redline | 48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2

General

Target

48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe
Size

479KB
MD5

acdf786e8286e13c651b27438d1d9b08
SHA1

b947b94293e3e272dd7c1b12754f23ef423da520
SHA256

48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2
SHA512

8834552b3664374b2fa43c42ce9e356f338a87e4d58fcb15f5ce708a023f82955b727d83006a1229725a98af2b1488a91b9299bfff15650b10cab177fad9a457
SSDEEP

12288:rMrQy90I9yfuOfZvxrdw7+tBzU21BPlQfJQWvYzcmwiCF:zyrp6AajPlZWvYzPwlF

Score

10^/10

redline daris infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
268	y1584088.exe
440	k0265306.exe

Loads dropped DLL 4 IoCs

pid	Process
1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe
268	y1584088.exe
268	y1584088.exe
440	k0265306.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1584088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1584088.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 1404 wrote to memory of 268	1404	48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe	28
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29
PID 268 wrote to memory of 440	268	y1584088.exe	29

C:\Users\Admin\AppData\Local\Temp\48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe
"C:\Users\Admin\AppData\Local\Temp\48cc12c115c5750e8d32947a1fbe51e11779a58b37edf2e1b7eec89ae5b2f5d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe

Filesize
308KB

MD5
ef90918841f5c02182d8e4d8125f7334

SHA1
ff6dfdc695758f5b3a518f28ec878b283763d9aa

SHA256
582780c20397191cb2225e8f362c5e6af3f66dbfa5c77c81f9096bcaf59a6834

SHA512
51449d08fc2cc7baa0888a1c24cd055bdaacc46a2d43df5d67f9694cb748e99bc7a5d0ba851e76bfd71b562e6fe15a9a0556b731f8df8acf33cbc4e91aeb28fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe

Filesize
308KB

MD5
ef90918841f5c02182d8e4d8125f7334

SHA1
ff6dfdc695758f5b3a518f28ec878b283763d9aa

SHA256
582780c20397191cb2225e8f362c5e6af3f66dbfa5c77c81f9096bcaf59a6834

SHA512
51449d08fc2cc7baa0888a1c24cd055bdaacc46a2d43df5d67f9694cb748e99bc7a5d0ba851e76bfd71b562e6fe15a9a0556b731f8df8acf33cbc4e91aeb28fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe

Filesize
168KB

MD5
bbeb564bc08a42d68f8702bc08401a54

SHA1
355d73653e1018bc9e0b9b4069e57307cf13142d

SHA256
fc402c7b39013dbe4a2836d6bf59df3d9eb8da0b3e20964e0e18937ac4063d8b

SHA512
765ad5128b51afabfcbc5c3cb8f1e67c042b384773faf8ef6a657abd25f0f764483f893419124461cc31b5c5a62045f056f9babb2c2359682943075cb361807f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe

Filesize
168KB

MD5
bbeb564bc08a42d68f8702bc08401a54

SHA1
355d73653e1018bc9e0b9b4069e57307cf13142d

SHA256
fc402c7b39013dbe4a2836d6bf59df3d9eb8da0b3e20964e0e18937ac4063d8b

SHA512
765ad5128b51afabfcbc5c3cb8f1e67c042b384773faf8ef6a657abd25f0f764483f893419124461cc31b5c5a62045f056f9babb2c2359682943075cb361807f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe

Filesize
308KB

MD5
ef90918841f5c02182d8e4d8125f7334

SHA1
ff6dfdc695758f5b3a518f28ec878b283763d9aa

SHA256
582780c20397191cb2225e8f362c5e6af3f66dbfa5c77c81f9096bcaf59a6834

SHA512
51449d08fc2cc7baa0888a1c24cd055bdaacc46a2d43df5d67f9694cb748e99bc7a5d0ba851e76bfd71b562e6fe15a9a0556b731f8df8acf33cbc4e91aeb28fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1584088.exe

Filesize
308KB

MD5
ef90918841f5c02182d8e4d8125f7334

SHA1
ff6dfdc695758f5b3a518f28ec878b283763d9aa

SHA256
582780c20397191cb2225e8f362c5e6af3f66dbfa5c77c81f9096bcaf59a6834

SHA512
51449d08fc2cc7baa0888a1c24cd055bdaacc46a2d43df5d67f9694cb748e99bc7a5d0ba851e76bfd71b562e6fe15a9a0556b731f8df8acf33cbc4e91aeb28fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe

Filesize
168KB

MD5
bbeb564bc08a42d68f8702bc08401a54

SHA1
355d73653e1018bc9e0b9b4069e57307cf13142d

SHA256
fc402c7b39013dbe4a2836d6bf59df3d9eb8da0b3e20964e0e18937ac4063d8b

SHA512
765ad5128b51afabfcbc5c3cb8f1e67c042b384773faf8ef6a657abd25f0f764483f893419124461cc31b5c5a62045f056f9babb2c2359682943075cb361807f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0265306.exe

Filesize
168KB

MD5
bbeb564bc08a42d68f8702bc08401a54

SHA1
355d73653e1018bc9e0b9b4069e57307cf13142d

SHA256
fc402c7b39013dbe4a2836d6bf59df3d9eb8da0b3e20964e0e18937ac4063d8b

SHA512
765ad5128b51afabfcbc5c3cb8f1e67c042b384773faf8ef6a657abd25f0f764483f893419124461cc31b5c5a62045f056f9babb2c2359682943075cb361807f

Download Submit
memory/440-74-0x0000000000DF0000-0x0000000000E1E000-memory.dmp

Filesize
184KB

Download
memory/440-75-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/440-76-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/440-77-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing