redline | 0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004

General

Target

0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe
Size

753KB
MD5

cfbf7b53776fb1d6607a36893c41e762
SHA1

73a2d3e265dc1d600a6f106c3341f1a06d44062c
SHA256

0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004
SHA512

55b09a8aadb2b060cfbacadc554471ebb6062961a63ceaf663551354701b899a6a17a094b02e7c61d24a0ea86195f310be9a5987bdf3a8afe2101a0baeae8733
SSDEEP

12288:fMr/y90kF5Ie0Z5xiEoJNYiiRScK3+hLktm65k+/tPfcmqmRrFaYp7hfE1/+Rgx6:YyC0iKrk+/tcrmRrYYptE1igx6

Score

10^/10

redline dars infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dars

C2

83.97.73.127:19045

Attributes

auth_value
7cd208e6b6c927262304d5d4d88647fd

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2444	x5504876.exe
2524	x9258075.exe
2124	f6904395.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5504876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5504876.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9258075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9258075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2444	2200	0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe	66
PID 2200 wrote to memory of 2444	2200	0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe	66
PID 2200 wrote to memory of 2444	2200	0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe	66
PID 2444 wrote to memory of 2524	2444	x5504876.exe	67
PID 2444 wrote to memory of 2524	2444	x5504876.exe	67
PID 2444 wrote to memory of 2524	2444	x5504876.exe	67
PID 2524 wrote to memory of 2124	2524	x9258075.exe	68
PID 2524 wrote to memory of 2124	2524	x9258075.exe	68
PID 2524 wrote to memory of 2124	2524	x9258075.exe	68

C:\Users\Admin\AppData\Local\Temp\0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe
"C:\Users\Admin\AppData\Local\Temp\0eac485b62b8f701681ee1cced4d78d297727b29096209d5ea6d70ac73089004.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5504876.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5504876.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9258075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9258075.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6904395.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6904395.exe
      4⤵
      Executes dropped EXE
      PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5504876.exe

Filesize
445KB

MD5
f267b7f08be4cca0672c8625c6730853

SHA1
8461d2b252b48f22b1fc8266a288dda6ea4d3d14

SHA256
b15e026ffd5c5e28512811ff36d83720d44476350d076384f0918c696084c8e0

SHA512
5028e6fa4d347954547122e40663cb7fe240e8470bed70690f7f7ea1a1524b5b00b361cee747c803d0d21dbeacf0fa5482adfb1662741f9c29a70d123b39feb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5504876.exe

Filesize
445KB

MD5
f267b7f08be4cca0672c8625c6730853

SHA1
8461d2b252b48f22b1fc8266a288dda6ea4d3d14

SHA256
b15e026ffd5c5e28512811ff36d83720d44476350d076384f0918c696084c8e0

SHA512
5028e6fa4d347954547122e40663cb7fe240e8470bed70690f7f7ea1a1524b5b00b361cee747c803d0d21dbeacf0fa5482adfb1662741f9c29a70d123b39feb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9258075.exe

Filesize
274KB

MD5
d0d4d73be00ec05e8e477c318d95a6ae

SHA1
dd81be817b4fc096dafa717b09356baabdcb2133

SHA256
a02b70eb408f48d16b6de367d0e84b2ba5160356bcee8fec55caba2d6fc57440

SHA512
8c2aeacd88225deae45f194295727db630721f6ad7405ce944ff1ce2ab5c79ed9994af9e877a8bd2ce100cd1856aebb7c4a40271ede305246293cd592a0baf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9258075.exe

Filesize
274KB

MD5
d0d4d73be00ec05e8e477c318d95a6ae

SHA1
dd81be817b4fc096dafa717b09356baabdcb2133

SHA256
a02b70eb408f48d16b6de367d0e84b2ba5160356bcee8fec55caba2d6fc57440

SHA512
8c2aeacd88225deae45f194295727db630721f6ad7405ce944ff1ce2ab5c79ed9994af9e877a8bd2ce100cd1856aebb7c4a40271ede305246293cd592a0baf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6904395.exe

Filesize
168KB

MD5
a437cc39d8c83914b6030dfb4c3f1858

SHA1
660dcc40c9014d80051de56b624df1bc980a65e6

SHA256
8eea22b05042ed9dd5c07385016c4738ee4d3cb626e07bd390745bb5105d9f87

SHA512
3dd3f174bf2a355b00164df7b555e99b8a37ae41a14a51a4f7c32239ad54a6440dd3ea2f89eeef49b5df4032a1bedf7e24bc8d3dd55480c0863640b73255bcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6904395.exe

Filesize
168KB

MD5
a437cc39d8c83914b6030dfb4c3f1858

SHA1
660dcc40c9014d80051de56b624df1bc980a65e6

SHA256
8eea22b05042ed9dd5c07385016c4738ee4d3cb626e07bd390745bb5105d9f87

SHA512
3dd3f174bf2a355b00164df7b555e99b8a37ae41a14a51a4f7c32239ad54a6440dd3ea2f89eeef49b5df4032a1bedf7e24bc8d3dd55480c0863640b73255bcee

Download Submit
memory/2124-142-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/2124-143-0x0000000002670000-0x0000000002676000-memory.dmp

Filesize
24KB

Download
memory/2124-144-0x000000000A690000-0x000000000AC96000-memory.dmp

Filesize
6.0MB

Download
memory/2124-145-0x000000000A190000-0x000000000A29A000-memory.dmp

Filesize
1.0MB

Download
memory/2124-146-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2124-147-0x000000000A0C0000-0x000000000A0FE000-memory.dmp

Filesize
248KB

Download
memory/2124-148-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2124-149-0x000000000A100000-0x000000000A14B000-memory.dmp

Filesize
300KB

Download
memory/2124-150-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing