redline | 2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed

General

Target

2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
Size

566KB
MD5

a5b6eddb60e381c69421ee60b28b68f2
SHA1

996a54f8833c380082d0af5667dfedc256e66248
SHA256

2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed
SHA512

fbdc26ea54b91dbf419e5330e2dc97b376ac11dd219f80910ab3284a77dab8d497a7b41cbc1e083918834eb5b72b4e82303e02df595bd0aa59755b882194f6e9
SSDEEP

12288:uMrty90Tkg9FqMeMk0cxSRfgToTHRm6oLtQ9MchnG:rye1ob0QSKTUF6RchG

Score

10^/10

redline darm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
856	y5620419.exe
1276	k0416647.exe

Loads dropped DLL 4 IoCs

pid	Process
920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
856	y5620419.exe
856	y5620419.exe
1276	k0416647.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5620419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5620419.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 920 wrote to memory of 856	920	2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe	28
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29
PID 856 wrote to memory of 1276	856	y5620419.exe	29

C:\Users\Admin\AppData\Local\Temp\2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe
"C:\Users\Admin\AppData\Local\Temp\2c90cae133dd907c23b102bda785d4f4a3d7ee3613ccc0630930386dc23c4fed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5620419.exe

Filesize
307KB

MD5
0611e33493dd493a696042fa98ee2264

SHA1
424e1c5611609b0f4a21791824dbc57c56c4cf36

SHA256
35bf5bf55b720ce17865617c61d4a6f93714f8d5c0cede6112a65aadd4d9a99c

SHA512
1c55b22a6cec4784d44d702e0d81a6ef1d2fea99be3d4605499c4bdf0de6cc765229e5807c80e50b547d44977ce375280fcfff3a955021762a7dc47349f971a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0416647.exe

Filesize
168KB

MD5
812e59d43de4456c4c99d1f829a36888

SHA1
268810deb1d4b32a751c64a15653588355309486

SHA256
d6879b2db708483bbbdb9aedb3fa8d4ec0f586dadd33610a10b4e2449a5b777d

SHA512
819482a28efb00c94ccb5b7e92a7a32602f25213886319759bafed60ab56734885c2396bfd823302790996caf284c487198a6942b2e9de34c452c8ea200f9188

Download Submit
memory/1276-74-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/1276-75-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1276-76-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1276-77-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing