redline | 0e932b85a279881dc2dbf643c3998110222fb0344b9a451af2ade01cbd7f35b1

General

Target

file.exe
Size

797KB
MD5

33ce6988ab0cb0eb3b229ebdfddc9e83
SHA1

0d06f8491bf61a16b917a2829dc952fae6ac37af
SHA256

0e932b85a279881dc2dbf643c3998110222fb0344b9a451af2ade01cbd7f35b1
SHA512

cea4e1e84fb5d3459b019e415e28b40e632f0c4c1356369572f7ba3e6ed60d1519ccd24f0be478404a673836dfc0c4179ae3d857ca48401cc23de829a2eca312
SSDEEP

12288:ZMr6y90r4dSVQLMzz1Tj1zK9//beJeOJ6L72bk3BDbXqmCZnsYoJ34CRB8/UWgcS:TyoVQQzzb2GqX2batb7CZsYolHR19

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
240	gYK93uz.exe
520	grY80cQ.exe
3464	azO12Uo.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	grY80cQ.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gYK93uz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gYK93uz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	grY80cQ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 240	2100	file.exe	78
PID 2100 wrote to memory of 240	2100	file.exe	78
PID 2100 wrote to memory of 240	2100	file.exe	78
PID 240 wrote to memory of 520	240	gYK93uz.exe	79
PID 240 wrote to memory of 520	240	gYK93uz.exe	79
PID 240 wrote to memory of 520	240	gYK93uz.exe	79
PID 520 wrote to memory of 3464	520	grY80cQ.exe	80
PID 520 wrote to memory of 3464	520	grY80cQ.exe	80
PID 520 wrote to memory of 3464	520	grY80cQ.exe	80

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gYK93uz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gYK93uz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\grY80cQ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\grY80cQ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\azO12Uo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\azO12Uo.exe
      4⤵
      Executes dropped EXE
      PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gYK93uz.exe

Filesize
693KB

MD5
d999fece20700976f1483237ebdc4b50

SHA1
930d3f2bc323d5cace1f03e2d681a42b3593ad0a

SHA256
071bfbb050b677960ee4a58bd0450df9755efe89599dfc565fc04d6b6b7d0b25

SHA512
52f3dfd5d471fa86e38786c2eb2ad656d4b460e9f987534708bee78a67889665df5900c245b4a0c2d685001701785d3ea25a5bd06c2fafd5d4fe0c0d8a94e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gYK93uz.exe

Filesize
693KB

MD5
d999fece20700976f1483237ebdc4b50

SHA1
930d3f2bc323d5cace1f03e2d681a42b3593ad0a

SHA256
071bfbb050b677960ee4a58bd0450df9755efe89599dfc565fc04d6b6b7d0b25

SHA512
52f3dfd5d471fa86e38786c2eb2ad656d4b460e9f987534708bee78a67889665df5900c245b4a0c2d685001701785d3ea25a5bd06c2fafd5d4fe0c0d8a94e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\grY80cQ.exe

Filesize
286KB

MD5
6fb36304199ed2a8e517727914ead17d

SHA1
11f732a94318ddc71610bde8f62cd5d095c10e98

SHA256
95e51d78b486af6898127935afbd4ba25ed11911171aef5b9ea4d4e7b3e4d5a7

SHA512
5de966be2c87093ac5a40151930aa1e69170b689a675a4b4cc86500e0d35886086ad5e5cfd3c95f0fc3490045459c2ac6e7a96adf204b673c9a95f2c457ae995

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\grY80cQ.exe

Filesize
286KB

MD5
6fb36304199ed2a8e517727914ead17d

SHA1
11f732a94318ddc71610bde8f62cd5d095c10e98

SHA256
95e51d78b486af6898127935afbd4ba25ed11911171aef5b9ea4d4e7b3e4d5a7

SHA512
5de966be2c87093ac5a40151930aa1e69170b689a675a4b4cc86500e0d35886086ad5e5cfd3c95f0fc3490045459c2ac6e7a96adf204b673c9a95f2c457ae995

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\azO12Uo.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\azO12Uo.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/3464-141-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

Filesize
200KB

Download
memory/3464-142-0x0000000005C50000-0x0000000006268000-memory.dmp

Filesize
6.1MB

Download
memory/3464-143-0x0000000005740000-0x000000000584A000-memory.dmp

Filesize
1.0MB

Download
memory/3464-144-0x0000000005650000-0x0000000005662000-memory.dmp

Filesize
72KB

Download
memory/3464-145-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/3464-146-0x0000000006920000-0x0000000006EC4000-memory.dmp

Filesize
5.6MB

Download
memory/3464-147-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/3464-148-0x0000000006510000-0x0000000006576000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing