redline | a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce

General

Target

a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe
Size

475KB
MD5

9b7c46ba6918e3e6a8a9962380bd9fbb
SHA1

78e438367be14d1cf684f7a329e1707c3891068d
SHA256

a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce
SHA512

586010dd85f4ce29315678d2b6579f498785c622be8e5960fadaca78d873f7f48bb1b0715deb41c8855db534a9bf6d5317b995416a9a9c0b7b807f9e18c36acd
SSDEEP

12288:NMrjy909GMJZgDcxC7e9OnJeW6BFprP0jW5CaSCY8l:iyUGMJqc07/JeW6BPkaW8l

Score

10^/10

redline dasa infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dasa

C2

83.97.73.126:19048

Attributes

auth_value
7eca6ed540c2dcd359aed5b67c4eda07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4572	x5953205.exe
4780	x4659499.exe
2200	f7627774.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5953205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5953205.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4659499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4659499.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4572	4320	a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe	84
PID 4320 wrote to memory of 4572	4320	a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe	84
PID 4320 wrote to memory of 4572	4320	a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe	84
PID 4572 wrote to memory of 4780	4572	x5953205.exe	85
PID 4572 wrote to memory of 4780	4572	x5953205.exe	85
PID 4572 wrote to memory of 4780	4572	x5953205.exe	85
PID 4780 wrote to memory of 2200	4780	x4659499.exe	86
PID 4780 wrote to memory of 2200	4780	x4659499.exe	86
PID 4780 wrote to memory of 2200	4780	x4659499.exe	86

C:\Users\Admin\AppData\Local\Temp\a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe
"C:\Users\Admin\AppData\Local\Temp\a330c7e3e99a5241fb15705e589f2f2bdd468f761cb8f13325706feef5b4f7ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5953205.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5953205.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4659499.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4659499.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7627774.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7627774.exe
      4⤵
      Executes dropped EXE
      PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5953205.exe

Filesize
378KB

MD5
5e072942d8ed3c9d18c6d3ea4079cf40

SHA1
04be998224ff79b1c64cdb0b2630317c21a04ea5

SHA256
53bf8d3032e41decf7abe66579ed2f37316887283f2d16e42dff4cfa1a97a3d4

SHA512
24cbf686b8395edfc658e17d3671aab314ffbced64de0e2b26aa8e663228d3c018f9119ba5140c0c836d6efb973df37db3bbaf017b755c256d13d4c2b4e6790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5953205.exe

Filesize
378KB

MD5
5e072942d8ed3c9d18c6d3ea4079cf40

SHA1
04be998224ff79b1c64cdb0b2630317c21a04ea5

SHA256
53bf8d3032e41decf7abe66579ed2f37316887283f2d16e42dff4cfa1a97a3d4

SHA512
24cbf686b8395edfc658e17d3671aab314ffbced64de0e2b26aa8e663228d3c018f9119ba5140c0c836d6efb973df37db3bbaf017b755c256d13d4c2b4e6790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4659499.exe

Filesize
206KB

MD5
747bed6b79ff3d24036aa5580026636e

SHA1
250792f73109419084ce757c613466e3d91526a1

SHA256
78fd67c46b5ecac801b5354c95e7a637fc46c29d04630ccb5d642fba29ef9b50

SHA512
d1835d3e6d0d4e24dcc8c9a7e2531914c50ffa41c7980ad27d7c00057e47a5886f865c691e093ad7de1b5d60893b2464bdee507c804e944dc315450afd26e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4659499.exe

Filesize
206KB

MD5
747bed6b79ff3d24036aa5580026636e

SHA1
250792f73109419084ce757c613466e3d91526a1

SHA256
78fd67c46b5ecac801b5354c95e7a637fc46c29d04630ccb5d642fba29ef9b50

SHA512
d1835d3e6d0d4e24dcc8c9a7e2531914c50ffa41c7980ad27d7c00057e47a5886f865c691e093ad7de1b5d60893b2464bdee507c804e944dc315450afd26e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7627774.exe

Filesize
172KB

MD5
562b10551ca84542d45fa521df5cb4e4

SHA1
e7817c7caaa2afa52bb2a7490978c90e7a2c6e77

SHA256
2c59fba0c80cdbd2488c895db3d95508676f62dd3091c910e9858cecf2e8b91a

SHA512
c97a59f3bbb4ac819bb8b60327047dde30360c2a04c2c4e5d175b3f4ebfa77185129dfcc9f8877efaa2e013b3bff3d946d689e4fd5e518093164577f5da94303

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7627774.exe

Filesize
172KB

MD5
562b10551ca84542d45fa521df5cb4e4

SHA1
e7817c7caaa2afa52bb2a7490978c90e7a2c6e77

SHA256
2c59fba0c80cdbd2488c895db3d95508676f62dd3091c910e9858cecf2e8b91a

SHA512
c97a59f3bbb4ac819bb8b60327047dde30360c2a04c2c4e5d175b3f4ebfa77185129dfcc9f8877efaa2e013b3bff3d946d689e4fd5e518093164577f5da94303

Download Submit
memory/2200-154-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/2200-155-0x000000000B2A0000-0x000000000B8B8000-memory.dmp

Filesize
6.1MB

Download
memory/2200-156-0x000000000ADF0000-0x000000000AEFA000-memory.dmp

Filesize
1.0MB

Download
memory/2200-157-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/2200-158-0x000000000AD90000-0x000000000ADCC000-memory.dmp

Filesize
240KB

Download
memory/2200-159-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/2200-160-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing