Analysis
- max time kernel: 133s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 22:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe
  - Resource: win10v2004-20241007-en
General
- Target: 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe
- Size: 1.5MB
- MD5: fda6daba8e865ac24624230dda71df1c
- SHA1: a86711dda19c0a43146ad9ee281fbcae56651a1f
- SHA256: 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77
- SHA512: 68126f14622b5ca9d1b7f8ea8b87d23e8b7d012c2bc2ef6af370e8f045513a00cfcd8fd2f250504b663f4b0542504da1bd2274d5410c186911f0a90e30a86953
- SSDEEP: 24576:KyVZb3hePQxZ3vRbtd1JdIDd6BexRukPKtiVM3tq+HkGwYnzShhkB:RVZ78POZ/RNJj4uuG6CbkjUeh
Malware Config
Extracted
- Family: redline
- Botnet: most
- C2: 185.161.248.73:4164
- auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79097386.exe | family_redline
  behavioral1/memory/800-35-0x0000000000890000-0x00000000008C0000-memory.dmp | family_redline
- Redline family
- Executes dropped EXE (5 IoCs)
  pid | process
  2432 | i40215570.exe
  1048 | i88473867.exe
  1464 | i78528976.exe
  1628 | i69662949.exe
  800 | a79097386.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i40215570.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i88473867.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i78528976.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i69662949.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i88473867.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i78528976.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i69662949.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a79097386.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i40215570.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 1304 wrote to memory of 2432 | 1304 | 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe | i40215570.exe
  PID 1304 wrote to memory of 2432 | 1304 | 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe | i40215570.exe
  PID 1304 wrote to memory of 2432 | 1304 | 521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe | i40215570.exe
  PID 2432 wrote to memory of 1048 | 2432 | i40215570.exe | i88473867.exe
  PID 2432 wrote to memory of 1048 | 2432 | i40215570.exe | i88473867.exe
  PID 2432 wrote to memory of 1048 | 2432 | i40215570.exe | i88473867.exe
  PID 1048 wrote to memory of 1464 | 1048 | i88473867.exe | i78528976.exe
  PID 1048 wrote to memory of 1464 | 1048 | i88473867.exe | i78528976.exe
  PID 1048 wrote to memory of 1464 | 1048 | i88473867.exe | i78528976.exe
  PID 1464 wrote to memory of 1628 | 1464 | i78528976.exe | i69662949.exe
  PID 1464 wrote to memory of 1628 | 1464 | i78528976.exe | i69662949.exe
  PID 1464 wrote to memory of 1628 | 1464 | i78528976.exe | i69662949.exe
  PID 1628 wrote to memory of 800 | 1628 | i69662949.exe | a79097386.exe
  PID 1628 wrote to memory of 800 | 1628 | i69662949.exe | a79097386.exe
  PID 1628 wrote to memory of 800 | 1628 | i69662949.exe | a79097386.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\521026402dabb896f318cc07941de8a50ca9625bb2b24b324dff57c0fdd2bc77.exe" (depth 1, PID 1304)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i40215570.exe (depth 2, PID 2432)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88473867.exe (depth 3, PID 1048)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78528976.exe (depth 4, PID 1464)
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69662949.exe (depth 5, PID 1628)
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79097386.exe (depth 6, PID 800)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15