redline | 607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa

Analysis

max time kernel
289s
max time network
370s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe
Size

565KB
MD5

f81c9f76005f58a3297b59d958c55bbc
SHA1

79be64c1245503b956e7f00a4d042bbf939bf754
SHA256

607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa
SHA512

fc208a3fc575968473cf016c4e182c888b5d2027fd8a248bc54c8de41ec7f7f8870a423039594641b504736d4847c3bfc4b38d5e026ac13874f5ac9102cb13e3
SSDEEP

12288:hMrXy90SlrQZuTrgL2Xc9Mard+TqqOjvNCc1z1R8:uyLl8Zuq8Sjd+T7k1C26

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4520	y4709663.exe
2420	k2674960.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4709663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4709663.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4520	4784	607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe	85
PID 4784 wrote to memory of 4520	4784	607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe	85
PID 4784 wrote to memory of 4520	4784	607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe	85
PID 4520 wrote to memory of 2420	4520	y4709663.exe	87
PID 4520 wrote to memory of 2420	4520	y4709663.exe	87
PID 4520 wrote to memory of 2420	4520	y4709663.exe	87

C:\Users\Admin\AppData\Local\Temp\607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe
"C:\Users\Admin\AppData\Local\Temp\607f5b003a59c5e2e02f32debcce4b47b2a458d7a31eaf80f1125717990373aa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4709663.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4709663.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2674960.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2674960.exe
    3⤵
    - Executes dropped EXE
    PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4709663.exe

Filesize
307KB

MD5
16da68f729be28bce910d9e20a0b8af5

SHA1
05e58988081493e08a75024dade697ffa30e3b76

SHA256
dfd9595a87714dd0186240323a16029bb2426fb849f308704f861e7bc0087ed9

SHA512
5847926c1938d01ef5b7d4f85e359ca41c14d5d550dbb6993030c343a49108832ea663af216a4407b6a903a54a8acd3606bda0f6dc46f499fe9e55d211fd1bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4709663.exe

Filesize
307KB

MD5
16da68f729be28bce910d9e20a0b8af5

SHA1
05e58988081493e08a75024dade697ffa30e3b76

SHA256
dfd9595a87714dd0186240323a16029bb2426fb849f308704f861e7bc0087ed9

SHA512
5847926c1938d01ef5b7d4f85e359ca41c14d5d550dbb6993030c343a49108832ea663af216a4407b6a903a54a8acd3606bda0f6dc46f499fe9e55d211fd1bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2674960.exe

Filesize
168KB

MD5
9cf61dc52e06acb7933f2e47fd71738d

SHA1
ab34798e2d113947b368ca7b4db04863d5de42a3

SHA256
7cdd7f840f09911a7d9ba3a4dc64eb736df67969487ecc01a0eb239c6b8c6350

SHA512
200e399be881a7bf0bbf032d0c9cfa5bab3d94375be0c26abeaf1f7ce9fc4c89831ea342ff283a8e8b14306b5c4b2b6d8053de004bd34e7c5c01914620c9e519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2674960.exe

Filesize
168KB

MD5
9cf61dc52e06acb7933f2e47fd71738d

SHA1
ab34798e2d113947b368ca7b4db04863d5de42a3

SHA256
7cdd7f840f09911a7d9ba3a4dc64eb736df67969487ecc01a0eb239c6b8c6350

SHA512
200e399be881a7bf0bbf032d0c9cfa5bab3d94375be0c26abeaf1f7ce9fc4c89831ea342ff283a8e8b14306b5c4b2b6d8053de004bd34e7c5c01914620c9e519

Download Submit
memory/2420-147-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download