Overview

Tasks (score, sample, platform):
- Static: score 10
- e4a200fc3d...97.exe on windows10-ltsc_2021-x64: score 3
- e4a200fc3d...97.exe on windows10-2004-x64: score 10
- e4a200fc3d...97.exe on windows10-ltsc_2021-x64: score 10
- e4a200fc3d...97.exe on windows11-21h2-x64: score 10
- e4a200fc3d...97.exe on android-10-x64: score 10
- e4a200fc3d...97.exe on android-13-x64
- e4a200fc3d...97.exe on macos-10.15-amd64
- e4a200fc3d...97.exe on ubuntu-18.04-amd64
- e4a200fc3d...97.exe on debian-9-armhf
- e4a200fc3d...97.exe on debian-9-mips
- e4a200fc3d...97.exe on debian-9-mipsel
Analysis
- max time kernel: 101s
- max time network: 116s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31/03/2025, 16:30
Static task
- static1

Behavioral tasks (sample e4a200fc3da152d2b8c48f6e19b8ec97.exe in every task)
- behavioral1: resource win10ltsc2021-20250314-en
- behavioral2: resource win10v2004-20250314-en
- behavioral3: resource win10ltsc2021-20250314-en
- behavioral4: resource win11-20250313-en
- behavioral5: resource android-x64-20240910-en
- behavioral6: resource android-33-x64-arm64-20240910-en
- behavioral7: resource macos-20241106-en
- behavioral8: resource ubuntu1804-amd64-20240611-en
- behavioral9: resource debian9-armhf-20240611-en
- behavioral10: resource debian9-mipsbe-20240611-en
- behavioral11: resource debian9-mipsel-20240611-en
General
- Target: e4a200fc3da152d2b8c48f6e19b8ec97.exe
- Size: 787KB
- MD5: e4a200fc3da152d2b8c48f6e19b8ec97
- SHA1: 6104b851cccad3628b12d4ca136b8f364bbd3d35
- SHA256: 95d29f64d0106c91070bcd511f78f6cf29d35cdb8cbbd97cfdfdcf61e422b4da
- SHA512: d704391d9a566a889398af1d119e46aecfa9421802cb14785847a64d4848874f2b65aed132d955f624a848fead5b2cb48a9805c90d5df2e230064775f6f015ea
- SSDEEP: 6144:YMOuBuN9xo1rFJLgGu8BWsijyckMnCgstzX29Hr13PKLeifjdUQhNZ:YMOuBuN9xoS8BWHjVktgMOHh3PKyGf
Malware Config
Extracted
- Family: redline
- Botnet: cheat
- C2: 172.31.9.183:29120
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral4/memory/4360-12-0x0000000000400000-0x000000000041E000-memory.dmp, yara_rule: family_redline
- Redline family
- SectopRAT payload (1 IoC)
  resource: behavioral4/memory/4360-12-0x0000000000400000-0x000000000041E000-memory.dmp, yara_rule: family_sectoprat
- Sectoprat family
- Suspicious use of SetThreadContext (1 IoC)
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) set thread context of 4360, procid_target 83
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2984, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
  PID 2984, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2984, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Token: SeDebugPrivilege, PID 4360, process e4a200fc3da152d2b8c48f6e19b8ec97.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 2416, procid_target 82
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 2416, procid_target 82
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 2416, procid_target 82
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
  PID 2984 (e4a200fc3da152d2b8c48f6e19b8ec97.exe) wrote to memory of 4360, procid_target 83
Processes
- C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe bcdedit /c set shutdown /r readonly /f force /t 2
  PID: 2984
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe"
    PID: 2416
  - C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e4a200fc3da152d2b8c48f6e19b8ec97.exe"
    PID: 4360
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e4a200fc3da152d2b8c48f6e19b8ec97.exe.log
  Filesize: 1KB
  MD5: 7e1ed0055c3eaa0bbc4a29ec1ef15a6a
  SHA1: 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d
  SHA256: 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce
  SHA512: de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8