redline | 56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c

General

Target

56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
Size

643KB
MD5

537626c1376fc48f62dce4c6f3b47924
SHA1

0db4310258602b3a1c788034e1b4235a44eaad92
SHA256

56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c
SHA512

450ca1c8da4bccf978e5456b9e9e1415974d2772eb5a6d088f818ca542cedd6801132726be0faf84f25202ae846a819b305a90c971b25eac0e784aaeefe922f8
SSDEEP

12288:JMrFy90ABlYOiXFoqnxa8sONhYxtR8D9aHscFHxbJnyUkLyLzP44S9XdYlhf:Ey8BFrnx7sj8ZaMcdh7kLyLzPvSPi

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1684	x2397502.exe
1108	g2748512.exe

Loads dropped DLL 4 IoCs

pid	Process
1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
1684	x2397502.exe
1684	x2397502.exe
1108	g2748512.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2397502.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2397502.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1324 wrote to memory of 1684	1324	56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe	28
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29
PID 1684 wrote to memory of 1108	1684	x2397502.exe	29

C:\Users\Admin\AppData\Local\Temp\56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe
"C:\Users\Admin\AppData\Local\Temp\56bda6d78374abade54633563c7aa37e193d7888802eefaa44792fd94029094c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2397502.exe

Filesize
383KB

MD5
0090e627f4bcd11d7f395c28a337c421

SHA1
471f8518118320d89e4a2069bde3d3c4eaee9d4c

SHA256
5740774b15b56a8acc2c517c32419928b438dc414bbe541264dab0aaf2703efd

SHA512
8ea20a86e5e68c1b93ad4b5622a882d83a7a2392296291f88b99262873dbb047a8555e646c6bdd1604939bf54265093a780ad37ff5e59273242a0f277e3a38e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2748512.exe

Filesize
168KB

MD5
416d9ed85163fb53dfc7f9f98ede4201

SHA1
cbc2080f1fc82aed2b3d3e2fdec49085aa4aeef9

SHA256
5bcd0023054804203a0e5d55bf02e8b42046a58734e5d033fff6267d3aa5144a

SHA512
f3df3c33ff6405b963dfc0409bd0e0a46dcc7bb366b7e13bd843589759473bc41e71d65767f59cb475a6d3026faa98392bf9a7ab1283a5097b2a250a285e2349

Download Submit
memory/1108-74-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/1108-75-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/1108-76-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/1108-77-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing