redline | a241c4ff5356908623117fe13865feab023b7093cd545d13a86fe782c49c4276

General

Target

8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe
Size

718KB
MD5

eb29869c725dd87bea4cdefb0bcc9426
SHA1

ba42e8b7fe5cd8981cce8b2f99d5366f9d2b0334
SHA256

8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c
SHA512

99d91ff1fb737e57a9c21a264a119aef85142340bca7e2e94c722926cb997f6a7da345029e70dbe5a3439bb1e07916f39add51c4409eb711f80a260d44c357f4
SSDEEP

12288:+MrNy90p7rfLU5ir5Rk/eQqiKoivyHSaieJCUKiECV0RHcg:rym3DQYy/PqiKoiKy8CUKiEzT

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2256	gsb95mB.exe
1008	gST52ox.exe
1984	afi30fc.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gsb95mB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gsb95mB.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gST52ox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gST52ox.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2256	4928	8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe	81
PID 4928 wrote to memory of 2256	4928	8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe	81
PID 4928 wrote to memory of 2256	4928	8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe	81
PID 2256 wrote to memory of 1008	2256	gsb95mB.exe	82
PID 2256 wrote to memory of 1008	2256	gsb95mB.exe	82
PID 2256 wrote to memory of 1008	2256	gsb95mB.exe	82
PID 1008 wrote to memory of 1984	1008	gST52ox.exe	83
PID 1008 wrote to memory of 1984	1008	gST52ox.exe	83
PID 1008 wrote to memory of 1984	1008	gST52ox.exe	83

C:\Users\Admin\AppData\Local\Temp\8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe
"C:\Users\Admin\AppData\Local\Temp\8e6f43381c9f193767c4dfef68e809576baebdd47bacfd77a1dec41826f4a77c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsb95mB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsb95mB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gST52ox.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gST52ox.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afi30fc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afi30fc.exe
      4⤵
      Executes dropped EXE
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsb95mB.exe

Filesize
614KB

MD5
3d921367e22c48d5f7fbb6ff64d839a6

SHA1
8f8d9b1443b350c3c8b810926dcdc9de8212821a

SHA256
e30d81ec9f4c31bf679629bea6edac024e7d20c44fdb3275f192a4637ae199c0

SHA512
5311c79923460d5f1117aaaa21d6ee83d98d642760b68471ab5b8616af3d350961d7509d4c6e4fff7d10a6b96e6932636b098b9ccc1cffd99b4d7e65b631ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsb95mB.exe

Filesize
614KB

MD5
3d921367e22c48d5f7fbb6ff64d839a6

SHA1
8f8d9b1443b350c3c8b810926dcdc9de8212821a

SHA256
e30d81ec9f4c31bf679629bea6edac024e7d20c44fdb3275f192a4637ae199c0

SHA512
5311c79923460d5f1117aaaa21d6ee83d98d642760b68471ab5b8616af3d350961d7509d4c6e4fff7d10a6b96e6932636b098b9ccc1cffd99b4d7e65b631ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gST52ox.exe

Filesize
286KB

MD5
5058e1f081b2e3ce596d2636e28b7264

SHA1
a870d87ad7f098a2046d31c2f046b03c9e07d142

SHA256
54f14793f21e4d0beef4c06501855137c3bc6df1c42abe6b8d11a765a422e809

SHA512
a03620ffa1a5f0bd718d3483defac6d4a90fbcd1fb5619e577b7874e438234852a14479f41cf6a5efbf23f34d9c1d6212a67d9c6c053e30a638656ee3b32b0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gST52ox.exe

Filesize
286KB

MD5
5058e1f081b2e3ce596d2636e28b7264

SHA1
a870d87ad7f098a2046d31c2f046b03c9e07d142

SHA256
54f14793f21e4d0beef4c06501855137c3bc6df1c42abe6b8d11a765a422e809

SHA512
a03620ffa1a5f0bd718d3483defac6d4a90fbcd1fb5619e577b7874e438234852a14479f41cf6a5efbf23f34d9c1d6212a67d9c6c053e30a638656ee3b32b0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afi30fc.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\afi30fc.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/1984-141-0x00000000007D0000-0x0000000000802000-memory.dmp

Filesize
200KB

Download
memory/1984-142-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/1984-143-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/1984-144-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/1984-145-0x00000000050C0000-0x00000000050FC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing