redline | f14d1779017aff6e3bf7fc9119ee7c249963ae76ecbd6063668fadc4606aa844

General

Target

file.exe
Size

719KB
MD5

c458bcae292a9daf3f12378b00fb58e3
SHA1

0adafa64e4dd666f289fd966ca7094e89227835c
SHA256

f14d1779017aff6e3bf7fc9119ee7c249963ae76ecbd6063668fadc4606aa844
SHA512

4a414e0f8db62b00dd69f5685b81298cd8df260381dfb7fd8963d6aee6897dbbfa8cea6a97de8940fd111036b576315776f0b67ab038db0f41bffd261ed9db24
SSDEEP

12288:5MrWy90sCetxylqGEqncq5XIMzeJQmxk8Fyqg5gZ7J0T1wb/zm:rySqylqGqq5XIbQkYHeZ90Bwby

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
204	gks49bJ.exe
996	gtZ45cO.exe
3656	ajv81jC.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gks49bJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gks49bJ.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gtZ45cO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gtZ45cO.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 204	2164	file.exe	78
PID 2164 wrote to memory of 204	2164	file.exe	78
PID 2164 wrote to memory of 204	2164	file.exe	78
PID 204 wrote to memory of 996	204	gks49bJ.exe	79
PID 204 wrote to memory of 996	204	gks49bJ.exe	79
PID 204 wrote to memory of 996	204	gks49bJ.exe	79
PID 996 wrote to memory of 3656	996	gtZ45cO.exe	80
PID 996 wrote to memory of 3656	996	gtZ45cO.exe	80
PID 996 wrote to memory of 3656	996	gtZ45cO.exe	80

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gks49bJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gks49bJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtZ45cO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtZ45cO.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ajv81jC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ajv81jC.exe
      4⤵
      Executes dropped EXE
      PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gks49bJ.exe

Filesize
615KB

MD5
e4365942361e642dd324a4bc6a53b3be

SHA1
fc6ed1d1d53b63c690ae95105c3c9981b9a750aa

SHA256
4c1eb8ff38faecf8f676f5fbdbd256ef3cf84b84a0f40b3f50471e148fd82151

SHA512
e697c9614ee883a8c7a14371b31fe7a2ee9f5837bcce56671935e0f45ef36d367b99d54900f6289e22a78c6c4c66cbd7a93fe40106258f600d5cabbe97b7c959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gks49bJ.exe

Filesize
615KB

MD5
e4365942361e642dd324a4bc6a53b3be

SHA1
fc6ed1d1d53b63c690ae95105c3c9981b9a750aa

SHA256
4c1eb8ff38faecf8f676f5fbdbd256ef3cf84b84a0f40b3f50471e148fd82151

SHA512
e697c9614ee883a8c7a14371b31fe7a2ee9f5837bcce56671935e0f45ef36d367b99d54900f6289e22a78c6c4c66cbd7a93fe40106258f600d5cabbe97b7c959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtZ45cO.exe

Filesize
286KB

MD5
85ef6691632d245602dff89c96d86d54

SHA1
fb97ed53fd388afb8eb8b2613a18d465edf95968

SHA256
dd8ba4efe031c253bca53dea2b51ad4e92e7be7a872d4832ce14a96b8fdbf07e

SHA512
5cbb064b2caa996f68e74d2310b8ae4642b5d3fb997cf4c7eec28bb9f161e4b4f83d105fd46ecafd6c41e21c83f7a1c01cb5fcb14a0982fdd8e82a9800aa6b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtZ45cO.exe

Filesize
286KB

MD5
85ef6691632d245602dff89c96d86d54

SHA1
fb97ed53fd388afb8eb8b2613a18d465edf95968

SHA256
dd8ba4efe031c253bca53dea2b51ad4e92e7be7a872d4832ce14a96b8fdbf07e

SHA512
5cbb064b2caa996f68e74d2310b8ae4642b5d3fb997cf4c7eec28bb9f161e4b4f83d105fd46ecafd6c41e21c83f7a1c01cb5fcb14a0982fdd8e82a9800aa6b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ajv81jC.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ajv81jC.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/3656-141-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/3656-142-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/3656-143-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/3656-144-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3656-145-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing