Analysis
-
max time kernel
111s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-11-2024 06:49
General
-
Target
63c71776b7cf0ed1c5a4a62af775c5e012c9dcdfb06304952486c671a0b3ad07N.exe
-
Size
582KB
-
MD5
ba6cbff5944c4491c9e1014b88f83c0b
-
SHA1
f5d41af486c65d12c5ec1d1adfce921a34c471cf
-
SHA256
29453d1637476037fa13266e6a13b18149b80919ff892a15336bcb728568e79e
-
SHA512
45de05f8209d528bbbcdd8be0d056fb0cbbb0b07f7fd0611f2d7eb27191d7f6c708845b32327996319305a5a43e1f632cde03c8272350efb9c2e49459927f3a5
-
SSDEEP
12288:7Mr7y90WfaaVSGEgQkpRL/8/uqPXgJqrtE:oyFVigtRLk/u0XPJE
Malware Config
Extracted
redline
ronam
193.233.20.17:4139
-
auth_value
125421d19d14dd7fd211bc7f6d4aea6c
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\63c71776b7cf0ed1c5a4a62af775c5e012c9dcdfb06304952486c671a0b3ad07N.exe"C:\Users\Admin\AppData\Local\Temp\63c71776b7cf0ed1c5a4a62af775c5e012c9dcdfb06304952486c671a0b3ad07N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyg83lN66.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyg83lN66.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eAD13Dl.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eAD13Dl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
437KB
MD5733f23218e42eb3e9debb84677a5a8b5
SHA1d656f1477ac2a2207d5b7abb2b803791b7612b13
SHA256bd6923ed5005c1edbe918e037db0bca5aa313c8c6eb6d09f75fe8ad8730246f8
SHA512f1758be4cc39c305a6c449bd440ea8eb866829a7572953de9a1adbca9135a1d9840b019aac35c41634c644b3d22abc54852872fea7bc719133226f7741042f7b
-
Filesize
311KB
MD54bfdf9d989b41e197aff889080aa38f3
SHA1d0e435c2baf1d9098b15efb642e9534583bbc063
SHA256c0bfbc038e56436fa43f3d42253f0668a8cb23dea8856aae3afd99154737afe1
SHA51250ea99f870b96b694798431753eb9695ac5a4f4011e7cd560d98e94a2941de887101bb0b59aba018a85b28bb259b9cc8fde1d7e4595ab07c1dfdff0c6a2c811b
-
Filesize
1024KB
-
Filesize
312KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
312KB