Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-12-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
Resource
win10v2004-20241007-en
General
-
Target
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe
-
Size
14.8MB
-
MD5
9e060e31aade7ed35094092769518b80
-
SHA1
90c0b53fda6fa57f85d7fa5055cb9d36e9760633
-
SHA256
5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd
-
SHA512
a5664d4a61fdcfbf0393cfab4b14c5d1ea3f5f2524fd2a9089dda53b05508b491979c5e4bca0e401c2d86483d5c294581a2317da8849415a6324930a86e12847
-
SSDEEP
196608:WcPSoOXHoAjq/S6EEdlVU09Kgp6VuQxH6Iu1rL3ETc44lGWmxuxXdCV:5P4XIAe//EEdjNS4F1SEGWvPCV
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3628-5-0x0000000000400000-0x000000000042E000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3528 set thread context of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85 PID 3528 wrote to memory of 3628 3528 5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"C:\Users\Admin\AppData\Local\Temp\5de5e53fe18a3c5437a4cfe42045a4cba0e9d0bf6aab35aa6bc30a5253fd38dd.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3628
-