redline | 21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a

General

Target

21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe
Size

603KB
MD5

dbd41de51fa0b6bf5b6f06f5210711ac
SHA1

4f2cb6a2be53509de07b383e741799190224ca29
SHA256

21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a
SHA512

56f20633bad77f3d5b10f0d0480ae013bf3081c42c71315d43db378cb29950f5137a8e2e3c0323ce2dfe34fa1fd3f7d309b5a3452e961a5e31fb691b5b6f6887
SSDEEP

12288:WMrcy90qs7TwBiuxSTQH3b/3038u5xAMgxgnFGjAu1+pG:WyMABiarrP01vAPx8GjAuOG

Score

10^/10

redline daris infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

auth_value
3491f24ae0250969cd45ce4b3fe77549

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1700	y9346428.exe
980	k2831189.exe

Loads dropped DLL 4 IoCs

pid	Process
1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe
1700	y9346428.exe
1700	y9346428.exe
980	k2831189.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9346428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9346428.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1376 wrote to memory of 1700	1376	21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe	28
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29
PID 1700 wrote to memory of 980	1700	y9346428.exe	29

C:\Users\Admin\AppData\Local\Temp\21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe
"C:\Users\Admin\AppData\Local\Temp\21c99f5b83a1a9e45d9b02a6d2ed7e22217058de5521684ed9cf363f88922e9a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe

Filesize
308KB

MD5
62ea72480cbdf7dcaaf0ac4549bdbc8e

SHA1
081494486a812dba651f2e0c88249812346dbc06

SHA256
c111acb357a5a230bbe021a92574e1a005f985ba7d9db1d9dbfb9dd69931f504

SHA512
40747bf145bd01a4306a8448908d74dbdffacf54c9900fb8763ae23ee8c3b85d08e12078746212a2144a587b70d5da700b179b14873adb2ce7ff4c36fd185644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe

Filesize
308KB

MD5
62ea72480cbdf7dcaaf0ac4549bdbc8e

SHA1
081494486a812dba651f2e0c88249812346dbc06

SHA256
c111acb357a5a230bbe021a92574e1a005f985ba7d9db1d9dbfb9dd69931f504

SHA512
40747bf145bd01a4306a8448908d74dbdffacf54c9900fb8763ae23ee8c3b85d08e12078746212a2144a587b70d5da700b179b14873adb2ce7ff4c36fd185644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe

Filesize
168KB

MD5
2a830cfebe2fb92d719e06a54de9616e

SHA1
6cfc7876d72d043446c8597b3bad5708db197982

SHA256
591959232a3dc35c8246014cf14ac5d6ec23acef1844266631603452c8ae2642

SHA512
3bd6da73ace04446bd6d6637680c85a3f22442aa1733f74a839f01e4af7d07f6edc0ff112ff272915c9e65d1a5b85c07e6a3dc4f7ce730571eac3626a19ec042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe

Filesize
168KB

MD5
2a830cfebe2fb92d719e06a54de9616e

SHA1
6cfc7876d72d043446c8597b3bad5708db197982

SHA256
591959232a3dc35c8246014cf14ac5d6ec23acef1844266631603452c8ae2642

SHA512
3bd6da73ace04446bd6d6637680c85a3f22442aa1733f74a839f01e4af7d07f6edc0ff112ff272915c9e65d1a5b85c07e6a3dc4f7ce730571eac3626a19ec042

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe

Filesize
308KB

MD5
62ea72480cbdf7dcaaf0ac4549bdbc8e

SHA1
081494486a812dba651f2e0c88249812346dbc06

SHA256
c111acb357a5a230bbe021a92574e1a005f985ba7d9db1d9dbfb9dd69931f504

SHA512
40747bf145bd01a4306a8448908d74dbdffacf54c9900fb8763ae23ee8c3b85d08e12078746212a2144a587b70d5da700b179b14873adb2ce7ff4c36fd185644

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9346428.exe

Filesize
308KB

MD5
62ea72480cbdf7dcaaf0ac4549bdbc8e

SHA1
081494486a812dba651f2e0c88249812346dbc06

SHA256
c111acb357a5a230bbe021a92574e1a005f985ba7d9db1d9dbfb9dd69931f504

SHA512
40747bf145bd01a4306a8448908d74dbdffacf54c9900fb8763ae23ee8c3b85d08e12078746212a2144a587b70d5da700b179b14873adb2ce7ff4c36fd185644

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe

Filesize
168KB

MD5
2a830cfebe2fb92d719e06a54de9616e

SHA1
6cfc7876d72d043446c8597b3bad5708db197982

SHA256
591959232a3dc35c8246014cf14ac5d6ec23acef1844266631603452c8ae2642

SHA512
3bd6da73ace04446bd6d6637680c85a3f22442aa1733f74a839f01e4af7d07f6edc0ff112ff272915c9e65d1a5b85c07e6a3dc4f7ce730571eac3626a19ec042

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2831189.exe

Filesize
168KB

MD5
2a830cfebe2fb92d719e06a54de9616e

SHA1
6cfc7876d72d043446c8597b3bad5708db197982

SHA256
591959232a3dc35c8246014cf14ac5d6ec23acef1844266631603452c8ae2642

SHA512
3bd6da73ace04446bd6d6637680c85a3f22442aa1733f74a839f01e4af7d07f6edc0ff112ff272915c9e65d1a5b85c07e6a3dc4f7ce730571eac3626a19ec042

Download Submit
memory/980-74-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/980-75-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/980-76-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/980-77-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing