redline | 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795

General

Target

8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Size

760KB
MD5

13e20284ca88bd97247c9f9c7c669c29
SHA1

1b28f7a71df60402fe9fc6a49f38b17dc8501700
SHA256

8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795
SHA512

125fbb6a0d246bcaa1db02bf0943d2459f974635a8861fa8eabed9cd8c3da85377dc90be5e3b689bb42dac760ec9103d16c62a8fdd517e8712b7b907f3fb80da
SSDEEP

12288:vMrIy90pyJ0Y+YVY+ZZOR0fUBN542JHL6aQQ3n/7j3w0QKmzgboGyiM8rt3TQEN:PyoY7Zc1O2JHLp/nP3w0QKmzg5JyEN

Score

10^/10

redline dura infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dura

C2

83.97.73.127:19062

Attributes

auth_value
44b7d6fb9572dea0d64d018139c3d208

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2144	x7050235.exe
2512	x8170986.exe
4780	f0845043.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8170986.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7050235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7050235.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8170986.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2144	1804	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	66
PID 1804 wrote to memory of 2144	1804	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	66
PID 1804 wrote to memory of 2144	1804	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	66
PID 2144 wrote to memory of 2512	2144	x7050235.exe	67
PID 2144 wrote to memory of 2512	2144	x7050235.exe	67
PID 2144 wrote to memory of 2512	2144	x7050235.exe	67
PID 2512 wrote to memory of 4780	2512	x8170986.exe	68
PID 2512 wrote to memory of 4780	2512	x8170986.exe	68
PID 2512 wrote to memory of 4780	2512	x8170986.exe	68

C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
"C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe
      4⤵
      Executes dropped EXE
      PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
memory/4780-141-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/4780-142-0x0000000005A30000-0x0000000006036000-memory.dmp

Filesize
6.0MB

Download
memory/4780-143-0x0000000005590000-0x000000000569A000-memory.dmp

Filesize
1.0MB

Download
memory/4780-144-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/4780-145-0x0000000005540000-0x000000000557E000-memory.dmp

Filesize
248KB

Download
memory/4780-146-0x00000000056A0000-0x00000000056EB000-memory.dmp

Filesize
300KB

Download
memory/4780-147-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4780-148-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing