redline | 9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a

General

Target

9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe
Size

1.0MB
MD5

9d5919817704bc815b61b3598bd9aa42
SHA1

1700742fdd8c1e2fd31edb20140fa41fc777f5c4
SHA256

9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a
SHA512

052afd1ae91b6134aacc1bd8c9d967540a2e433cc8d53bf5d78eb0c0e75f03d8efae519e313fb9cc609e02443a50446ce1abe29ae5509495c6183bc35f11f70f
SSDEEP

12288:tMrpy90oGwOeg93h+5mKH/hgeMrGVE/UEhJ1J3tx3/NaUSwSHUNkhCVjm6RNMqq1:EyMSmKIK83t91aUSZH8khCfRTidCwJ

Score

10^/10

redline deren infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

deren

C2

77.91.68.253:19065

Attributes

auth_value
04a169f1fb198bfbeca74d0e06ea2d54

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4780	x4059314.exe
2664	x1858401.exe
4732	f1137394.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4059314.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1858401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1858401.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4059314.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4780	4800	9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe	81
PID 4800 wrote to memory of 4780	4800	9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe	81
PID 4800 wrote to memory of 4780	4800	9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe	81
PID 4780 wrote to memory of 2664	4780	x4059314.exe	82
PID 4780 wrote to memory of 2664	4780	x4059314.exe	82
PID 4780 wrote to memory of 2664	4780	x4059314.exe	82
PID 2664 wrote to memory of 4732	2664	x1858401.exe	83
PID 2664 wrote to memory of 4732	2664	x1858401.exe	83
PID 2664 wrote to memory of 4732	2664	x1858401.exe	83

C:\Users\Admin\AppData\Local\Temp\9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe
"C:\Users\Admin\AppData\Local\Temp\9dfed59017ce0e8acb51c17b2f59f490f9676898c63399954d7eb87ab724fd2a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4059314.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4059314.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1858401.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1858401.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1137394.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1137394.exe
      4⤵
      Executes dropped EXE
      PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4059314.exe

Filesize
751KB

MD5
9998529cb597de4d2e02ce48dabb8f60

SHA1
15a09b670b5a176c3267c6274d5bb750dae89397

SHA256
3809161625a843ee52f99cd046aff16c2d95162807d3031355e5b5f85dd3f748

SHA512
0b9c6a59f25c67c705fb5c3469b2c647efc05563b0105f980c64eef12c1d4dd4cf6a797975d9d2bb0d6e90c7907b94f209698d2024ffe01885431264e2e9d78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4059314.exe

Filesize
751KB

MD5
9998529cb597de4d2e02ce48dabb8f60

SHA1
15a09b670b5a176c3267c6274d5bb750dae89397

SHA256
3809161625a843ee52f99cd046aff16c2d95162807d3031355e5b5f85dd3f748

SHA512
0b9c6a59f25c67c705fb5c3469b2c647efc05563b0105f980c64eef12c1d4dd4cf6a797975d9d2bb0d6e90c7907b94f209698d2024ffe01885431264e2e9d78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1858401.exe

Filesize
306KB

MD5
8488f525ec9b638940bfe5134d0939cd

SHA1
c8583531ca14b362474b5ee5d0c0f3fa6b49fd43

SHA256
a162e92689eba676aca42afa07bf1151ab7ef1a1810aeb4a00f357efd55ec974

SHA512
baa8b2424dfa8d9882e60004997748bc8604cb30404137a47f4efdf726d49eb84f62f301184a0022ea9c14362e87f229874044ce6ec297a700a41db2278ef02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1858401.exe

Filesize
306KB

MD5
8488f525ec9b638940bfe5134d0939cd

SHA1
c8583531ca14b362474b5ee5d0c0f3fa6b49fd43

SHA256
a162e92689eba676aca42afa07bf1151ab7ef1a1810aeb4a00f357efd55ec974

SHA512
baa8b2424dfa8d9882e60004997748bc8604cb30404137a47f4efdf726d49eb84f62f301184a0022ea9c14362e87f229874044ce6ec297a700a41db2278ef02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1137394.exe

Filesize
145KB

MD5
0718270eed7be56d88d34133695080f6

SHA1
ceb9877252dde767674ef8fc08740a49ce0f4916

SHA256
37fc828691b5c454559fb189ae16e426ec93cedc572479e0074925511b4c5964

SHA512
110f3cbe3a4326f2fde7b0cb3c03123225e3905b5c1f28bd3445225537d77d659497c07ba1cfe4cf23a354ab711e42b6feaed7ab45e1267fea48273cd2ff5946

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1137394.exe

Filesize
145KB

MD5
0718270eed7be56d88d34133695080f6

SHA1
ceb9877252dde767674ef8fc08740a49ce0f4916

SHA256
37fc828691b5c454559fb189ae16e426ec93cedc572479e0074925511b4c5964

SHA512
110f3cbe3a4326f2fde7b0cb3c03123225e3905b5c1f28bd3445225537d77d659497c07ba1cfe4cf23a354ab711e42b6feaed7ab45e1267fea48273cd2ff5946

Download Submit
memory/4732-154-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/4732-155-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/4732-156-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/4732-157-0x0000000004D20000-0x0000000004D32000-memory.dmp

Filesize
72KB

Download
memory/4732-158-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/4732-159-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4732-160-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing