Analysis
-
max time kernel
110s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 13:12
Static task
static1
Behavioral task
behavioral1
Sample
189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe
Resource
win10v2004-20241007-en
General
-
Target
189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe
-
Size
4.6MB
-
MD5
f435c670b596d1b0357a5cbc3631f868
-
SHA1
70d31dafdf36c1f62a1bffc7133be0d1abf2fb77
-
SHA256
189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084
-
SHA512
7ac0c8c4021bc93c4f3fd3b070e7b1ecee8ba9fb8956f9194dc433280aacdeee66e11ae436545bdc585367417dff7be5cc455466b59a340dd46e2e7ff78a7423
-
SSDEEP
98304:hLcsH0pPcUEG4n+yCTvqDL8b8CEvrCYdZtpnn3tHaH:APcUEdn+yMiDYYCsrtpn3laH
Malware Config
Extracted
redline
@noilase
92.119.113.189:21746
-
auth_value
de713911efa818890ac36085c9a0fc58
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1588-9-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
Redline family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1884 set thread context of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86 -
Program crash 1 IoCs
pid pid_target Process procid_target 2828 1884 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1884 wrote to memory of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86 PID 1884 wrote to memory of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86 PID 1884 wrote to memory of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86 PID 1884 wrote to memory of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86 PID 1884 wrote to memory of 1588 1884 189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe"C:\Users\Admin\AppData\Local\Temp\189d4453d51c214fb933adad46d8bd13c1f5999099d6e774ba536efee4543084.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2642⤵
- Program crash
PID:2828
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1884 -ip 18841⤵PID:2128
Network
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request140.121.18.2.in-addr.arpaIN PTRResponse140.121.18.2.in-addr.arpaIN PTRa2-18-121-140deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request138.121.18.2.in-addr.arpaIN PTRResponse138.121.18.2.in-addr.arpaIN PTRa2-18-121-138deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
140.121.18.2.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
138.121.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa