redline | b07ccf0277e4d430d480cea80888098d0ca9a31ab42fd93d98ed3d9e96e8f8e5

General

Target

fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe
Size

721KB
MD5

f3fa50e9aafa42fc4582fb70ee997cd6
SHA1

1c53e6cb28f8a42f81b24e2c6435a40b11d0b537
SHA256

fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933
SHA512

42c5d383f3d75bc1116050eb77f59d05702fdd90a44086dc255bf0aa740f68acad47d13b94de5eb6cfe7efd7b482ec09e93487237d49bbabf8a5660e574a65ad
SSDEEP

12288:8MrFy90XlQWI9GqfiBgX7HteNPlUSeJc2Z4K2BiGnlkl+iFErknzOF:xyYlGTaBgLr2K2BiGCFNY

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

C2

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1948	gsT65wh.exe
4140	gtl97Ob.exe
2212	aBv22cD.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gsT65wh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gtl97Ob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gtl97Ob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gsT65wh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1948	4092	fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe	82
PID 4092 wrote to memory of 1948	4092	fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe	82
PID 4092 wrote to memory of 1948	4092	fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe	82
PID 1948 wrote to memory of 4140	1948	gsT65wh.exe	83
PID 1948 wrote to memory of 4140	1948	gsT65wh.exe	83
PID 1948 wrote to memory of 4140	1948	gsT65wh.exe	83
PID 4140 wrote to memory of 2212	4140	gtl97Ob.exe	84
PID 4140 wrote to memory of 2212	4140	gtl97Ob.exe	84
PID 4140 wrote to memory of 2212	4140	gtl97Ob.exe	84

C:\Users\Admin\AppData\Local\Temp\fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe
"C:\Users\Admin\AppData\Local\Temp\fc86011339815cb1979c0e85e875ba3f125a147437cde8a37faf3ccc78b37933.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsT65wh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsT65wh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtl97Ob.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtl97Ob.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aBv22cD.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aBv22cD.exe
      4⤵
      Executes dropped EXE
      PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsT65wh.exe

Filesize
617KB

MD5
863a64c9d1cdbe68b712dc7452414cae

SHA1
9c7da5fc0c7d51c72db258937e03fce783f4ae0f

SHA256
2b250b397be6e6e1b5c4997bd40a608441fabac3c4d8f303ca31dd51f4a4213c

SHA512
7d60c305e20fb7184bcc8f9a6d791182b56c05dfc84436155f7351ea80612e00a05cf6a4632e413a5a27db13a6424e9b09736e86b1f90771cc4358837b4e18c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gsT65wh.exe

Filesize
617KB

MD5
863a64c9d1cdbe68b712dc7452414cae

SHA1
9c7da5fc0c7d51c72db258937e03fce783f4ae0f

SHA256
2b250b397be6e6e1b5c4997bd40a608441fabac3c4d8f303ca31dd51f4a4213c

SHA512
7d60c305e20fb7184bcc8f9a6d791182b56c05dfc84436155f7351ea80612e00a05cf6a4632e413a5a27db13a6424e9b09736e86b1f90771cc4358837b4e18c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtl97Ob.exe

Filesize
286KB

MD5
dfd2ca6e50f9154786b16a97585d720c

SHA1
cab6ef8d941c7234f86993371ffa2f9e84c19b07

SHA256
b4c6f63a7092bd5fb4965302fefaa21840b1c31766cc398167ff6f1f6c650ba3

SHA512
0489f8de5e94356ff9828d910bfae4ad3e77714ef7f0c4393e8bad6e7706a49e1d659ba4a601644e58d3d57bd49ea1426370531bbe32cbb617b2db6fb4ee21d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gtl97Ob.exe

Filesize
286KB

MD5
dfd2ca6e50f9154786b16a97585d720c

SHA1
cab6ef8d941c7234f86993371ffa2f9e84c19b07

SHA256
b4c6f63a7092bd5fb4965302fefaa21840b1c31766cc398167ff6f1f6c650ba3

SHA512
0489f8de5e94356ff9828d910bfae4ad3e77714ef7f0c4393e8bad6e7706a49e1d659ba4a601644e58d3d57bd49ea1426370531bbe32cbb617b2db6fb4ee21d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aBv22cD.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aBv22cD.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/2212-141-0x00000000005D0000-0x0000000000602000-memory.dmp

Filesize
200KB

Download
memory/2212-142-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/2212-143-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/2212-144-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/2212-145-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing