Analysis

  • max time kernel
    110s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 13:12

General

  • Target

    189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe

  • Size

    4.6MB

  • MD5

    f435c670b596d1b0357a5cbc3631f868

  • SHA1

    70d31dafdf36c1f62a1bffc7133be0d1abf2fb77

  • SHA256

    189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084

  • SHA512

    7ac0c8c4021bc93c4f3fd3b070e7b1ecee8ba9fb8956f9194dc433280aacdeee66e11ae436545bdc585367417dff7be5cc455466b59a340dd46e2e7ff78a7423

  • SSDEEP

    98304:hLcsH0pPcUEG4n+yCTvqDL8b8CEvrCYdZtpnn3tHaH:APcUEdn+yMiDYYCsrtpn3laH

Malware Config

Extracted

  • Family
    redline
  • Botnet
    @noilase
  • C2
    92.119.113.189:21746
  • Attributes
    • auth_value
      de713911efa818890ac36085c9a0fc58

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe (PID 1884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1588, child of 1884)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      • System Location Discovery: System Language Discovery
    • C:\Windows\SysWOW64\WerFault.exe (PID 2828, child of 1884)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 264
      • Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 2128)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1884 -ip 1884

Network

  DNS lookups (all sent to 8.8.8.8:53)

  • 217.106.137.52.in-addr.arpa
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • 140.121.18.2.in-addr.arpa
    Request: 140.121.18.2.in-addr.arpa IN PTR
    Response: 140.121.18.2.in-addr.arpa IN PTR a2-18-121-140.deploy.static.akamaitechnologies.com
  • 136.32.126.40.in-addr.arpa
    Request: 136.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • 95.221.229.192.in-addr.arpa
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • 53.210.109.20.in-addr.arpa
    Request: 53.210.109.20.in-addr.arpa IN PTR
    Response: (empty)
  • 18.31.95.13.in-addr.arpa
    Request: 18.31.95.13.in-addr.arpa IN PTR
    Response: (empty)
  • 138.121.18.2.in-addr.arpa
    Request: 138.121.18.2.in-addr.arpa IN PTR
    Response: 138.121.18.2.in-addr.arpa IN PTR a2-18-121-138.deploy.static.akamaitechnologies.com
  • 48.229.111.52.in-addr.arpa
    Request: 48.229.111.52.in-addr.arpa IN PTR
    Response: (empty)

  Connections

    Remote address         Process / query                Protocol   Sent    Received   Packets (sent / received)
    92.119.113.189:21746   AppLaunch.exe                             260 B              5
    92.119.113.189:21746   AppLaunch.exe                             260 B              5
    92.119.113.189:21746   AppLaunch.exe                             260 B              5
    92.119.113.189:21746   AppLaunch.exe                             260 B              5
    92.119.113.189:21746   AppLaunch.exe                             208 B              4
    8.8.8.8:53             217.106.137.52.in-addr.arpa    dns        73 B    147 B      1 / 1
    8.8.8.8:53             140.121.18.2.in-addr.arpa      dns        71 B    135 B      1 / 1
    8.8.8.8:53             95.221.229.192.in-addr.arpa    dns        73 B    144 B      1 / 1
    8.8.8.8:53             136.32.126.40.in-addr.arpa     dns        72 B    158 B      1 / 1
    8.8.8.8:53             53.210.109.20.in-addr.arpa     dns        72 B    158 B      1 / 1
    8.8.8.8:53             18.31.95.13.in-addr.arpa       dns        70 B    144 B      1 / 1
    8.8.8.8:53             138.121.18.2.in-addr.arpa      dns        71 B    135 B      1 / 1
    8.8.8.8:53             48.229.111.52.in-addr.arpa     dns        72 B    158 B      1 / 1

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1588-20-0x00000000747B0000-0x0000000074F60000-memory.dmp (Filesize 7.7MB)
  • memory/1588-16-0x0000000005690000-0x0000000005CA8000-memory.dmp (Filesize 6.1MB)
  • memory/1588-9-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
  • memory/1588-23-0x00000000747BE000-0x00000000747BF000-memory.dmp (Filesize 4KB)
  • memory/1588-21-0x00000000051C0000-0x000000000520C000-memory.dmp (Filesize 304KB)
  • memory/1588-19-0x0000000005180000-0x00000000051BC000-memory.dmp (Filesize 240KB)
  • memory/1588-18-0x0000000005250000-0x000000000535A000-memory.dmp (Filesize 1.0MB)
  • memory/1588-15-0x00000000747BE000-0x00000000747BF000-memory.dmp (Filesize 4KB)
  • memory/1588-24-0x00000000747B0000-0x0000000074F60000-memory.dmp (Filesize 7.7MB)
  • memory/1588-17-0x00000000050E0000-0x00000000050F2000-memory.dmp (Filesize 72KB)
  • memory/1884-4-0x0000000002860000-0x0000000002861000-memory.dmp (Filesize 4KB)
  • memory/1884-2-0x0000000002840000-0x0000000002841000-memory.dmp (Filesize 4KB)
  • memory/1884-22-0x0000000000C35000-0x0000000000EAE000-memory.dmp (Filesize 2.5MB)
  • memory/1884-3-0x0000000002850000-0x0000000002851000-memory.dmp (Filesize 4KB)
  • memory/1884-0-0x0000000000AC0000-0x0000000000AC1000-memory.dmp (Filesize 4KB)
  • memory/1884-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp (Filesize 4KB)
  • memory/1884-5-0x0000000002870000-0x0000000002871000-memory.dmp (Filesize 4KB)
  • memory/1884-14-0x0000000000C00000-0x0000000001098000-memory.dmp (Filesize 4.6MB)
  • memory/1884-7-0x0000000000C35000-0x0000000000EAE000-memory.dmp (Filesize 2.5MB)
  • memory/1884-6-0x0000000000C00000-0x0000000001098000-memory.dmp (Filesize 4.6MB)
