp family_redline behavioral1/files/0x0009000000015d36-2157.dat family_redline behavioral1/memory/9832-2165-0x0000000000110000-0x000000000013E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
pid Process 9832 1.exe -
Loads dropped DLL 1 IoCs
pid Process 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2896 wrote to memory of 9832 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe 28 PID 2896 wrote to memory of 9832 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe 28 PID 2896 wrote to memory of 9832 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe 28 PID 2896 wrote to memory of 9832 2896 18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe"C:\Users\Admin\AppData\Local\Temp\18cdf8b9bdf1b74cc441cfb25129ae192440b923c4e3d1ec0216833fc1bdfcfc.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9832
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf