Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 13:18
Static task
static1
Behavioral task
behavioral1
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win10v2004-20241007-en
General
-
Target
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
-
Size
14.8MB
-
MD5
9e060e31aade7ed35094092769518b80
-
SHA1
90c0b53fda6fa57f85d7fa5055cb9d36e9760633
-
SHA256
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd
-
SHA512
a5664d4a61fdcfbf0393cfab4b14c5d1ea3f5f2524fd2a9089dda53b05508b491979c5e4bca0e401c2d86483d5c294581a2317da8849415a6324930a86e12847
-
SSDEEP
196608:WcPSoOXHoAjq/S6EEdlVU09Kgp6VuQxH6Iu1rL3ETc44lGWmxuxXdCV:5P4XIAe//EEdjNS4F1SEGWvPCV
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/memory/2676-10-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline behavioral1/memory/2676-21-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline behavioral1/memory/2676-8-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline behavioral1/memory/2676-17-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline behavioral1/memory/2676-13-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline behavioral1/memory/2676-12-0x00000000000D0000-0x00000000000FE000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2748 set thread context of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31 PID 2748 wrote to memory of 2676 2748 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2676
-