redline | 498063df1a178cf85f89062cdeca2a8f26cd93ff90d246e027d58f8972868303

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWormLoader.exe
Size

684KB
MD5

e8e0065b1cade61de10069945bd335fa
SHA1

5076539e3ff6c7daa4af5c5abce274e3d8efb1d6
SHA256

498063df1a178cf85f89062cdeca2a8f26cd93ff90d246e027d58f8972868303
SHA512

b89dee4c730480e9283759ec94e2d58c76e187e914af6382b1c630a549546bf979c1f36d751e51d32f6fc3468a382ac92a0947e05eb0f7f187b341b2d9f908cb
SSDEEP

12288:zrUQw+2uPHL2hWsL94HPkH+oG7kSKT5TKk:wVuPr2hWsL94y+oG1K5ek

Score

10^/10

redline discovery infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1592-9-0x0000000000960000-0x00000000009B6000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 1 IoCs

pid	Process
1592	build.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1592	1980	XWormLoader.exe	77
PID 1980 wrote to memory of 1592	1980	XWormLoader.exe	77
PID 1980 wrote to memory of 1592	1980	XWormLoader.exe	77

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
memory/1592-9-0x0000000000960000-0x00000000009B6000-memory.dmp

Filesize
344KB

Download
memory/1592-13-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1592-14-0x0000000074E20000-0x00000000755D1000-memory.dmp

Filesize
7.7MB

Download
memory/1592-15-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/1592-16-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/1592-17-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/1592-18-0x0000000004F10000-0x0000000004F4C000-memory.dmp

Filesize
240KB

Download
memory/1592-19-0x0000000004F70000-0x0000000004FBC000-memory.dmp

Filesize
304KB

Download
memory/1592-20-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1592-21-0x0000000074E20000-0x00000000755D1000-memory.dmp

Filesize
7.7MB

Download
memory/1980-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download