redline | 7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502

General

Target

7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe
Size

838KB
MD5

54f095772915884360c9b4bcd1b4e855
SHA1

d868f4b6912c28d130886e02b5a00f65e856da92
SHA256

7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502
SHA512

c38a0633ca8e472d13db0a5c209be2c292f88e67b140dabf2fb53a503b3b2f449219a09a099b7c32284f244b512d354ff1bbbef3f46150949a5d29ce214c42ae
SSDEEP

12288:GMrNy90XfXV7ROFOBlUaUTjSIFYHOQrOmnn8sX+ZA53mK25zLX5DH/tlgmcE4O1J:fyuvqVaUTjhqOQxnnPnmK8DZbiORt

Score

10^/10

redline crypt1 infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

crypt1

C2

176.113.115.17:4132

Attributes

auth_value
2e2ca7bbceaa9f98252a6f9fc0e6fa86

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4380	dDl07.exe
208	dha65.exe
224	dFQ13.exe
4588	lTN32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dDl07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dDl07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dha65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dha65.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 1940	224	dFQ13.exe	83

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	lTN32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4380	732	7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe	79
PID 732 wrote to memory of 4380	732	7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe	79
PID 732 wrote to memory of 4380	732	7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe	79
PID 4380 wrote to memory of 208	4380	dDl07.exe	80
PID 4380 wrote to memory of 208	4380	dDl07.exe	80
PID 4380 wrote to memory of 208	4380	dDl07.exe	80
PID 208 wrote to memory of 224	208	dha65.exe	81
PID 208 wrote to memory of 224	208	dha65.exe	81
PID 208 wrote to memory of 224	208	dha65.exe	81
PID 224 wrote to memory of 1940	224	dFQ13.exe	83
PID 224 wrote to memory of 1940	224	dFQ13.exe	83
PID 224 wrote to memory of 1940	224	dFQ13.exe	83
PID 224 wrote to memory of 1940	224	dFQ13.exe	83
PID 224 wrote to memory of 1940	224	dFQ13.exe	83
PID 208 wrote to memory of 4588	208	dha65.exe	84
PID 208 wrote to memory of 4588	208	dha65.exe	84
PID 208 wrote to memory of 4588	208	dha65.exe	84

C:\Users\Admin\AppData\Local\Temp\7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe
"C:\Users\Admin\AppData\Local\Temp\7ef9ade8d61dfd78938e14e51b9df6b6ebdbd495a36307d58330876d4ae66502.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDl07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDl07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dha65.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dha65.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFQ13.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFQ13.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lTN32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lTN32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDl07.exe

Filesize
734KB

MD5
012b98effd0c207551a81783b2d340b5

SHA1
739b99933cd833f2875204f88cd7f73ef4b499ad

SHA256
c53de99eda3dea68c13d70e9d1fc673e0b1d6e70a58bf7dd512a84ed36b7c741

SHA512
b03185c9677467c2bd96c41301a80d2b2dea062b71c04ee01cf023edb80193fe03a0b8c8e94d2a1096c68eecd3693a330b2298d7eed6140b3cb2a2a392fd0f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dDl07.exe

Filesize
734KB

MD5
012b98effd0c207551a81783b2d340b5

SHA1
739b99933cd833f2875204f88cd7f73ef4b499ad

SHA256
c53de99eda3dea68c13d70e9d1fc673e0b1d6e70a58bf7dd512a84ed36b7c741

SHA512
b03185c9677467c2bd96c41301a80d2b2dea062b71c04ee01cf023edb80193fe03a0b8c8e94d2a1096c68eecd3693a330b2298d7eed6140b3cb2a2a392fd0f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dha65.exe

Filesize
589KB

MD5
d11890038453d65293353524d37d7869

SHA1
524543bfa7e560e535880c1f481cf3711c6a2813

SHA256
b97c526d95a90d7de27d343deab84d0476254d118510b73055a03ff04dea4e38

SHA512
9ffa2e6d8c742cd91c18086fac24212ac23c22d07bb3d8ae3bb8e15b12974c56f480aaada1fe999d1abf69b3303e1ffac1b10d246c8401428d0e1345fccd8bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dha65.exe

Filesize
589KB

MD5
d11890038453d65293353524d37d7869

SHA1
524543bfa7e560e535880c1f481cf3711c6a2813

SHA256
b97c526d95a90d7de27d343deab84d0476254d118510b73055a03ff04dea4e38

SHA512
9ffa2e6d8c742cd91c18086fac24212ac23c22d07bb3d8ae3bb8e15b12974c56f480aaada1fe999d1abf69b3303e1ffac1b10d246c8401428d0e1345fccd8bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFQ13.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFQ13.exe

Filesize
277KB

MD5
3bc6ecb7d1f35f3171383f88879659b7

SHA1
e82887b3d6ab38ae3b8880d6c904244495dcf0cc

SHA256
c95f1ca2230edb615f3365e4c3ad09e4e1940a2c554eaf27c0df2d5bc4fc1068

SHA512
709eb1c1c322c70a2a377324fa1766bfff9a3e1d37db04da240aaab36317d813b6f32f5c0d0a3f8d30f196f132985fce0ec030d5783df3c7bff76a4ccfb4431c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lTN32.exe

Filesize
484KB

MD5
68b10141d93a77733ce23042508b9140

SHA1
ac8276bd1d88bb0cf3e83111efc281bafc88fdbc

SHA256
47cee558a1085210f1bc739ea396233f4bd5f77c233985159f038237c3f9936d

SHA512
984b314c2ac1fc004d7fb0fcc4660b553cb2b045e113e97a51f9ca2b4c0c8d829013554aa22a91eb1f454cbd0b8b7fc0f94da8ddb87598801c0dde569d691bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lTN32.exe

Filesize
484KB

MD5
68b10141d93a77733ce23042508b9140

SHA1
ac8276bd1d88bb0cf3e83111efc281bafc88fdbc

SHA256
47cee558a1085210f1bc739ea396233f4bd5f77c233985159f038237c3f9936d

SHA512
984b314c2ac1fc004d7fb0fcc4660b553cb2b045e113e97a51f9ca2b4c0c8d829013554aa22a91eb1f454cbd0b8b7fc0f94da8ddb87598801c0dde569d691bd4

Download Submit
memory/208-135-0x0000000000000000-mapping.dmp

Download
memory/224-138-0x0000000000000000-mapping.dmp

Download
memory/224-141-0x0000000000173000-0x0000000000175000-memory.dmp

Filesize
8KB

Download
memory/224-142-0x0000000000173000-0x0000000000175000-memory.dmp

Filesize
8KB

Download
memory/1940-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1940-156-0x0000000005220000-0x000000000532A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-159-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/1940-143-0x0000000000000000-mapping.dmp

Download
memory/1940-158-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/4380-132-0x0000000000000000-mapping.dmp

Download
memory/4588-152-0x00000000006E4000-0x0000000000713000-memory.dmp

Filesize
188KB

Download
memory/4588-155-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/4588-154-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/4588-157-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4588-153-0x0000000000650000-0x000000000069B000-memory.dmp

Filesize
300KB

Download
memory/4588-149-0x0000000000000000-mapping.dmp

Download
memory/4588-160-0x00000000006E4000-0x0000000000713000-memory.dmp

Filesize
188KB

Download
memory/4588-161-0x0000000000650000-0x000000000069B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing