redline | c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f

General

Target

c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe
Size

578KB
MD5

432b19f49dd991ebb1feffa31cda8e31
SHA1

6f2b316d662bdd9598294370d786fa0d4af65c18
SHA256

c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f
SHA512

7bef6cc3418fa9e4253fac30ff0839bd9edb662a0a94b9809db50f63071549f0670b969ca05af991d0cfae7b14036eb02a8c33aadbe151e6e6525119238250a2
SSDEEP

12288:2Mr2y90TeUQjYTXahstEC3CI5BoA0OUelnbxzBCBNVdpjp:kyiQjhh+Pb5Botu99AV3p

Score

10^/10

redline dasa discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dasa

C2

83.97.73.126:19048

Attributes

auth_value
7eca6ed540c2dcd359aed5b67c4eda07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4036	x0594220.exe
2088	x4538667.exe
4256	f5826419.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0594220.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4538667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4538667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0594220.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe
4256	f5826419.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	f5826419.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4036	4116	c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe	66
PID 4116 wrote to memory of 4036	4116	c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe	66
PID 4116 wrote to memory of 4036	4116	c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe	66
PID 4036 wrote to memory of 2088	4036	x0594220.exe	67
PID 4036 wrote to memory of 2088	4036	x0594220.exe	67
PID 4036 wrote to memory of 2088	4036	x0594220.exe	67
PID 2088 wrote to memory of 4256	2088	x4538667.exe	68
PID 2088 wrote to memory of 4256	2088	x4538667.exe	68
PID 2088 wrote to memory of 4256	2088	x4538667.exe	68

C:\Users\Admin\AppData\Local\Temp\c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe
"C:\Users\Admin\AppData\Local\Temp\c1f65623fc190ad87b1486da20ff852fe0332a355e8c6444ac3ceac6bda8719f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0594220.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0594220.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4538667.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4538667.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5826419.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5826419.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0594220.exe

Filesize
378KB

MD5
7d11e11898170145eea0b8b03423b8cb

SHA1
a75b10734953c7d318b75096b20f8f364f0c7ce3

SHA256
6b5d5d3065e13dbbf97350307a2c8d87e5befa5629d830b046eb565e8b7600db

SHA512
6aa415cc17c3537b9ff4e1078d07fe71558f522c73a41e5ff495fc24529873b643ca918c87a4e89fd4b3902dbfb8b6ab222572b7c6f03ebd77acfc3129945910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0594220.exe

Filesize
378KB

MD5
7d11e11898170145eea0b8b03423b8cb

SHA1
a75b10734953c7d318b75096b20f8f364f0c7ce3

SHA256
6b5d5d3065e13dbbf97350307a2c8d87e5befa5629d830b046eb565e8b7600db

SHA512
6aa415cc17c3537b9ff4e1078d07fe71558f522c73a41e5ff495fc24529873b643ca918c87a4e89fd4b3902dbfb8b6ab222572b7c6f03ebd77acfc3129945910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4538667.exe

Filesize
206KB

MD5
79620ad447d11aae3ae0a885b72a997d

SHA1
348e3792482403a89ddac15f789ca3a613c43fb4

SHA256
aa5fb12f90dee17d34a16920337ee79bf00690c0698eab9339091d97da554d2f

SHA512
080f5f18329d6594b5a72deea6b2ff9df5c7b95e2b0f96bb953d0878987132f73ab588eb361d1c990aed1633ab0341b5db34ed636525ba5a78cb7486ad666ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4538667.exe

Filesize
206KB

MD5
79620ad447d11aae3ae0a885b72a997d

SHA1
348e3792482403a89ddac15f789ca3a613c43fb4

SHA256
aa5fb12f90dee17d34a16920337ee79bf00690c0698eab9339091d97da554d2f

SHA512
080f5f18329d6594b5a72deea6b2ff9df5c7b95e2b0f96bb953d0878987132f73ab588eb361d1c990aed1633ab0341b5db34ed636525ba5a78cb7486ad666ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5826419.exe

Filesize
172KB

MD5
c24ed690fb860e97bcfe1ebfd1ccd964

SHA1
1d6954cd6f28e407783ca863f20176945240f20c

SHA256
f893458a5769867766e46ae886d672f0b1cf58ec042330ddead309a3385490c4

SHA512
527f5c1f2e6d6d3184f8c2c9e65e61b8995ca435cc10da39ff26a4a4a06c52e0a3b179960fe8375a4fe2622311f01bc743c3180ede78b9785720271d732f8eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5826419.exe

Filesize
172KB

MD5
c24ed690fb860e97bcfe1ebfd1ccd964

SHA1
1d6954cd6f28e407783ca863f20176945240f20c

SHA256
f893458a5769867766e46ae886d672f0b1cf58ec042330ddead309a3385490c4

SHA512
527f5c1f2e6d6d3184f8c2c9e65e61b8995ca435cc10da39ff26a4a4a06c52e0a3b179960fe8375a4fe2622311f01bc743c3180ede78b9785720271d732f8eb9

Download Submit
memory/4256-141-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/4256-142-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download
memory/4256-143-0x00000000052E0000-0x00000000058E6000-memory.dmp

Filesize
6.0MB

Download
memory/4256-144-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4256-145-0x0000000004650000-0x0000000004662000-memory.dmp

Filesize
72KB

Download
memory/4256-146-0x0000000004B10000-0x0000000004B4E000-memory.dmp

Filesize
248KB

Download
memory/4256-147-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4256-148-0x0000000004B50000-0x0000000004B9B000-memory.dmp

Filesize
300KB

Download
memory/4256-149-0x0000000005070000-0x00000000050E6000-memory.dmp

Filesize
472KB

Download
memory/4256-150-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/4256-151-0x0000000006300000-0x00000000067FE000-memory.dmp

Filesize
5.0MB

Download
memory/4256-152-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/4256-153-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4256-154-0x0000000005C40000-0x0000000005C90000-memory.dmp

Filesize
320KB

Download
memory/4256-155-0x0000000006800000-0x00000000069C2000-memory.dmp

Filesize
1.8MB

Download
memory/4256-156-0x0000000008580000-0x0000000008AAC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing