Analysis
-
max time kernel
133s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/11/2024, 20:05
Static task
static1
Behavioral task
behavioral1
Sample
196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe
Resource
win10v2004-20241007-en
General
-
Target
196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe
-
Size
424KB
-
MD5
d6be788ce9a46ab76facbde4eb6adeca
-
SHA1
e29bcb9ebd025b0e087d0db65f21e8ba77bbe90f
-
SHA256
196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f
-
SHA512
b9d51402c668fac718f406dc3938d8156f6d084c1812aab2b94b16d44ead0e8c6ac0224c609369cf8400905cf444ce56c7348bea25c1f0ffc6b822a8a26b00a1
-
SSDEEP
6144:YMjrkdSCFNVLHqgQyg9FuCuyqwdsBWTvTFMJYkL9SlWL1KEq2ZQuRWxwXT:YkJCrVTeL9FuCurwdswTrFZkZ/njBj
Malware Config
Extracted
redline
norm
77.91.124.145:4125
-
auth_value
1514e6c0ec3d10a36f68f61b206f5759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral1/memory/1224-2088-0x00000000021C0000-0x00000000021F2000-memory.dmp family_redline behavioral1/files/0x0009000000016f97-2091.dat family_redline behavioral1/memory/8700-2101-0x0000000000380000-0x00000000003B0000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 1 IoCs
pid Process 8700 1.exe -
Loads dropped DLL 1 IoCs
pid Process 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1224 wrote to memory of 8700 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe 31 PID 1224 wrote to memory of 8700 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe 31 PID 1224 wrote to memory of 8700 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe 31 PID 1224 wrote to memory of 8700 1224 196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe"C:\Users\Admin\AppData\Local\Temp\196a02b61169606da253979ddbc7c0b8a42a76a42e909dff96d2e8de5e58b82f.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD51073b2e7f778788852d3f7bb79929882
SHA17f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA51290cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0