redline | 54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6

General

Target

54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe
Size

480KB
MD5

a49a85456374883ec3d20c8645bada06
SHA1

0a3155817c717e08c5cbf51c3a926ad432371668
SHA256

54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6
SHA512

964d28d076e97e414a1da0b83a4990251e8a81b9917657c3b0f4b492549be46f6dedf0beb85f389037924d792e1ff91719c612f6f41458e14fbf1f0a55746e20
SSDEEP

12288:nMrIy90sW/ieUkMygTEQq+CUuYvKh3B735ft:vy/AUkJg4Qq+uYIpRt

Score

10^/10

redline daris infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
524	y5134366.exe
988	k3280172.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe
524	y5134366.exe
524	y5134366.exe
988	k3280172.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5134366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5134366.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 1492 wrote to memory of 524	1492	54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe	27
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28
PID 524 wrote to memory of 988	524	y5134366.exe	28

C:\Users\Admin\AppData\Local\Temp\54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe
"C:\Users\Admin\AppData\Local\Temp\54de0ac15eb53a24d3e3982f7d579bffe916fc02cdec2d8d70d22ce89c669fa6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe

Filesize
308KB

MD5
cd54d95e384b85d062d545b99dc77833

SHA1
1509df43fb24074e3619f3ba71c1b0546fdcf10a

SHA256
9af736cb3e0f8d08eb49f9f1cad40580997d884636d5588af2c50ff93c57d2df

SHA512
e7857e12189442f898ce07210bc7ad44aae4dcfd2a5feea32aef130367be14fa8beb2a8bb0a57b10e07a6519f350ae08ecd85bc9a5531d95ebfbd2dc1471bf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe

Filesize
308KB

MD5
cd54d95e384b85d062d545b99dc77833

SHA1
1509df43fb24074e3619f3ba71c1b0546fdcf10a

SHA256
9af736cb3e0f8d08eb49f9f1cad40580997d884636d5588af2c50ff93c57d2df

SHA512
e7857e12189442f898ce07210bc7ad44aae4dcfd2a5feea32aef130367be14fa8beb2a8bb0a57b10e07a6519f350ae08ecd85bc9a5531d95ebfbd2dc1471bf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe

Filesize
168KB

MD5
9696ef6a8d1d275a6e0f8f08668bfa4d

SHA1
38c342bf2aa3016454ce886fac3df905e929c045

SHA256
d6e2972b0e7b3d46d9f2389de95e3451d3fbac107546306693686665a820fb77

SHA512
e5c56ab9c7d411ff832487dc275ee4e65486163b6114d600c204bf7051cccf17b7638f1f829302f4db250905eb828e720e16e3e399cde4003beffe36435235e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe

Filesize
168KB

MD5
9696ef6a8d1d275a6e0f8f08668bfa4d

SHA1
38c342bf2aa3016454ce886fac3df905e929c045

SHA256
d6e2972b0e7b3d46d9f2389de95e3451d3fbac107546306693686665a820fb77

SHA512
e5c56ab9c7d411ff832487dc275ee4e65486163b6114d600c204bf7051cccf17b7638f1f829302f4db250905eb828e720e16e3e399cde4003beffe36435235e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe

Filesize
308KB

MD5
cd54d95e384b85d062d545b99dc77833

SHA1
1509df43fb24074e3619f3ba71c1b0546fdcf10a

SHA256
9af736cb3e0f8d08eb49f9f1cad40580997d884636d5588af2c50ff93c57d2df

SHA512
e7857e12189442f898ce07210bc7ad44aae4dcfd2a5feea32aef130367be14fa8beb2a8bb0a57b10e07a6519f350ae08ecd85bc9a5531d95ebfbd2dc1471bf0f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5134366.exe

Filesize
308KB

MD5
cd54d95e384b85d062d545b99dc77833

SHA1
1509df43fb24074e3619f3ba71c1b0546fdcf10a

SHA256
9af736cb3e0f8d08eb49f9f1cad40580997d884636d5588af2c50ff93c57d2df

SHA512
e7857e12189442f898ce07210bc7ad44aae4dcfd2a5feea32aef130367be14fa8beb2a8bb0a57b10e07a6519f350ae08ecd85bc9a5531d95ebfbd2dc1471bf0f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe

Filesize
168KB

MD5
9696ef6a8d1d275a6e0f8f08668bfa4d

SHA1
38c342bf2aa3016454ce886fac3df905e929c045

SHA256
d6e2972b0e7b3d46d9f2389de95e3451d3fbac107546306693686665a820fb77

SHA512
e5c56ab9c7d411ff832487dc275ee4e65486163b6114d600c204bf7051cccf17b7638f1f829302f4db250905eb828e720e16e3e399cde4003beffe36435235e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3280172.exe

Filesize
168KB

MD5
9696ef6a8d1d275a6e0f8f08668bfa4d

SHA1
38c342bf2aa3016454ce886fac3df905e929c045

SHA256
d6e2972b0e7b3d46d9f2389de95e3451d3fbac107546306693686665a820fb77

SHA512
e5c56ab9c7d411ff832487dc275ee4e65486163b6114d600c204bf7051cccf17b7638f1f829302f4db250905eb828e720e16e3e399cde4003beffe36435235e0

Download Submit
memory/988-74-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download
memory/988-75-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/988-76-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/988-77-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing