redline | d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331

General

Target

d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe
Size

576KB
MD5

1a4b23f904b79a5e52856ef40844e34a
SHA1

05eaa04207138cfce00b9037a0bf4a9ee14340f5
SHA256

d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331
SHA512

536d18a8c4782c50317d7536dde8e28cb3e6f4ba440f22d10bd8d19c5f1be3eab2163cbe6cb5a9c7023d91d20a65cefc0ee941bc26c49fabeb62760f4fa6ae94
SSDEEP

12288:HMr+y907eEl/OQ/HOxEhw7J/OLoYBIi8rEhUDRqgXIef:NyCZHhw74LRBIdA6

Score

10^/10

redline dana infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dana

C2

83.97.73.130:19061

Attributes

auth_value
da2d1691db653e49676d799e1eae2673

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1728	x5490145.exe
1252	x7263370.exe
1084	f0380719.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5490145.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5490145.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7263370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7263370.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1728	1764	d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe	86
PID 1764 wrote to memory of 1728	1764	d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe	86
PID 1764 wrote to memory of 1728	1764	d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe	86
PID 1728 wrote to memory of 1252	1728	x5490145.exe	87
PID 1728 wrote to memory of 1252	1728	x5490145.exe	87
PID 1728 wrote to memory of 1252	1728	x5490145.exe	87
PID 1252 wrote to memory of 1084	1252	x7263370.exe	88
PID 1252 wrote to memory of 1084	1252	x7263370.exe	88
PID 1252 wrote to memory of 1084	1252	x7263370.exe	88

C:\Users\Admin\AppData\Local\Temp\d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe
"C:\Users\Admin\AppData\Local\Temp\d8e93551bc64022d36892f187c094bb7c72fdfd474efd59d671abb2ebe9e6331.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5490145.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5490145.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7263370.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7263370.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0380719.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0380719.exe
      4⤵
      Executes dropped EXE
      PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5490145.exe

Filesize
377KB

MD5
4132aa6487bb41466850a7863a144504

SHA1
4510d2ba8e600e46c4f5dc55fe316221f4942cb0

SHA256
0f5280943bf4b9e4cf4a955fd98bd2ee9ad91303b39bac107606c61eb9c92e0c

SHA512
bce9901424777b6e2a3a0df57eab6d030a0ee5e0cf7e9ef515b3a206f745f7d6ba4daac2938ff1f5491f72fb2f84606e0ff903177979b413ba74cccbc75f359b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5490145.exe

Filesize
377KB

MD5
4132aa6487bb41466850a7863a144504

SHA1
4510d2ba8e600e46c4f5dc55fe316221f4942cb0

SHA256
0f5280943bf4b9e4cf4a955fd98bd2ee9ad91303b39bac107606c61eb9c92e0c

SHA512
bce9901424777b6e2a3a0df57eab6d030a0ee5e0cf7e9ef515b3a206f745f7d6ba4daac2938ff1f5491f72fb2f84606e0ff903177979b413ba74cccbc75f359b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7263370.exe

Filesize
206KB

MD5
3696c4b752044d586ca53810e3b428fa

SHA1
4df48287fd601cb01e52b05d154fe0c52c0a635e

SHA256
2b56cf3b78aea930a3d9ebc8e4e62c6f58de756eff35949dcb0e91d217df01b3

SHA512
10b84f42a3364bd4dba46a2a9aab55b593b8bcd88e42e9fee0a1fc6f771ae7e169342e96b472b6db87571e728849efdb0d9f0ee3c95669c50179ff25ea6e9fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7263370.exe

Filesize
206KB

MD5
3696c4b752044d586ca53810e3b428fa

SHA1
4df48287fd601cb01e52b05d154fe0c52c0a635e

SHA256
2b56cf3b78aea930a3d9ebc8e4e62c6f58de756eff35949dcb0e91d217df01b3

SHA512
10b84f42a3364bd4dba46a2a9aab55b593b8bcd88e42e9fee0a1fc6f771ae7e169342e96b472b6db87571e728849efdb0d9f0ee3c95669c50179ff25ea6e9fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0380719.exe

Filesize
172KB

MD5
12239c38403930245d164197dde5b9ba

SHA1
cebbf5693bf5c218769d6c67e84d46ffffa22384

SHA256
3c2236a75a764d2cfe94a33d48570ee1eba0659c39873ca6a56190b4dc84ceeb

SHA512
837fc93ea9ae151f3d67596cb774ffa4b51be87b7c2484575b9d98dc9c21fd7ff810ca8fb3d6f67c181b5bfb359126a99e3f5f4af29318701cbe4c59490c4fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0380719.exe

Filesize
172KB

MD5
12239c38403930245d164197dde5b9ba

SHA1
cebbf5693bf5c218769d6c67e84d46ffffa22384

SHA256
3c2236a75a764d2cfe94a33d48570ee1eba0659c39873ca6a56190b4dc84ceeb

SHA512
837fc93ea9ae151f3d67596cb774ffa4b51be87b7c2484575b9d98dc9c21fd7ff810ca8fb3d6f67c181b5bfb359126a99e3f5f4af29318701cbe4c59490c4fee

Download Submit
memory/1084-154-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download
memory/1084-155-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/1084-156-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/1084-157-0x0000000005400000-0x0000000005412000-memory.dmp

Filesize
72KB

Download
memory/1084-158-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1084-159-0x0000000005460000-0x000000000549C000-memory.dmp

Filesize
240KB

Download
memory/1084-160-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing