Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 03:49
General
-
Target
2f2bbc9f2e3433d8cc4f45c987b411a9955e774828ab3506e1af25ca21261f44.exe
-
Size
657KB
-
MD5
3d6832a200701888feee0bbb2dc580fb
-
SHA1
f46833d9fbf7c0df0414a4aacf2e95a3922102ad
-
SHA256
2f2bbc9f2e3433d8cc4f45c987b411a9955e774828ab3506e1af25ca21261f44
-
SHA512
7d17c63981cdcd56039b6dc15e20ac8a52eb1f799ab65bfb044ac50a3d937691f6f1e0a986a855d1a55ccb88eb718de706e6eb786f072602fd6e2a799d2838da
-
SSDEEP
12288:cMrXy90P+cWMcQC70dxGGKcs2VTKufCqAXhHxDzkFl2FOb+oJ6ZxBP:byU+cWMcQB9nsATK9qohRGcfoJkx5
Malware Config
Extracted
redline
romik
193.233.20.12:4132
-
auth_value
8fb78d2889ba0ca42678b59b884e88ff
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Redline family
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f2bbc9f2e3433d8cc4f45c987b411a9955e774828ab3506e1af25ca21261f44.exe"C:\Users\Admin\AppData\Local\Temp\2f2bbc9f2e3433d8cc4f45c987b411a9955e774828ab3506e1af25ca21261f44.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrB80.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrB80.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlh76.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlh76.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD56941bad8b07135f1b181bf0b8cbb8ffb
SHA157de6025aba199fdad5ab48fde37d31ae036d936
SHA2567d12009f5d740dcbf8c5c17e9afd1be3204752e75f267674b986ebc8f711e1aa
SHA51250854a0bb12d8a23afa30de3b1c5293bd190bb3d693660fd0ef7440e00d22f819c1a3567000dd0a73398dc55fe01f5841ca85e6005adf7835d49d5957f79ac2b
-
Filesize
285KB
MD5fedf16f09251d8609500419e3c262080
SHA1ed407237b4a6f6b7145ccd97d4e830bf56b34438
SHA256b376ab7ab350cf1e8af37e54f7184c1e2c28599ef594c76d6e87e996a67e620c
SHA512158d7bdd79a609c7b3332fe5a913fb0c5f84947d3cd05b152a2aca368c6d06372e45a5d9b39789741c2ddbb70e1975cff5ad9641ebb63e028f5ad0433fcce1fc
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB
-
Filesize
3.6MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1024KB
-
Filesize
300KB
-
Filesize
312KB