redline | feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2

General

Target

feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe
Size

719KB
MD5

67587bf2a1c0e409ecabbd598159afbc
SHA1

9b856c7eba296908e137b6c6f61bc3462dd6c252
SHA256

feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2
SHA512

6d08b46e47ec107ef2ec204eb9e0d5620797e129f0f3848e93bc6feae3b0dbd7770b42a19b5ef64429aadab45c5b4a59cdc930b36b39bd083b794f2d76c78d83
SSDEEP

12288:TMrgy907vZPnzGDkxXpGVbyeJZPpYgeSbAWPgaI+84aKug0N:vyeZPnrVqZPygfrga2PN

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4872	gUa08qn.exe
2528	gye23GB.exe
4904	arg36KK.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gUa08qn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gye23GB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gye23GB.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gUa08qn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4872	4932	feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe	75
PID 4932 wrote to memory of 4872	4932	feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe	75
PID 4932 wrote to memory of 4872	4932	feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe	75
PID 4872 wrote to memory of 2528	4872	gUa08qn.exe	76
PID 4872 wrote to memory of 2528	4872	gUa08qn.exe	76
PID 4872 wrote to memory of 2528	4872	gUa08qn.exe	76
PID 2528 wrote to memory of 4904	2528	gye23GB.exe	77
PID 2528 wrote to memory of 4904	2528	gye23GB.exe	77
PID 2528 wrote to memory of 4904	2528	gye23GB.exe	77

C:\Users\Admin\AppData\Local\Temp\feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe
"C:\Users\Admin\AppData\Local\Temp\feb75ffcc4337f81bdcb6729465eb5cf6a90c537efd22129db39db472b6013e2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gUa08qn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gUa08qn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gye23GB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gye23GB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\arg36KK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\arg36KK.exe
      4⤵
      Executes dropped EXE
      PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gUa08qn.exe

Filesize
615KB

MD5
d80d84efd1803e2e5fb774211b4ffd95

SHA1
3d0be37da9c20a585a2b8fba3331d9bbcc339aae

SHA256
b61c836beaed00f8f4a3149b75e3030ffb702d294d2d1b78ead6aa02f31bd7da

SHA512
e92c5fe41696383c508096df171a3e136cf2109143d0ea7c327347eea0dbfc833dafedc2d0d6fae1908dbc1d4dcaa3e5f4a52809067aab0923a85195ec26a41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gUa08qn.exe

Filesize
615KB

MD5
d80d84efd1803e2e5fb774211b4ffd95

SHA1
3d0be37da9c20a585a2b8fba3331d9bbcc339aae

SHA256
b61c836beaed00f8f4a3149b75e3030ffb702d294d2d1b78ead6aa02f31bd7da

SHA512
e92c5fe41696383c508096df171a3e136cf2109143d0ea7c327347eea0dbfc833dafedc2d0d6fae1908dbc1d4dcaa3e5f4a52809067aab0923a85195ec26a41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gye23GB.exe

Filesize
286KB

MD5
1783efa82847f52dab460e4ae6b80e44

SHA1
c65e3b84332e91395aee4f9b9a99b03a2a16d0a8

SHA256
8e65abd5651579537097a84dd0ba5ecaff5558acbe5613c754a555bbae0f5cd5

SHA512
6f7c6cc47ed40e1024dcf27e490093dee6e09a1b1f2a4334b4d6ece2a601620603dc0caa40eee9e41134ddee5f2ea0b4cfbbff0981f5e925338e277ca3dc25b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gye23GB.exe

Filesize
286KB

MD5
1783efa82847f52dab460e4ae6b80e44

SHA1
c65e3b84332e91395aee4f9b9a99b03a2a16d0a8

SHA256
8e65abd5651579537097a84dd0ba5ecaff5558acbe5613c754a555bbae0f5cd5

SHA512
6f7c6cc47ed40e1024dcf27e490093dee6e09a1b1f2a4334b4d6ece2a601620603dc0caa40eee9e41134ddee5f2ea0b4cfbbff0981f5e925338e277ca3dc25b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\arg36KK.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\arg36KK.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/4904-141-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/4904-142-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/4904-143-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-144-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/4904-145-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing