redline | 099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6

General

Target

099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe
Size

642KB
MD5

19b3c047d1c29c8679e15b558b38b06e
SHA1

b2593b50a1fceb082962524ed4c5db12e7f996ba
SHA256

099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6
SHA512

d75d5413641cba226ff9199f3f6b7fe3f6b15801db74f4c336476b898f2d4a2a259ba3c6c09e0207b9bc460e04751a9229ac696211e7eae063fb5cdc80e79ff0
SSDEEP

12288:HMrby90T0ZU0QHFf8B0xD6JHmNfLH+AXuVu7hpY4skyyZHDXtY:Uy2ODQCBtJHm9Le9uTsTeC

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
340	x6687393.exe
1744	g7997050.exe

Loads dropped DLL 4 IoCs

pid	Process
592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe
340	x6687393.exe
340	x6687393.exe
1744	g7997050.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6687393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6687393.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 592 wrote to memory of 340	592	099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe	28
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29
PID 340 wrote to memory of 1744	340	x6687393.exe	29

C:\Users\Admin\AppData\Local\Temp\099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe
"C:\Users\Admin\AppData\Local\Temp\099a45eab53517c592fa271844d19e1111f637cb4fb90691d134856a72196aa6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe

Filesize
384KB

MD5
b1285bbbf4ea698e94af93da196bf17b

SHA1
e7e099022b5fe2917c6f4138602721a10c3ef47f

SHA256
90a4ec4b55c13e0bdc092bc41b716ce2d3026a933600a9be9cc906b58b6cc7ad

SHA512
230a464c48b78b8680d84117f79e39a1a39b1e993032932aa980e59778b79e2e21c8722b81265b7afe050bd71df7da399a51bc09f0dc14071963ad9155f38769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe

Filesize
384KB

MD5
b1285bbbf4ea698e94af93da196bf17b

SHA1
e7e099022b5fe2917c6f4138602721a10c3ef47f

SHA256
90a4ec4b55c13e0bdc092bc41b716ce2d3026a933600a9be9cc906b58b6cc7ad

SHA512
230a464c48b78b8680d84117f79e39a1a39b1e993032932aa980e59778b79e2e21c8722b81265b7afe050bd71df7da399a51bc09f0dc14071963ad9155f38769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe

Filesize
168KB

MD5
d969c1ad92f18077894314b2e8d1ce8e

SHA1
dcacc2f1b6303ef9ba59de8103486d082aa41d2b

SHA256
84c42f1b666f727f0896902202f6d3670da26dcf0f2be795372e49adc7f433b0

SHA512
f7644bcf411b6dea539dfddd9ee67b53ce26de7f2e4a38f4ae86a93cc834f068343bff309b9d62884815009f26377dc77f9fe602c7d167ecfa4e1cdfb7340918

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe

Filesize
168KB

MD5
d969c1ad92f18077894314b2e8d1ce8e

SHA1
dcacc2f1b6303ef9ba59de8103486d082aa41d2b

SHA256
84c42f1b666f727f0896902202f6d3670da26dcf0f2be795372e49adc7f433b0

SHA512
f7644bcf411b6dea539dfddd9ee67b53ce26de7f2e4a38f4ae86a93cc834f068343bff309b9d62884815009f26377dc77f9fe602c7d167ecfa4e1cdfb7340918

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe

Filesize
384KB

MD5
b1285bbbf4ea698e94af93da196bf17b

SHA1
e7e099022b5fe2917c6f4138602721a10c3ef47f

SHA256
90a4ec4b55c13e0bdc092bc41b716ce2d3026a933600a9be9cc906b58b6cc7ad

SHA512
230a464c48b78b8680d84117f79e39a1a39b1e993032932aa980e59778b79e2e21c8722b81265b7afe050bd71df7da399a51bc09f0dc14071963ad9155f38769

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6687393.exe

Filesize
384KB

MD5
b1285bbbf4ea698e94af93da196bf17b

SHA1
e7e099022b5fe2917c6f4138602721a10c3ef47f

SHA256
90a4ec4b55c13e0bdc092bc41b716ce2d3026a933600a9be9cc906b58b6cc7ad

SHA512
230a464c48b78b8680d84117f79e39a1a39b1e993032932aa980e59778b79e2e21c8722b81265b7afe050bd71df7da399a51bc09f0dc14071963ad9155f38769

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe

Filesize
168KB

MD5
d969c1ad92f18077894314b2e8d1ce8e

SHA1
dcacc2f1b6303ef9ba59de8103486d082aa41d2b

SHA256
84c42f1b666f727f0896902202f6d3670da26dcf0f2be795372e49adc7f433b0

SHA512
f7644bcf411b6dea539dfddd9ee67b53ce26de7f2e4a38f4ae86a93cc834f068343bff309b9d62884815009f26377dc77f9fe602c7d167ecfa4e1cdfb7340918

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7997050.exe

Filesize
168KB

MD5
d969c1ad92f18077894314b2e8d1ce8e

SHA1
dcacc2f1b6303ef9ba59de8103486d082aa41d2b

SHA256
84c42f1b666f727f0896902202f6d3670da26dcf0f2be795372e49adc7f433b0

SHA512
f7644bcf411b6dea539dfddd9ee67b53ce26de7f2e4a38f4ae86a93cc834f068343bff309b9d62884815009f26377dc77f9fe602c7d167ecfa4e1cdfb7340918

Download Submit
memory/1744-74-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/1744-75-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1744-76-0x0000000000D60000-0x0000000000DA0000-memory.dmp

Filesize
256KB

Download
memory/1744-77-0x0000000000D60000-0x0000000000DA0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing