redline | 02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618

General

Target

02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe
Size

566KB
MD5

c81726182bdafff67fac5935985ef5c5
SHA1

76232a2245c51ead56235f0a8f2d76873c1ea280
SHA256

02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618
SHA512

51d98ce67c2930e7d79fd60db560d18cde96a3c4a226eb1911aff3749ff8574c91fda81d28ab63d14c548bacceed0f86258640ec566d98be9c81a3467f0638e8
SSDEEP

12288:zMrry9046pPFjb3X1GHtgFbvQe8tQyFifYl:cyzGFnHotub58t0Ql

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1864	y1986806.exe
2004	k4721332.exe

Loads dropped DLL 4 IoCs

pid	Process
1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe
1864	y1986806.exe
1864	y1986806.exe
2004	k4721332.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1986806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1986806.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1852 wrote to memory of 1864	1852	02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe	26
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27
PID 1864 wrote to memory of 2004	1864	y1986806.exe	27

C:\Users\Admin\AppData\Local\Temp\02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe
"C:\Users\Admin\AppData\Local\Temp\02c7a6cd9c3849a69a122da814446a9582fb657c13370fdcb6907e89f29e7618.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe

Filesize
307KB

MD5
cb41696f688aa02e5960475aae4c9e8d

SHA1
2fd0e5b944920cdd51d6ed7f244ddcf16941d001

SHA256
074c5cde351e0c790ec6570cf2baadb1bd8448db46039517d0ab04e50ac078c3

SHA512
5cf70ed76121fdaab6aaaa984e92f402703ccf12c0170e9aff588f76743dd22c602d1620831a2a3457507c21ce64c40b85e88a032b2b6ceba145657b2341a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe

Filesize
307KB

MD5
cb41696f688aa02e5960475aae4c9e8d

SHA1
2fd0e5b944920cdd51d6ed7f244ddcf16941d001

SHA256
074c5cde351e0c790ec6570cf2baadb1bd8448db46039517d0ab04e50ac078c3

SHA512
5cf70ed76121fdaab6aaaa984e92f402703ccf12c0170e9aff588f76743dd22c602d1620831a2a3457507c21ce64c40b85e88a032b2b6ceba145657b2341a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe

Filesize
168KB

MD5
cbe6a248452a06cb84e88fb2280aee18

SHA1
9dd3e0a7cd4b5a31ae18c4be6405ec0f375678b4

SHA256
d2ed2b4712a0e41726e1e344686ab9169b20973b3ea7ab08e39e33df8cec8b6f

SHA512
897df8c8a8d24b19cf731346c26facb3b744347cca3043edbc25d406044e22980d528be603557ecc0f6d2b065ce0b281a54df6ee9a7303f5b20919fcc4e80840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe

Filesize
168KB

MD5
cbe6a248452a06cb84e88fb2280aee18

SHA1
9dd3e0a7cd4b5a31ae18c4be6405ec0f375678b4

SHA256
d2ed2b4712a0e41726e1e344686ab9169b20973b3ea7ab08e39e33df8cec8b6f

SHA512
897df8c8a8d24b19cf731346c26facb3b744347cca3043edbc25d406044e22980d528be603557ecc0f6d2b065ce0b281a54df6ee9a7303f5b20919fcc4e80840

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe

Filesize
307KB

MD5
cb41696f688aa02e5960475aae4c9e8d

SHA1
2fd0e5b944920cdd51d6ed7f244ddcf16941d001

SHA256
074c5cde351e0c790ec6570cf2baadb1bd8448db46039517d0ab04e50ac078c3

SHA512
5cf70ed76121fdaab6aaaa984e92f402703ccf12c0170e9aff588f76743dd22c602d1620831a2a3457507c21ce64c40b85e88a032b2b6ceba145657b2341a5da

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1986806.exe

Filesize
307KB

MD5
cb41696f688aa02e5960475aae4c9e8d

SHA1
2fd0e5b944920cdd51d6ed7f244ddcf16941d001

SHA256
074c5cde351e0c790ec6570cf2baadb1bd8448db46039517d0ab04e50ac078c3

SHA512
5cf70ed76121fdaab6aaaa984e92f402703ccf12c0170e9aff588f76743dd22c602d1620831a2a3457507c21ce64c40b85e88a032b2b6ceba145657b2341a5da

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe

Filesize
168KB

MD5
cbe6a248452a06cb84e88fb2280aee18

SHA1
9dd3e0a7cd4b5a31ae18c4be6405ec0f375678b4

SHA256
d2ed2b4712a0e41726e1e344686ab9169b20973b3ea7ab08e39e33df8cec8b6f

SHA512
897df8c8a8d24b19cf731346c26facb3b744347cca3043edbc25d406044e22980d528be603557ecc0f6d2b065ce0b281a54df6ee9a7303f5b20919fcc4e80840

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4721332.exe

Filesize
168KB

MD5
cbe6a248452a06cb84e88fb2280aee18

SHA1
9dd3e0a7cd4b5a31ae18c4be6405ec0f375678b4

SHA256
d2ed2b4712a0e41726e1e344686ab9169b20973b3ea7ab08e39e33df8cec8b6f

SHA512
897df8c8a8d24b19cf731346c26facb3b744347cca3043edbc25d406044e22980d528be603557ecc0f6d2b065ce0b281a54df6ee9a7303f5b20919fcc4e80840

Download Submit
memory/2004-74-0x0000000001040000-0x0000000001070000-memory.dmp

Filesize
192KB

Download
memory/2004-75-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2004-76-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2004-77-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing