redline | 92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76

General

Target

92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe
Size

724KB
MD5

deb0f3b739c1833a249a5d2f6f85d787
SHA1

0b7fe66a2d4ccd0ff6762a771a5e1959715a6674
SHA256

92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76
SHA512

3225b1d791805b718739573aec80486a6627fe50822e62b1232b8343bbb5f43ccf3989563afb60258498527a57a169048634dd740ee0200d42cbc3561f2160db
SSDEEP

12288:kMrMy90scq0F2XbX2O1GN2yNvX88vdRIPIObrKCA5EIhAC5HiHn:Yyyq0F2XbGOGN2yp88vdRIwBtOIhg

Score

10^/10

redline fusa discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4920	sNs14Ez.exe
4508	stA92YF.exe
4484	kXo24Km.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sNs14Ez.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sNs14Ez.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	stA92YF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	stA92YF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4484	kXo24Km.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	kXo24Km.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4920	4916	92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe	78
PID 4916 wrote to memory of 4920	4916	92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe	78
PID 4916 wrote to memory of 4920	4916	92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe	78
PID 4920 wrote to memory of 4508	4920	sNs14Ez.exe	79
PID 4920 wrote to memory of 4508	4920	sNs14Ez.exe	79
PID 4920 wrote to memory of 4508	4920	sNs14Ez.exe	79
PID 4508 wrote to memory of 4484	4508	stA92YF.exe	80
PID 4508 wrote to memory of 4484	4508	stA92YF.exe	80
PID 4508 wrote to memory of 4484	4508	stA92YF.exe	80

C:\Users\Admin\AppData\Local\Temp\92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe
"C:\Users\Admin\AppData\Local\Temp\92fbd52b8ff0bb08f29ca970c6cd0e51488c8bc956e86a40fbf6a9a173ecaa76.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sNs14Ez.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sNs14Ez.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stA92YF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stA92YF.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXo24Km.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXo24Km.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sNs14Ez.exe

Filesize
620KB

MD5
96d30e6011774eb4e601066a21c801b1

SHA1
c8358607c2d34cf3ae156221a75f75f09242a502

SHA256
f3d6fd6f68f66a00247442c40b1cf9f5c190b96991d9d0c98de9db3750b437bd

SHA512
8deb7b850a61a7b3b9fe6824e085ae02ce251aaa0f8ba3b21e5dd81e97e8d5151228b45cee71f7eb2294fef2ef71e07069752c94debbf89dcace232eb0743e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sNs14Ez.exe

Filesize
620KB

MD5
96d30e6011774eb4e601066a21c801b1

SHA1
c8358607c2d34cf3ae156221a75f75f09242a502

SHA256
f3d6fd6f68f66a00247442c40b1cf9f5c190b96991d9d0c98de9db3750b437bd

SHA512
8deb7b850a61a7b3b9fe6824e085ae02ce251aaa0f8ba3b21e5dd81e97e8d5151228b45cee71f7eb2294fef2ef71e07069752c94debbf89dcace232eb0743e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stA92YF.exe

Filesize
286KB

MD5
7fb99c0ea0f4e6faf68e75c11eb7d65c

SHA1
a9c422d4a8ff43930990742281458c8c349744f2

SHA256
f105657084d50b085ce5681724998a711f4c41fc947fdd72335d79acdf2183cc

SHA512
187851aa7e25cbccee5c8af7919e5e8b022991b85f3b67f37d96d7e8662f0868dae23110152661dc266bbfbfd3c789e48b337cfd809bf1c5fd181fdee8d6df26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\stA92YF.exe

Filesize
286KB

MD5
7fb99c0ea0f4e6faf68e75c11eb7d65c

SHA1
a9c422d4a8ff43930990742281458c8c349744f2

SHA256
f105657084d50b085ce5681724998a711f4c41fc947fdd72335d79acdf2183cc

SHA512
187851aa7e25cbccee5c8af7919e5e8b022991b85f3b67f37d96d7e8662f0868dae23110152661dc266bbfbfd3c789e48b337cfd809bf1c5fd181fdee8d6df26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXo24Km.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXo24Km.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
memory/4484-145-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/4484-142-0x0000000000A80000-0x0000000000AB2000-memory.dmp

Filesize
200KB

Download
memory/4484-143-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/4484-144-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/4484-146-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/4484-147-0x0000000006700000-0x0000000006CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4484-148-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/4484-149-0x0000000002B10000-0x0000000002B76000-memory.dmp

Filesize
408KB

Download
memory/4484-150-0x0000000006CB0000-0x0000000006E72000-memory.dmp

Filesize
1.8MB

Download
memory/4484-151-0x00000000073B0000-0x00000000078DC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing