Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 14-11-2024 00:02

Static task: static1
Behavioral task: behavioral1
Sample: 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe
Resource: win10v2004-20241007-en
General

Target: 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe
Size: 677KB
MD5: 0fe557f831089f1b4a244f74901e665b
SHA1: 92d4a1b9f4b74e2bc3aacf0814c31ddccd89da28
SHA256: 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d
SHA512: 2d34b7c4f2b1c501914e4d221db27c0a350934486112481a9c0146c1d8b78cb1f5c76f1bec9ff655f14b6435500901f2cd29781a957375bb373dd8c910a710ec
SSDEEP: 12288:WMrTy90LbpR8dYyva3ZFRdapFjnzS8XDUYxnRA:Bykd+7fzm8TUEnRA
Malware Config

Extracted: redline
Botnet: romik
C2: 193.233.20.12:4132
auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (35 IoCs)
All 35 family_redline YARA hits are memory dumps of PID 2028 (dor78.exe, the third-stage process). They cover only two regions: 0x28A0000-0x28E6000 in dump 19, and 0x4DB0000 in every dump from 21 onward (0x4DB0000-0x4DF4000 at dump 21, 0x4DB0000-0x4DEE000 afterwards; the second number in each name is the dump index). Neither of the two outer processes produces a payload hit, which marks them as wrappers around dor78.exe.
- behavioral1/memory/2028-19-0x00000000028A0000-0x00000000028E6000-memory.dmp family_redline
- behavioral1/memory/2028-21-0x0000000004DB0000-0x0000000004DF4000-memory.dmp family_redline
- behavioral1/memory/2028-83-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-85-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-81-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-79-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-77-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-75-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-73-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-71-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-69-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-67-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-65-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-63-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-61-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-59-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-57-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-55-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-53-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-51-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-49-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-47-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-45-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-43-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-37-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-35-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-33-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-31-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-29-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-27-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-25-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-23-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-22-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-41-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
- behavioral1/memory/2028-39-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline
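Thirty-five hits look like a lot, but they collapse to two regions of one process. The following Python example is added here and is not part of the sandbox report or its tooling: it parses dump names in the report's task/memory/PID-INDEX-0xSTART-0xEND-memory.dmp RULE layout and summarises each distinct region (index span, size range, and the earliest dump, which is the one to pull first for static analysis of the unpacked payload). A subset of the names listed above is embedded; the full list yields the same two regions, since every entry not shown is 0x4DB0000-0x4DEE000.

```python
import re
from collections import defaultdict

# Dump name layout used by the report:
#   <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"^(?P<dump>(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp)\s+(?P<rule>\S+)$"
)

# Subset of the 35 family_redline hits in this report, copied as written; the
# other 28 entries are all 0x4DB0000-0x4DEE000 and do not add a region.
MEMORY_HITS = [
    "behavioral1/memory/2028-19-0x00000000028A0000-0x00000000028E6000-memory.dmp family_redline",
    "behavioral1/memory/2028-21-0x0000000004DB0000-0x0000000004DF4000-memory.dmp family_redline",
    "behavioral1/memory/2028-22-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline",
    "behavioral1/memory/2028-23-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline",
    "behavioral1/memory/2028-41-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline",
    "behavioral1/memory/2028-83-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline",
    "behavioral1/memory/2028-85-0x0000000004DB0000-0x0000000004DEE000-memory.dmp family_redline",
]


def parse_hit(line):
    """Parse one 'dump rule' line into a dict, or None if it does not match."""
    m = DUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "dump": m["dump"], "task": m["task"], "rule": m["rule"],
        "pid": int(m["pid"]), "index": int(m["index"]),
        "start": int(m["start"], 16), "end": int(m["end"], 16),
    }


def summarize_regions(lines):
    """Group hits by (pid, rule, region start) and return one record per region,
    sorted by pid and start address."""
    groups = defaultdict(list)
    for line in lines:
        h = parse_hit(line)
        if h:
            groups[(h["pid"], h["rule"], h["start"])].append(h)
    regions = []
    for (pid, rule, start), hits in sorted(groups.items()):
        hits.sort(key=lambda h: h["index"])
        sizes = {h["end"] - h["start"] for h in hits}  # region may shrink between dumps
        regions.append({
            "pid": pid, "rule": rule, "start": start, "hits": len(hits),
            "first_index": hits[0]["index"], "last_index": hits[-1]["index"],
            "min_size": min(sizes), "max_size": max(sizes),
            "earliest_dump": hits[0]["dump"],
        })
    return regions


def describe(regions):
    """One human-readable line per region."""
    out = []
    for r in regions:
        lo, hi = r["min_size"] // 1024, r["max_size"] // 1024
        size = f"{lo} KiB" if lo == hi else f"{lo}-{hi} KiB"
        out.append(
            f'pid {r["pid"]} {r["rule"]} @0x{r["start"]:X} {size}, '
            f'dumps {r["first_index"]}-{r["last_index"]} ({r["hits"]} hits); '
            f'first dump: {r["earliest_dump"]}'
        )
    return out


if __name__ == "__main__":
    for line in describe(summarize_regions(MEMORY_HITS)):
        print(line)
```

Run it on the full list from the report and the output is the same two lines, one for the 280 KiB region at 0x28A0000 and one for the 0x4DB0000 region that shrinks from 272 KiB to 248 KiB after dump 21.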
Redline family
Executes dropped EXE (2 IoCs)
- PID 4840 vQe35.exe
- PID 2028 dor78.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" by vQe35.exe
Caveat: both values are wextract_cleanupN entries that point rundll32 at advpack.dll,DelNodeRunDLL32 with an IXP00N.TMP directory. That is the standard cleanup hook the Windows IExpress self-extractor (wextract) writes so its temp folder is deleted at the next logon; it is not an attacker-controlled autostart and does not persist the payload. What it does tell you is that the sample and vQe35.exe are nested IExpress packages (IXP000.TMP, then IXP001.TMP), with dor78.exe as the innermost stage.
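To separate IExpress cleanup hooks from real autostart entries when triaging Run/RunOnce IoCs like the two above, here is an added Python example; it is not part of the sandbox report or its tooling. It parses rows in the report's Set value (type) key\name = "data" process layout, recovers the directory DelNodeRunDLL32 would delete, and labels the row sfx-cleanup or persistence. The two report rows are embedded as they appear; the third row is constructed (invented SID, path and process name) to exercise the persistence branch.

```python
import re

# Autostart keys worth triaging (leaf names under ...\CurrentVersion\).
RUN_KEYS = {"Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"}

# Sandbox row layout: Set value (type) \REGISTRY\...\Key\Name = "data" process
LINE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>.*)" (?P<process>\S+)$'
)

# wextract (IExpress SFX) cleanup hook: rundll32 advpack.dll,DelNodeRunDLL32 "<tempdir>"
CLEANUP_NAME_RE = re.compile(r"wextract_cleanup\d+")
CLEANUP_MARKER = "advpack.dll,DelNodeRunDLL32"

# Rows 1 and 2 are copied from this report. Row 3 is constructed (the SID,
# path and process name are invented) to show the persistence branch.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vQe35.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1234567890-1234567890-1234567890-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" sample.exe',
]


def classify_run_key(row):
    """Return a triage record for a 'Set value' row that writes an autostart
    key, or None for any other row."""
    m = LINE_RE.match(row.strip())
    if not m:
        return None
    key = m["key"]
    leaf = key.rsplit("\\", 1)[-1]
    if leaf not in RUN_KEYS:
        return None
    rec = {
        "hive": "HKLM" if key.startswith("\\REGISTRY\\MACHINE") else "HKU",
        "key": leaf,
        "wow64": "\\WOW6432Node\\" in key,
        "name": m["name"],
        "data": m["data"],
        "process": m["process"],
        "cleanup_dir": None,
        "verdict": "persistence",
    }
    if CLEANUP_NAME_RE.fullmatch(m["name"]) and CLEANUP_MARKER in m["data"]:
        # Recover the directory DelNodeRunDLL32 will delete: drop the escaped
        # quotes around it and collapse the doubled backslashes of the dump.
        _, _, tail = m["data"].partition("DelNodeRunDLL32")
        rec["cleanup_dir"] = tail.strip().strip('\\"').replace("\\\\", "\\")
        rec["verdict"] = "sfx-cleanup"
    return rec


def triage(rows):
    """Classify every row, dropping rows that are not autostart writes."""
    return [r for r in (classify_run_key(x) for x in rows) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        line = r["verdict"].ljust(12) + " " + r["hive"] + "\\...\\" + r["key"] + "\\" + r["name"] + " by " + r["process"]
        if r["cleanup_dir"]:
            line += " -> deletes " + r["cleanup_dir"]
        print(line)
```

A cleanup verdict still has value: the IXP00N.TMP path it names is where the next stage was unpacked, so it is the directory to collect before the RunOnce entry fires.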
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by vQe35.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dor78.exe
All three stages open this key, including the two self-extractor wrappers, so on its own the read is a weak signal: ordinary locale lookups touch the same key, and it does not by itself show that the payload geofences.
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege enabled by PID 2028 dor78.exe
Only the final-stage process, the one carrying the family_redline memory hits, enables SeDebugPrivilege; neither wrapper does.
Suspicious use of WriteProcessMemory (6 IoCs)
Columns: description, source PID, source process, sandbox target id. Each launch appears as three identical rows.
- PID 3868 wrote to memory of 4840 (source 3868 87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe, target id 83), 3 rows
- PID 4840 wrote to memory of 2028 (source 4840 vQe35.exe, target id 85), 3 rows
Both writes go into the child each stage has just launched (3868 -> 4840 -> 2028), which matches the nested process tree below rather than injection into an unrelated process.
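Reconstructing the process chain from the flattened WriteProcessMemory rows, as an added Python example that is not part of the report or the sandbox's code. It parses the rows in the report's PID <src> wrote to memory of <dst> <src> <name> <target id> layout, names the PIDs using the Executes dropped EXE signature, rebuilds the parent chain, and flags any write whose target is not a known dropped child. The six rows are copied from this report; the seventh row (PID 2028 writing into PID 1234) is constructed to show the flagged case and did not occur in this analysis.

```python
import re
from collections import Counter, defaultdict

# Sandbox row layout: PID <src> wrote to memory of <dst> <src> <src name> <target id>
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) (?P<src_name>\S+) (?P<target>\d+)"
)

SAMPLE = "87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe"

# Rows 1-6 are copied from this report. Row 7 is constructed (PID 1234 is
# invented) to show a write into a process that is not a known dropped child.
WPM_ROWS = [
    f"PID 3868 wrote to memory of 4840 3868 {SAMPLE} 83",
    f"PID 3868 wrote to memory of 4840 3868 {SAMPLE} 83",
    f"PID 3868 wrote to memory of 4840 3868 {SAMPLE} 83",
    "PID 4840 wrote to memory of 2028 4840 vQe35.exe 85",
    "PID 4840 wrote to memory of 2028 4840 vQe35.exe 85",
    "PID 4840 wrote to memory of 2028 4840 vQe35.exe 85",
    "PID 2028 wrote to memory of 1234 2028 dor78.exe 90",  # constructed, not in the report
]

# PID -> name, from the "Executes dropped EXE" signature of this report.
DROPPED_EXE = {4840: "vQe35.exe", 2028: "dor78.exe"}


def parse_wpm(rows):
    """Return (src_pid, dst_pid, src_name) for each WriteProcessMemory row."""
    events = []
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_name"]))
    return events


def build_tree(events, dropped):
    """Return (names, children, parents, write_counts) built from the events."""
    names = dict(dropped)
    children = defaultdict(list)
    writes = Counter()
    for src, dst, src_name in events:
        names.setdefault(src, src_name)       # the source column names the writer
        writes[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    parents = {c: p for p, cs in children.items() for c in cs}
    return names, dict(children), parents, writes


def chain_to(parents, pid):
    """Ancestor chain from the root down to pid."""
    chain = [pid]
    while chain[0] in parents:
        chain.insert(0, parents[chain[0]])
    return chain


def suspicious_writes(writes, dropped):
    """Writes whose target is not a known dropped child: worth a closer look as
    possible injection into an already-running process rather than a launch."""
    return sorted((s, d, n) for (s, d), n in writes.items() if d not in dropped)


def render_tree(names, children, parents):
    """Indented one-line-per-process view, roots first."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in children if p not in parents]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    names, children, parents, writes = build_tree(parse_wpm(WPM_ROWS), DROPPED_EXE)
    print("\n".join(render_tree(names, children, parents)))
    for src, dst, n in suspicious_writes(writes, DROPPED_EXE):
        print(f"flag: {src} ({names[src]}) wrote {n}x into unknown PID {dst}")
```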
Processes

C:\Users\Admin\AppData\Local\Temp\87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe (level 1, PID 3868)
Command line: "C:\Users\Admin\AppData\Local\Temp\87bc45ce7ac1843ba3a0fc42af828df1d7a8a6dc9dce1f711e9bca945eeece2d.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vQe35.exe (level 2, PID 4840, launched by 3868)
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vQe35.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dor78.exe (level 3, PID 2028, launched by 4840)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dor78.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Two dropped files were collected; the report does not name them. Their sizes (677KB sample, then 532KB, then 338KB) are consistent with the two nested IXP000.TMP and IXP001.TMP stages in the process tree.

Filesize: 532KB
MD5: 902ad6d46dbf9f919371d0f48762fd36
SHA1: 47a00953fdc6c48beda44dbc29a703bf5f6cf043
SHA256: 2ac5a41a155a6181c713b92362c3346ace5693b4ff726c67a658c7cdd7cdc9b9
SHA512: 2d6c1c84fc455b8c8a08572936a5eb67f7719f173f6f4ecf89a38c32d3733349fe077e7bd987588b639c3632e0ae4d5379f0138c52536120954ea7476a50d948

Filesize: 338KB
MD5: cb2d93db92499f0d807e5de936216415
SHA1: 6599f128b4914dfa7085a114f765f28ab2383366
SHA256: 8b784da006ef6549b3db738ed63352e81be6cf5941330388e02b72ec188c41f6
SHA512: af7c64d82e6d728cbbaf73e39f3f5203a6a575e06dd8e847f937460df83aeadc1599d45e6edc1af35bef60ac899e369f96b181932e25bce850fe179a05e6ba66