Overview
overview
10Static
static
101/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
101/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
31/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
101/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
51/5297372f...33.exe
windows10-2004-x64
51/68292f38...e4.exe
windows7-x64
31/68292f38...e4.exe
windows10-2004-x64
101/6da4696b...e5.exe
windows7-x64
71/6da4696b...e5.exe
windows10-2004-x64
7Resubmissions
11-12-2024 15:32
241211-sy44nssrdm 1009-08-2024 21:57
240809-1t1vfs1cpm 1006-08-2024 13:01
240806-p9f97szdlm 1006-08-2024 12:52
240806-p3672stdkg 1006-08-2024 12:29
240806-ppa8fsygqr 1006-08-2024 12:26
240806-pmc92ashlh 10Analysis
-
max time kernel
127s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 15:32
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral30
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
-
Size
338KB
-
MD5
6f1e400bcf79c773832b3ca2aab94d3d
-
SHA1
8a1724e7f0df1b8bb22413751908b76f72498121
-
SHA256
2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c
-
SHA512
2459d2e2b39987ebcf635a2867b67d8b5ae7c865157fe1ad32513fb0dcae0d226532d2416d4fc23c347add8a9d741ba3d15e662c3e2a01cf316046b1fab1254a
-
SSDEEP
6144:mY1jumalKcYdvkMEdRE29UHYOhQWr6vSuwgeBNsCri5rg/73LM+L2di8bEO:maEKc+kMcIOauwgeBPi5rgz3L4i8bEO
Malware Config
Extracted
redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi
https://steamcommunity.com/profiles/76561199038841443
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral14/memory/4436-1-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Redline family
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5116 set thread context of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe 4436 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4436 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83 PID 5116 wrote to memory of 4436 5116 2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe"C:\Users\Admin\AppData\Local\Temp\1\2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436
-