redline | 1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f

General

Target

1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe
Size

643KB
MD5

6f562811f9e2b48e8d1c2e4a1ee454a9
SHA1

9ece8dc06ed22ae61bc91cc54f406cdc587828ab
SHA256

1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f
SHA512

c262927b45e9cbe40087b4303192bd82d9e6914ddd7c9410c641099602c7d87dd88a99648272c0ad5db336b07158b1d73a153e2499426f7e9cff690ed900b377
SSDEEP

12288:VMr3y90ko1v6FpTV+3oCexcSZGIa5RaujYGwvMOvtaFiqyU2U:yy61v6HxHC0cSZkTauQaoa

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1440	x7752826.exe
1784	g3913895.exe

Loads dropped DLL 4 IoCs

pid	Process
1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe
1440	x7752826.exe
1440	x7752826.exe
1784	g3913895.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7752826.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7752826.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1124 wrote to memory of 1440	1124	1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe	28
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29
PID 1440 wrote to memory of 1784	1440	x7752826.exe	29

C:\Users\Admin\AppData\Local\Temp\1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe
"C:\Users\Admin\AppData\Local\Temp\1ea36e1bb2e4c1b9f15e19adbcc7443ccb74b272820551b9f7672dc3b2ab2e5f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe

Filesize
384KB

MD5
5db7a6afd7bf8d92f74aa9379fb32045

SHA1
5c45ddd6f7e3ee21a725126e4e1ac3f1868a7bc9

SHA256
12cee0ec995e26c6899d19aa329a0dc29e352994047a15a940f495abbffaf231

SHA512
d177de7b9effd4cfc2ecb95a5c1df3acc0852f8d73566dd4f059cb7f85f03a70e6c5ed6365734c6497c3b43444ed13798d86dc71ecaba091946728a0c899ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe

Filesize
384KB

MD5
5db7a6afd7bf8d92f74aa9379fb32045

SHA1
5c45ddd6f7e3ee21a725126e4e1ac3f1868a7bc9

SHA256
12cee0ec995e26c6899d19aa329a0dc29e352994047a15a940f495abbffaf231

SHA512
d177de7b9effd4cfc2ecb95a5c1df3acc0852f8d73566dd4f059cb7f85f03a70e6c5ed6365734c6497c3b43444ed13798d86dc71ecaba091946728a0c899ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe

Filesize
168KB

MD5
a5b031a9ccab62ba5f61aa50a88a3f67

SHA1
3d41b982726069cc55d0166404c41bab3274d397

SHA256
089a88f0aa686836d23ebf5edbdc25d681857a401f020ea35511deb87a2f2e03

SHA512
5da29a2f48b00c3300478c6287942115091828a5c93f2e2ab99c03ea107a5e9195bb7e0f9b742f50762e10ce9a8dfd586a3290c1a0d00419b9c9dac0a2a0c785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe

Filesize
168KB

MD5
a5b031a9ccab62ba5f61aa50a88a3f67

SHA1
3d41b982726069cc55d0166404c41bab3274d397

SHA256
089a88f0aa686836d23ebf5edbdc25d681857a401f020ea35511deb87a2f2e03

SHA512
5da29a2f48b00c3300478c6287942115091828a5c93f2e2ab99c03ea107a5e9195bb7e0f9b742f50762e10ce9a8dfd586a3290c1a0d00419b9c9dac0a2a0c785

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe

Filesize
384KB

MD5
5db7a6afd7bf8d92f74aa9379fb32045

SHA1
5c45ddd6f7e3ee21a725126e4e1ac3f1868a7bc9

SHA256
12cee0ec995e26c6899d19aa329a0dc29e352994047a15a940f495abbffaf231

SHA512
d177de7b9effd4cfc2ecb95a5c1df3acc0852f8d73566dd4f059cb7f85f03a70e6c5ed6365734c6497c3b43444ed13798d86dc71ecaba091946728a0c899ff30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7752826.exe

Filesize
384KB

MD5
5db7a6afd7bf8d92f74aa9379fb32045

SHA1
5c45ddd6f7e3ee21a725126e4e1ac3f1868a7bc9

SHA256
12cee0ec995e26c6899d19aa329a0dc29e352994047a15a940f495abbffaf231

SHA512
d177de7b9effd4cfc2ecb95a5c1df3acc0852f8d73566dd4f059cb7f85f03a70e6c5ed6365734c6497c3b43444ed13798d86dc71ecaba091946728a0c899ff30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe

Filesize
168KB

MD5
a5b031a9ccab62ba5f61aa50a88a3f67

SHA1
3d41b982726069cc55d0166404c41bab3274d397

SHA256
089a88f0aa686836d23ebf5edbdc25d681857a401f020ea35511deb87a2f2e03

SHA512
5da29a2f48b00c3300478c6287942115091828a5c93f2e2ab99c03ea107a5e9195bb7e0f9b742f50762e10ce9a8dfd586a3290c1a0d00419b9c9dac0a2a0c785

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g3913895.exe

Filesize
168KB

MD5
a5b031a9ccab62ba5f61aa50a88a3f67

SHA1
3d41b982726069cc55d0166404c41bab3274d397

SHA256
089a88f0aa686836d23ebf5edbdc25d681857a401f020ea35511deb87a2f2e03

SHA512
5da29a2f48b00c3300478c6287942115091828a5c93f2e2ab99c03ea107a5e9195bb7e0f9b742f50762e10ce9a8dfd586a3290c1a0d00419b9c9dac0a2a0c785

Download Submit
memory/1784-74-0x0000000001360000-0x0000000001390000-memory.dmp

Filesize
192KB

Download
memory/1784-75-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1784-76-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download
memory/1784-77-0x00000000050C0000-0x0000000005100000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing