Analysis
- max time kernel: 131s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 20:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe
- Resource: win10v2004-20241007-en
General
- Target: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe
- Size: 827KB
- MD5: 3f430cac0f05ea51024a4b6b608940be
- SHA1: bca0b8d2ee891fd05f7b5c2ebe3f0c0213828370
- SHA256: 3dec4c657670ec036c130d0123fe57d269f23c55b91a9f3e9cabe30557e7b209
- SHA512: 761a7ce24b6261951a6083c29d415f6656fc2a8c0ac6279fd7af694314287b20653b393bf1a86e1a13ca05dc21c6c3726c9b427e59ca8ce07ad01e5c048ea851
- SSDEEP: 12288:My90KV5ujJtDWfCpHwVkbdqN+BprwSy7RpIO6KMcD1x43mjVi:Myb5StDz/d3+n7bD1xvi
Malware Config
Extracted (family: redline)
- botnet: max
- C2: 185.161.248.73:4164
- auth_value: efb1499709a5d08ed1ddf71cff71211f
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Resources matching YARA rule:
  - behavioral1/files/0x000b000000023b8a-12.dat: family_redline
  - behavioral1/memory/3588-15-0x0000000000120000-0x0000000000150000-memory.dmp: family_redline
- Redline family
- Executes dropped EXE (2 IoCs)
  Processes (PID, process):
  - 2184 i71032393.exe
  - 3588 a15424951.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe, i71032393.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: i71032393.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe, i71032393.exe, a15424951.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: i71032393.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a15424951.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe, i71032393.exe
  Entries (description, PID, process, procid_target):
  - PID 3004 wrote to memory of 2184; 3004 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe; 83
  - PID 3004 wrote to memory of 2184; 3004 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe; 83
  - PID 3004 wrote to memory of 2184; 3004 53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe; 83
  - PID 2184 wrote to memory of 3588; 2184 i71032393.exe; 84
  - PID 2184 wrote to memory of 3588; 2184 i71032393.exe; 84
  - PID 2184 wrote to memory of 3588; 2184 i71032393.exe; 84
Processes
- C:\Users\Admin\AppData\Local\Temp\53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe (depth 1, PID 3004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\53571a508370bdb5c62abbdb4a1dddf9e98b2403f1aabe83b9b1f0b144e6016fN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i71032393.exe (depth 2, PID 2184)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i71032393.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a15424951.exe (depth 3, PID 3588)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a15424951.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 363KB
  - MD5: 9cbcb8730978c37f90330123ca539054
  - SHA1: 208d28013e3037ad8fd3ec05fefdf12c5fc6e7e4
  - SHA256: f2a45b70111ffcf42648134724daac6b68fddd101cf6cbff971e1d496072e88c
  - SHA512: ed81e1acd6719af2cfdee2a4a211f379fc267a59c57857514d044f8cd159c69774aac8fadb418d79d9d6fd359bfa6d6b89068d097c459409bf86d691552be01e
- File 2
  - Filesize: 168KB
  - MD5: 3667bb8b74dbb8234e991d5b664216d2
  - SHA1: 3b968dccd990609e7ec87699aa7b24f436e3e537
  - SHA256: b0c78ae97ef3a5f91c6e17b93a97a7a3ce78fe1c3c59056e9337068cd372b6d3
  - SHA512: 67975ed945c18185ee2cf69e84e4edf2571c2a8fc3b5442965f558c274ce318ff0e955596575691385bb18dd9ed39a69c06e0951f48759ccc1cae0c9e15f4544