redline | 177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793

General

Target

177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
Size

567KB
MD5

9997fd3175f50c1e35624662175bdbd6
SHA1

34ba74cf508783b78f63dd70c791b8aad0dca1bb
SHA256

177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793
SHA512

477b5b154f7e0ad8babadd13755af0aaed4ce23180cfa0fd03c752e7272e88f16bba233f80b8987c325d31fbcf74ded1a81dee0088970fbf6ac8bdf10753b81c
SSDEEP

12288:5MrZy90GIn3fD4C9ePFiV0BgJm6iWGcZPi4RS4hT8UBlu:Yyk3fDDec0BgE6iWXZqMSsTnS

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1672	y4627860.exe
1888	k7380175.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
1672	y4627860.exe
1672	y4627860.exe
1888	k7380175.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4627860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4627860.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 2036 wrote to memory of 1672	2036	177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe	28
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29
PID 1672 wrote to memory of 1888	1672	y4627860.exe	29

C:\Users\Admin\AppData\Local\Temp\177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe
"C:\Users\Admin\AppData\Local\Temp\177397ad62413fc008bd3836d10109abed11c001b42bb4be9d359be2ebb05793.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe

Filesize
308KB

MD5
6f9028d26c741abbf8025a7adf0d80ae

SHA1
c8886b8da83ecf31be49b7cd164912e9031ea158

SHA256
1368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8

SHA512
16dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe

Filesize
308KB

MD5
6f9028d26c741abbf8025a7adf0d80ae

SHA1
c8886b8da83ecf31be49b7cd164912e9031ea158

SHA256
1368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8

SHA512
16dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe

Filesize
168KB

MD5
dcbce19930d7abe573cd3c797ed0bfba

SHA1
dbded78b656816c7b2c1ba7e185b3952f7c6eb6d

SHA256
1f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4

SHA512
761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe

Filesize
168KB

MD5
dcbce19930d7abe573cd3c797ed0bfba

SHA1
dbded78b656816c7b2c1ba7e185b3952f7c6eb6d

SHA256
1f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4

SHA512
761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe

Filesize
308KB

MD5
6f9028d26c741abbf8025a7adf0d80ae

SHA1
c8886b8da83ecf31be49b7cd164912e9031ea158

SHA256
1368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8

SHA512
16dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4627860.exe

Filesize
308KB

MD5
6f9028d26c741abbf8025a7adf0d80ae

SHA1
c8886b8da83ecf31be49b7cd164912e9031ea158

SHA256
1368316846cca9f75a41f98b82ca73c7777f3aa13337308d54893fd18bb8ffc8

SHA512
16dcf7f1365e911ae7d523cf5a416f3b4275b67b7b31d34dbbac03876a8614c89826df4e940e9e2c88fb4171f914de8930bde2fac344020af96a2c8addfc65cc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe

Filesize
168KB

MD5
dcbce19930d7abe573cd3c797ed0bfba

SHA1
dbded78b656816c7b2c1ba7e185b3952f7c6eb6d

SHA256
1f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4

SHA512
761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7380175.exe

Filesize
168KB

MD5
dcbce19930d7abe573cd3c797ed0bfba

SHA1
dbded78b656816c7b2c1ba7e185b3952f7c6eb6d

SHA256
1f45227a3178875c6740a85595b72fb981863aa70e103ea6284a9d4a4fead2d4

SHA512
761756723189f0fa97d35470f99d80f4c48f1ba066a2b64fa8a9b6b6aa582998537fd4efabb8920f807f729367f1f6b8dd8da5bfcfe441ceccddff0ceed39fd6

Download Submit
memory/1888-74-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/1888-75-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1888-76-0x0000000004520000-0x0000000004560000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing