redline | 0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef

General

Target

0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
Size

1.1MB
MD5

540d13527238f444eafe19b39ebba972
SHA1

c08f66cb8d4890250a3565f176f022533db626e3
SHA256

0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef
SHA512

907cee6afd970cecfb6f2756932c353c4f889e045fb0ebaf448a6888675dcfb72a3a50338939fe62e0f0aa8196aaf0cecbd9f33a1ffd771aa250908ba94319b8
SSDEEP

24576:ayNGNvIKIcX8X3B8S6wpYKtJCicwAKQT46Nx9pJ:hawYsX3uCYKt5cKv+zp

Score

10^/10

redline desto infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

desto

C2

185.161.248.75:4132

Attributes

auth_value
9170d4ae7d11eaa24684a71b73bf9c86

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2732	x1137707.exe
3884	x7129494.exe
3524	f8994510.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1137707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1137707.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7129494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7129494.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 2732	1000	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	82
PID 1000 wrote to memory of 2732	1000	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	82
PID 1000 wrote to memory of 2732	1000	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	82
PID 2732 wrote to memory of 3884	2732	x1137707.exe	83
PID 2732 wrote to memory of 3884	2732	x1137707.exe	83
PID 2732 wrote to memory of 3884	2732	x1137707.exe	83
PID 3884 wrote to memory of 3524	3884	x7129494.exe	84
PID 3884 wrote to memory of 3524	3884	x7129494.exe	84
PID 3884 wrote to memory of 3524	3884	x7129494.exe	84

C:\Users\Admin\AppData\Local\Temp\0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
"C:\Users\Admin\AppData\Local\Temp\0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe
      4⤵
      Executes dropped EXE
      PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
memory/3524-154-0x0000000000600000-0x000000000062A000-memory.dmp

Filesize
168KB

Download
memory/3524-155-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/3524-156-0x0000000004F60000-0x000000000506A000-memory.dmp

Filesize
1.0MB

Download
memory/3524-157-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/3524-158-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/3524-159-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3524-160-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing