Analysis
-
max time kernel
109s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 13:05
Static task
static1
Behavioral task
behavioral1
Sample
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe
Resource
win10v2004-20241007-en
General
-
Target
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe
-
Size
576KB
-
MD5
4533ae1267a4dc291858357d1882f690
-
SHA1
42b3293ecd5c0a20f643f68b519716e6e81e8747
-
SHA256
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5c
-
SHA512
02ff0dbb7e3bd0d0dffea52c4842b3b421ac05a6eab54c75348df8bce4c82efadedacc329279d6b359aa2428be3159b535eb3302a3d0a5de715475c78a6e3084
-
SSDEEP
12288:T8Lx8V4JrnK6sNHpH8qaVjIRhNQLkMIFyvvp:TWx5re8pjIJWdIFix
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2644-2155-0x0000000002B50000-0x0000000002B82000-memory.dmp family_redline behavioral2/files/0x000d000000023ad8-2160.dat family_redline behavioral2/memory/5900-2169-0x00000000009D0000-0x00000000009FE000-memory.dmp family_redline -
Redline family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe -
Executes dropped EXE 1 IoCs
Processes:
1.exepid Process 5900 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4840 2644 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe1.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exedescription pid Process Token: SeDebugPrivilege 2644 b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exedescription pid Process procid_target PID 2644 wrote to memory of 5900 2644 b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe 86 PID 2644 wrote to memory of 5900 2644 b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe 86 PID 2644 wrote to memory of 5900 2644 b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe"C:\Users\Admin\AppData\Local\Temp\b19d58f3cdb90884cd9f94eee285a38e104307a85d55f5f5d13ccec4146eee5cN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 10962⤵
- Program crash
PID:4840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2644 -ip 26441⤵PID:3708
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf