Analysis
- max time kernel: 110s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2024 04:37
Static task: static1
Behavioral task: behavioral1
Sample: 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe
Resource: win10v2004-20241007-en
General
- Target: 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe
- Size: 661KB
- MD5: cc32233b09cb20f00ee3ddd4f2431080
- SHA1: 741ef255182db60805e506930429a0ff62b2e765
- SHA256: 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0
- SHA512: 8cba0ca0ee92b78c0a5f8c3c4164c8fb1df9899d1c138f356d94ee37842b47653e9d7a69d961788f39c5dc4513283a15e487803197e3b92326430cec9dff706f
- SSDEEP: 12288:7MrDy90yKA2u6MURYyWXmribg7+yo0WwMSbK6oNyXk1gLDNyTiKwp+:EyouPbg7+ihHog0aZyThx
Malware Config
Extracted
- Family: redline
- Botnet: romik
- C2: 193.233.20.12:4132
- auth_value: 8fb78d2889ba0ca42678b59b884e88ff
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (35 IoCs)
  resource / yara_rule: memory dumps of process 4700 (dLT23.exe) matching the family_redline YARA rule
- Redline family
- Executes dropped EXE (2 IoCs)
  pid / Process:
  3836 vDa05.exe
  4700 dLT23.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: description: ioc
  9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  vDa05.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Note: both RunOnce values are the standard cleanup entries written by the Windows wextract self-extractor (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00n.TMP extraction folder on next logon); they are a side effect of the nested self-extracting wrappers rather than persistence for the RedLine payload.
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process: description: ioc
  dLT23.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  vDa05.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege | 4700 | dLT23.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target:
  PID 768 wrote to memory of 3836 | 768 | 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe | 83
  PID 768 wrote to memory of 3836 | 768 | 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe | 83
  PID 768 wrote to memory of 3836 | 768 | 9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe | 83
  PID 3836 wrote to memory of 4700 | 3836 | vDa05.exe | 84
  PID 3836 wrote to memory of 4700 | 3836 | vDa05.exe | 84
  PID 3836 wrote to memory of 4700 | 3836 | vDa05.exe | 84
Processes
[1] Image: C:\Users\Admin\AppData\Local\Temp\9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9a21af2479e436cc8a43643396529352c98b4224e44f3399abd57e557f65a0d0N.exe"
    PID: 768
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDa05.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vDa05.exe
        PID: 3836
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLT23.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLT23.exe
            PID: 4700
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 516KB
  MD5: d1a9779f3849be97f602613c3437b6de
  SHA1: 7f46f5fe2a5bc68cf6c60f0f74d4aed852ff3578
  SHA256: 82137a5873220c2f6118fb9eb3b7dac5afe742bcd32038ba1a35e99e9b926276
  SHA512: ec879e1a3389ab56edafc4e7e2a918427ffe004bf14b67a0bb9152601dd5ad62c65b23d869bf3d1bb2f6010bf1bf2aed5f99474e706a64acf54f7528abcb4d0f
- Filesize: 297KB
  MD5: 4e5f11ab053ba84afdb53d293e3f0451
  SHA1: 0b1943f24b6beb1b6c5244655ef6931b79e476f8
  SHA256: 51b6d7f9d900542f8c4329503c112c27a51be10e817762f732db63d6553831df
  SHA512: 02b0bacc7c76e151794ae77c59bb1be3cb522f2694eda553b6bfcfddb4a6732e27799e6cb80ef378dc732bdf64fd787c0ab71a2cd043af6c685c36fc5adb8549