Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win10v2004-20241007-en
General
-
Target
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
-
Size
14.8MB
-
MD5
9e060e31aade7ed35094092769518b80
-
SHA1
90c0b53fda6fa57f85d7fa5055cb9d36e9760633
-
SHA256
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd
-
SHA512
a5664d4a61fdcfbf0393cfab4b14c5d1ea3f5f2524fd2a9089dda53b05508b491979c5e4bca0e401c2d86483d5c294581a2317da8849415a6324930a86e12847
-
SSDEEP
196608:WcPSoOXHoAjq/S6EEdlVU09Kgp6VuQxH6Iu1rL3ETc44lGWmxuxXdCV:5P4XIAe//EEdjNS4F1SEGWvPCV
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/memory/1688-22-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline behavioral1/memory/1688-17-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline behavioral1/memory/1688-13-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline behavioral1/memory/1688-12-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline behavioral1/memory/1688-9-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline behavioral1/memory/1688-7-0x0000000000080000-0x00000000000AE000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1148 set thread context of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28 PID 1148 wrote to memory of 1688 1148 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1688
-