redline | 16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d

General

Target

16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe
Size

568KB
MD5

48a8da3b7b3ba8d867c69c1640e76177
SHA1

675440b0fe24c3a113430033e5cee0e8bae55f8c
SHA256

16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d
SHA512

bc933f0bda4235ed181643f13dd7c49684ebe3df3a648dc3480a4d4c0b1f94d0b04abda640e762516fb818f3271043c1d78ea112a38569116eec8ebb77a0912f
SSDEEP

12288:lMr5y90Ix4/ngrFMmBn0Y/ExmkgV2PNTq0Wh6HcpjZ0vbpLnW:Iyv4/ngrimZ0YM1ZxS2cpjaTpLW

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1208	y4854053.exe
696	k0814292.exe

Loads dropped DLL 4 IoCs

pid	Process
1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe
1208	y4854053.exe
1208	y4854053.exe
696	k0814292.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4854053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4854053.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1424 wrote to memory of 1208	1424	16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe	28
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29
PID 1208 wrote to memory of 696	1208	y4854053.exe	29

C:\Users\Admin\AppData\Local\Temp\16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe
"C:\Users\Admin\AppData\Local\Temp\16695e9d8ae0299b14eb060ea566cc0827079c035980c5e8a6af9f6e7efa948d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe

Filesize
307KB

MD5
f7f9d37def47e802f0ae51f82cd3817d

SHA1
afa83616ba403f5dfcc8564cb21f54e785e10867

SHA256
eb11922c878d2e1a72b2e422e4cd5f77ca5827bac5834bf16bbb946503902df6

SHA512
ff80fd49052c2da4487ef80274242d6c59702bbe69c8a675d1c0545b8ae582fc5b871e8b3ce21f2802558fbcd1d9137b513ff6d088aba044e161cd8453983eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe

Filesize
307KB

MD5
f7f9d37def47e802f0ae51f82cd3817d

SHA1
afa83616ba403f5dfcc8564cb21f54e785e10867

SHA256
eb11922c878d2e1a72b2e422e4cd5f77ca5827bac5834bf16bbb946503902df6

SHA512
ff80fd49052c2da4487ef80274242d6c59702bbe69c8a675d1c0545b8ae582fc5b871e8b3ce21f2802558fbcd1d9137b513ff6d088aba044e161cd8453983eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe

Filesize
168KB

MD5
2681642b4adc36c8c739f0b0e84cd235

SHA1
8dbc7b55919c2efb985b812a77189cd70b7947fb

SHA256
bd0df156efaf7ce5c58149b86e635f036b0be893569d721fe13af27dcb53f447

SHA512
a4317556fe954bf195eda17c132ff567049d83ae9484100e5936dfcb81fbf693dbc92dff7072ab1c8b73a2386c0e881ee939c61ae7dbc86db4fac74f06bd3dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe

Filesize
168KB

MD5
2681642b4adc36c8c739f0b0e84cd235

SHA1
8dbc7b55919c2efb985b812a77189cd70b7947fb

SHA256
bd0df156efaf7ce5c58149b86e635f036b0be893569d721fe13af27dcb53f447

SHA512
a4317556fe954bf195eda17c132ff567049d83ae9484100e5936dfcb81fbf693dbc92dff7072ab1c8b73a2386c0e881ee939c61ae7dbc86db4fac74f06bd3dab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe

Filesize
307KB

MD5
f7f9d37def47e802f0ae51f82cd3817d

SHA1
afa83616ba403f5dfcc8564cb21f54e785e10867

SHA256
eb11922c878d2e1a72b2e422e4cd5f77ca5827bac5834bf16bbb946503902df6

SHA512
ff80fd49052c2da4487ef80274242d6c59702bbe69c8a675d1c0545b8ae582fc5b871e8b3ce21f2802558fbcd1d9137b513ff6d088aba044e161cd8453983eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4854053.exe

Filesize
307KB

MD5
f7f9d37def47e802f0ae51f82cd3817d

SHA1
afa83616ba403f5dfcc8564cb21f54e785e10867

SHA256
eb11922c878d2e1a72b2e422e4cd5f77ca5827bac5834bf16bbb946503902df6

SHA512
ff80fd49052c2da4487ef80274242d6c59702bbe69c8a675d1c0545b8ae582fc5b871e8b3ce21f2802558fbcd1d9137b513ff6d088aba044e161cd8453983eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe

Filesize
168KB

MD5
2681642b4adc36c8c739f0b0e84cd235

SHA1
8dbc7b55919c2efb985b812a77189cd70b7947fb

SHA256
bd0df156efaf7ce5c58149b86e635f036b0be893569d721fe13af27dcb53f447

SHA512
a4317556fe954bf195eda17c132ff567049d83ae9484100e5936dfcb81fbf693dbc92dff7072ab1c8b73a2386c0e881ee939c61ae7dbc86db4fac74f06bd3dab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0814292.exe

Filesize
168KB

MD5
2681642b4adc36c8c739f0b0e84cd235

SHA1
8dbc7b55919c2efb985b812a77189cd70b7947fb

SHA256
bd0df156efaf7ce5c58149b86e635f036b0be893569d721fe13af27dcb53f447

SHA512
a4317556fe954bf195eda17c132ff567049d83ae9484100e5936dfcb81fbf693dbc92dff7072ab1c8b73a2386c0e881ee939c61ae7dbc86db4fac74f06bd3dab

Download Submit
memory/696-74-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/696-75-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/696-76-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/696-77-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing