redline | f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787

General

Target

f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe
Size

838KB
MD5

8d6b247e8d3fb7f100eb8695b4acaf77
SHA1

03844f5ca6a7f9203825724ac4e32ccb369b31b3
SHA256

f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787
SHA512

ea374fb0007f0021b455d7c80bcf74fb77250fe330164932ee33a6c2430c255ee8ff5ee1a6f89679c22e0347873f8714a044101ff3402c8f6230f9f748e82db9
SSDEEP

12288:YMrPy90m6K8CXPSdLcidfTYCO+rOnbtRwTHakPutNp16eYLU3HSEdAgCC:3yJ6PCGc2f7O+YpRM6quPrHwcRCC

Score

10^/10

redline crypt1 infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

crypt1

C2

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2980	diR63.exe
3468	dlX74.exe
1112	dGi16.exe
5032	lwj96.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	diR63.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dlX74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dlX74.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	diR63.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2784	1112	dGi16.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	AppLaunch.exe
2784	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	lwj96.exe
Token: SeDebugPrivilege	2784	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2980	1016	f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe	79
PID 1016 wrote to memory of 2980	1016	f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe	79
PID 1016 wrote to memory of 2980	1016	f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe	79
PID 2980 wrote to memory of 3468	2980	diR63.exe	80
PID 2980 wrote to memory of 3468	2980	diR63.exe	80
PID 2980 wrote to memory of 3468	2980	diR63.exe	80
PID 3468 wrote to memory of 1112	3468	dlX74.exe	81
PID 3468 wrote to memory of 1112	3468	dlX74.exe	81
PID 3468 wrote to memory of 1112	3468	dlX74.exe	81
PID 1112 wrote to memory of 2784	1112	dGi16.exe	83
PID 1112 wrote to memory of 2784	1112	dGi16.exe	83
PID 1112 wrote to memory of 2784	1112	dGi16.exe	83
PID 1112 wrote to memory of 2784	1112	dGi16.exe	83
PID 1112 wrote to memory of 2784	1112	dGi16.exe	83
PID 3468 wrote to memory of 5032	3468	dlX74.exe	84
PID 3468 wrote to memory of 5032	3468	dlX74.exe	84
PID 3468 wrote to memory of 5032	3468	dlX74.exe	84

C:\Users\Admin\AppData\Local\Temp\f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe
"C:\Users\Admin\AppData\Local\Temp\f9a74c4f0566f6f2095cb8224c2e76adcbae051a1d0b649e0af3eccb1d468787.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diR63.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diR63.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlX74.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlX74.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGi16.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGi16.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lwj96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lwj96.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diR63.exe

Filesize
734KB

MD5
f200453462c5f5d1b2a92ad47d913849

SHA1
4829ab60cc2858cae1d6aefc2939633bd51bc871

SHA256
faaf8d0f68f79f559e03d49486055670700b583202d3b8211d90ceb820b84750

SHA512
f743970d12dff5e50bae69032d48e0841a0b11211ab9be7fdd659607f15fabb10cf2c4e6b2565cdf529a76df7c505095ce6185972575ae1b0926b72395d18614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\diR63.exe

Filesize
734KB

MD5
f200453462c5f5d1b2a92ad47d913849

SHA1
4829ab60cc2858cae1d6aefc2939633bd51bc871

SHA256
faaf8d0f68f79f559e03d49486055670700b583202d3b8211d90ceb820b84750

SHA512
f743970d12dff5e50bae69032d48e0841a0b11211ab9be7fdd659607f15fabb10cf2c4e6b2565cdf529a76df7c505095ce6185972575ae1b0926b72395d18614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlX74.exe

Filesize
589KB

MD5
e30daeaa53c12fceca6cb6b0da45bb8b

SHA1
6ad664a911619f80f06e68e96e4f37265f39d05c

SHA256
e844222aaee4cc87efc230af71a848b62b7286bea7f4beb7621e0166d83c7c3e

SHA512
a94c5df08b5252db1bcc9e2ea3e186b7071a9b46894849e58876c9dfadfdc42c37e43a8ff33fb52ad5c4735e43d147ee37c73fe65c8dd1c60209830006649da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dlX74.exe

Filesize
589KB

MD5
e30daeaa53c12fceca6cb6b0da45bb8b

SHA1
6ad664a911619f80f06e68e96e4f37265f39d05c

SHA256
e844222aaee4cc87efc230af71a848b62b7286bea7f4beb7621e0166d83c7c3e

SHA512
a94c5df08b5252db1bcc9e2ea3e186b7071a9b46894849e58876c9dfadfdc42c37e43a8ff33fb52ad5c4735e43d147ee37c73fe65c8dd1c60209830006649da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGi16.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGi16.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lwj96.exe

Filesize
484KB

MD5
67fc4155065f855ee44b2d7d1ae7fa36

SHA1
5735b62947b4e9e430fb64af0b2b07f7f6f06740

SHA256
110c64fa68b2ffb9df302a04ccec5167715aef0c979bf212bd4b4e6300fcaaf0

SHA512
e4e77baad1c95ee9ca8ee012b52e9ec864ffae6b0c5c40c7ab160d091dd1e99d5c0ea921de3514b0bc8673f311dea42f0f27c7f8447df7d710763e92699f6ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lwj96.exe

Filesize
484KB

MD5
67fc4155065f855ee44b2d7d1ae7fa36

SHA1
5735b62947b4e9e430fb64af0b2b07f7f6f06740

SHA256
110c64fa68b2ffb9df302a04ccec5167715aef0c979bf212bd4b4e6300fcaaf0

SHA512
e4e77baad1c95ee9ca8ee012b52e9ec864ffae6b0c5c40c7ab160d091dd1e99d5c0ea921de3514b0bc8673f311dea42f0f27c7f8447df7d710763e92699f6ab9

Download Submit
memory/2784-158-0x00000000060E0000-0x0000000006172000-memory.dmp

Filesize
584KB

Download
memory/2784-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2784-162-0x0000000007650000-0x0000000007B7C000-memory.dmp

Filesize
5.2MB

Download
memory/2784-150-0x0000000005AC0000-0x00000000060D8000-memory.dmp

Filesize
6.1MB

Download
memory/2784-151-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/2784-152-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/2784-153-0x00000000055B0000-0x00000000055EC000-memory.dmp

Filesize
240KB

Download
memory/2784-161-0x0000000006F50000-0x0000000007112000-memory.dmp

Filesize
1.8MB

Download
memory/2784-159-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/5032-157-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/5032-156-0x0000000000730000-0x000000000077B000-memory.dmp

Filesize
300KB

Download
memory/5032-155-0x00000000007B4000-0x00000000007E3000-memory.dmp

Filesize
188KB

Download
memory/5032-160-0x00000000007B4000-0x00000000007E3000-memory.dmp

Filesize
188KB

Download
memory/5032-154-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing