redline | 0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8

General

Target

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Size

643KB
MD5

23693d58857ce79fbb62ad6e1590dabd
SHA1

d31d7b29330c0b864f908604eb73824d23642dc6
SHA256

0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8
SHA512

5d07c656f8de2fc0aaeaadfc01d3b38ef724fecf2dc9dd5427ab6a28d13f45dbd4adb0c30cd508f29ced700e3b3eda54540849ef2b63c6a288726e3914f98979
SSDEEP

12288:vMr3y90nmZ4qQIcn+o5JachYZ3R8keACR966IFyOVMLlzL1fS:UyhXc+o5scEh8X66uyO0L1q

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1652	x2020685.exe
2020	g7895368.exe

Loads dropped DLL 4 IoCs

pid	Process
1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
1652	x2020685.exe
1652	x2020685.exe
2020	g7895368.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2020685.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2020685.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1976 wrote to memory of 1652	1976	0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe	28
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29
PID 1652 wrote to memory of 2020	1652	x2020685.exe	29

C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe
"C:\Users\Admin\AppData\Local\Temp\0f4c5547a09a7131c7e1e855f1e5469779e8a2242d9a581eee717906fd4d69d8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2020685.exe

Filesize
383KB

MD5
93f8a85c9caedb6cd7d72893fc5f04a0

SHA1
9c45ab122990f593bd4dadc0a274282ff6ecb81f

SHA256
d5091f453faec384437b3c4e7fd345f16c46d3003c015b32c46d946b5a9e1f2b

SHA512
72f0e84be9cccac6a13da4b687fdde1f0f311d5706fda993dcd9eaa6aab08e3aab90f7dfa0904f1b156e1c2edf8bd60e6596aaf54d0f9e148de603a519b2d6b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7895368.exe

Filesize
168KB

MD5
8c29a78514c0c95f91df7c2780855604

SHA1
49ea7d31a3ebc76c89bcd9213ee3f8940311afc2

SHA256
1dafb53940d8c9ce35decc5ce7e92fc8abbed7af73bb04f22cfe3b2976d877b4

SHA512
64c0270ec1a229a29dc940e9e480ffc1040f3b3c9d30d1a623dc8d9d9931a0423e0861b9f4cd1ff84e9a472c1b5c54d1cd99b77b98e519827ddc7c91e7fe0e5b

Download Submit
memory/2020-74-0x00000000011E0000-0x0000000001210000-memory.dmp

Filesize
192KB

Download
memory/2020-75-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2020-76-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/2020-77-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing