Overview
overview
10Static
static
101/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
101/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
31/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
101/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
51/5297372f...33.exe
windows10-2004-x64
51/68292f38...e4.exe
windows7-x64
31/68292f38...e4.exe
windows10-2004-x64
101/6da4696b...e5.exe
windows7-x64
71/6da4696b...e5.exe
windows10-2004-x64
7Resubmissions
11-12-2024 15:32
241211-sy44nssrdm 1009-08-2024 21:57
240809-1t1vfs1cpm 1006-08-2024 13:01
240806-p9f97szdlm 1006-08-2024 12:52
240806-p3672stdkg 1006-08-2024 12:29
240806-ppa8fsygqr 1006-08-2024 12:26
240806-pmc92ashlh 10Analysis
-
max time kernel
133s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 15:32
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral6
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral30
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
-
Size
765KB
-
MD5
a8e583583122cff4ea57a3062bb4aa3f
-
SHA1
b4a4bee8dbc966624f43273a500aa0ec1bbf1790
-
SHA256
68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4
-
SHA512
3c1205a23cb737ab7d81377672954e55e3adae6858bb1ba1eaae80669ef8957487090cacf2fdb6377c9bdf0cf7af27ede3e788f1dd767ded7d16aea484ca6d91
-
SSDEEP
12288:6WgLNqLMg5tqimUsu8l5hs4PShE9EZnuKFqik7/6VVu+mvd789LjQg6xOVw:vgLNqLMJimUsu8lw4PShgOuKFqizgduE
Malware Config
Extracted
redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi
https://steamcommunity.com/profiles/76561199038841443
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral30/memory/2704-1-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
Redline family
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1636 set thread context of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe 2704 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2704 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83 PID 1636 wrote to memory of 2704 1636 68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe"C:\Users\Admin\AppData\Local\Temp\1\68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-