redline | fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4

General

Target

fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe
Size

472KB
MD5

48e6a8f6455468fdee319f8805cbcabf
SHA1

dd919127c4dbb7e0f050f810c31b55a3b0f9bd37
SHA256

fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4
SHA512

a915666a265a5acb5965a118e38aeec02091c94920b28ac990ad5a45ef0155931a6bbb41c8521148ad2001ed502bd7e36865196ed23145da914e8835bcc83186
SSDEEP

6144:KMy+bnr+2p0yN90QEdXdT6VBouFo+yWkywF4+v54ObjdMTxrf1ZtlxL0y/CAgvv/:8Mrey90zh6VC++QObjUrffJTCju0Dv

Score

10^/10

redline fusa infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3516	nsr85.exe
4824	brT09.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nsr85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nsr85.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3516	1584	fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe	78
PID 1584 wrote to memory of 3516	1584	fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe	78
PID 1584 wrote to memory of 3516	1584	fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe	78
PID 3516 wrote to memory of 4824	3516	nsr85.exe	79
PID 3516 wrote to memory of 4824	3516	nsr85.exe	79
PID 3516 wrote to memory of 4824	3516	nsr85.exe	79

C:\Users\Admin\AppData\Local\Temp\fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe
"C:\Users\Admin\AppData\Local\Temp\fc458371368ddd5d1cca2954a55ee367c048c8c8bd936d3cd2deceec2fed81b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsr85.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsr85.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\brT09.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\brT09.exe
    3⤵
    - Executes dropped EXE
    PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsr85.exe

Filesize
202KB

MD5
4fab0e53fdfe5baafcd07d213aa28554

SHA1
9667fd2cbdfe727d4bfebb9846251432837d783a

SHA256
77303f95cddb7cc6134939b4caa0d1ffb0b8d99295296b7442df47f82e61c697

SHA512
66a82fac4abfb880d1830eb927395d3a233942bfb01e966a256d2f214cf4d1d18788fd7181f4e321dda8ab695fe472b09ac94ebf0797db0f449546cc4aaca884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nsr85.exe

Filesize
202KB

MD5
4fab0e53fdfe5baafcd07d213aa28554

SHA1
9667fd2cbdfe727d4bfebb9846251432837d783a

SHA256
77303f95cddb7cc6134939b4caa0d1ffb0b8d99295296b7442df47f82e61c697

SHA512
66a82fac4abfb880d1830eb927395d3a233942bfb01e966a256d2f214cf4d1d18788fd7181f4e321dda8ab695fe472b09ac94ebf0797db0f449546cc4aaca884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\brT09.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\brT09.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
memory/4824-141-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/4824-139-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download
memory/4824-140-0x0000000005BC0000-0x00000000061D8000-memory.dmp

Filesize
6.1MB

Download
memory/4824-142-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/4824-143-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/4824-144-0x0000000006790000-0x0000000006D34000-memory.dmp

Filesize
5.6MB

Download
memory/4824-145-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4824-146-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/4824-147-0x0000000006D40000-0x0000000006F02000-memory.dmp

Filesize
1.8MB

Download
memory/4824-148-0x0000000007440000-0x000000000796C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing