redline | 66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96

General

Target

66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe
Size

642KB
MD5

132f1f66a9ad40e725a298dfaa0d98cd
SHA1

9c432aa16a648795ece63456fe2dc493a5d2a759
SHA256

66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96
SHA512

7a866160c3364871baec5cd544a0831b24757125ffb1d203550290443753ba82a2a751c917b5377a814efe5a5a6fdf8b83033725da51dac174386bf61da652bc
SSDEEP

12288:4MrLy90DFr72FdV8HIgPhZsnP8qqYVO1mkNucbzuOpxhNbpj7gO:DyW/2CIOUnP8aV/k9mOpxzbFgO

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
808	x9252102.exe
672	g7496243.exe

Loads dropped DLL 4 IoCs

pid	Process
1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe
808	x9252102.exe
808	x9252102.exe
672	g7496243.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9252102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9252102.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 1732 wrote to memory of 808	1732	66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe	28
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29
PID 808 wrote to memory of 672	808	x9252102.exe	29

C:\Users\Admin\AppData\Local\Temp\66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe
"C:\Users\Admin\AppData\Local\Temp\66cd9a81bd6bf52e972426659e5f639380ad67d01b2e2bef6ef7a25616a23e96.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe

Filesize
383KB

MD5
bf741a5bee2754e4c0319b941b4c2ed6

SHA1
9342fac83c75dc5038438e2f5bd35d73900bb87a

SHA256
8f6a938518f684666f1692adaf02f1a7e68c000bd24e9b9e2eb44330ee91496f

SHA512
fa808d814509112b7d14fab787df57a9eef1a01ae6587ec62a3cc7a430e6d8f36ee3088e08a0c231d55b18bb0665937a707b35469cd58d80fb6068ad84384b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe

Filesize
383KB

MD5
bf741a5bee2754e4c0319b941b4c2ed6

SHA1
9342fac83c75dc5038438e2f5bd35d73900bb87a

SHA256
8f6a938518f684666f1692adaf02f1a7e68c000bd24e9b9e2eb44330ee91496f

SHA512
fa808d814509112b7d14fab787df57a9eef1a01ae6587ec62a3cc7a430e6d8f36ee3088e08a0c231d55b18bb0665937a707b35469cd58d80fb6068ad84384b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe

Filesize
168KB

MD5
fc6cde39444c185caf24e4ede8d4fe6b

SHA1
cf2f56bb0d096edc9f8bda4070b23827f0e6ae0e

SHA256
7c07cd13d09bfeecb330539e167728438420acd2ae976c7b706e82ef5eff0a2f

SHA512
8ec5480207f3f8e72ab796da948234ea5240b46c9cb2c18addd4d8b8e27c50340ab9a06cfdd0f2f6e1eca5171ffcb5ebb1dd3fcc42ea5a9d7a04790c9eda39f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe

Filesize
168KB

MD5
fc6cde39444c185caf24e4ede8d4fe6b

SHA1
cf2f56bb0d096edc9f8bda4070b23827f0e6ae0e

SHA256
7c07cd13d09bfeecb330539e167728438420acd2ae976c7b706e82ef5eff0a2f

SHA512
8ec5480207f3f8e72ab796da948234ea5240b46c9cb2c18addd4d8b8e27c50340ab9a06cfdd0f2f6e1eca5171ffcb5ebb1dd3fcc42ea5a9d7a04790c9eda39f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe

Filesize
383KB

MD5
bf741a5bee2754e4c0319b941b4c2ed6

SHA1
9342fac83c75dc5038438e2f5bd35d73900bb87a

SHA256
8f6a938518f684666f1692adaf02f1a7e68c000bd24e9b9e2eb44330ee91496f

SHA512
fa808d814509112b7d14fab787df57a9eef1a01ae6587ec62a3cc7a430e6d8f36ee3088e08a0c231d55b18bb0665937a707b35469cd58d80fb6068ad84384b6f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9252102.exe

Filesize
383KB

MD5
bf741a5bee2754e4c0319b941b4c2ed6

SHA1
9342fac83c75dc5038438e2f5bd35d73900bb87a

SHA256
8f6a938518f684666f1692adaf02f1a7e68c000bd24e9b9e2eb44330ee91496f

SHA512
fa808d814509112b7d14fab787df57a9eef1a01ae6587ec62a3cc7a430e6d8f36ee3088e08a0c231d55b18bb0665937a707b35469cd58d80fb6068ad84384b6f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe

Filesize
168KB

MD5
fc6cde39444c185caf24e4ede8d4fe6b

SHA1
cf2f56bb0d096edc9f8bda4070b23827f0e6ae0e

SHA256
7c07cd13d09bfeecb330539e167728438420acd2ae976c7b706e82ef5eff0a2f

SHA512
8ec5480207f3f8e72ab796da948234ea5240b46c9cb2c18addd4d8b8e27c50340ab9a06cfdd0f2f6e1eca5171ffcb5ebb1dd3fcc42ea5a9d7a04790c9eda39f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7496243.exe

Filesize
168KB

MD5
fc6cde39444c185caf24e4ede8d4fe6b

SHA1
cf2f56bb0d096edc9f8bda4070b23827f0e6ae0e

SHA256
7c07cd13d09bfeecb330539e167728438420acd2ae976c7b706e82ef5eff0a2f

SHA512
8ec5480207f3f8e72ab796da948234ea5240b46c9cb2c18addd4d8b8e27c50340ab9a06cfdd0f2f6e1eca5171ffcb5ebb1dd3fcc42ea5a9d7a04790c9eda39f0

Download Submit
memory/672-74-0x0000000001110000-0x0000000001140000-memory.dmp

Filesize
192KB

Download
memory/672-75-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/672-76-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/672-77-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing