redline | 7fd190439f0ae37e1f774f163eaa9d28a826b8834f3978882222a63d9d220f23

General

Target

26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
Size

1.3MB
MD5

5461b2ea5f397c9dffba0bf58e4b4a77
SHA1

4aa5824c71de814f76a2c18f0ebccc0d47d1269f
SHA256

26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae
SHA512

d7d79de2545ef38d463b3c3d75f1bf7267727f5fcf35fa183cf2fe2b529b58a96ca5e436f08fb3684c3651b6fd690215578eece22f693d323b69f6811dc45c36
SSDEEP

24576:bE47kOUEfJvETlpqftmHioiS+yvk3RZAdBbVTb34k30/8dRi9:bEq5PfJvExMftmHzO0khZApykji9

Score

10^/10

redline kira infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

kira

C2

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1184	x7197568.exe
4612	f7319018.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7197568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7197568.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 1184	4404	26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe	86
PID 4404 wrote to memory of 1184	4404	26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe	86
PID 4404 wrote to memory of 1184	4404	26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe	86
PID 1184 wrote to memory of 4612	1184	x7197568.exe	87
PID 1184 wrote to memory of 4612	1184	x7197568.exe	87
PID 1184 wrote to memory of 4612	1184	x7197568.exe	87

C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe
"C:\Users\Admin\AppData\Local\Temp\26bc3d8b0c6cd099d29f18e481d101c5be5b49db9655a0eb2cc339f9721b77ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe
    3⤵
    - Executes dropped EXE
    PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe

Filesize
756KB

MD5
7bd52f7aa7fb6e628532aa133ff46483

SHA1
535f08698bc5fe0ed57736f0dec1c49eac2a9560

SHA256
23804d67a2f3c169da6516bed1292569cd8a17af0a9b82eeb79135f6bec94416

SHA512
40223bcc8060efa0a7bc3e62a25efd8288d14d8d87f6ad1440203e9ad89c5b4dbc426fd2ba8e0e1d6a8738ac0866599d3113f21e842d21505c21e1070f333a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7197568.exe

Filesize
756KB

MD5
7bd52f7aa7fb6e628532aa133ff46483

SHA1
535f08698bc5fe0ed57736f0dec1c49eac2a9560

SHA256
23804d67a2f3c169da6516bed1292569cd8a17af0a9b82eeb79135f6bec94416

SHA512
40223bcc8060efa0a7bc3e62a25efd8288d14d8d87f6ad1440203e9ad89c5b4dbc426fd2ba8e0e1d6a8738ac0866599d3113f21e842d21505c21e1070f333a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe

Filesize
692KB

MD5
db0b619826f21030c82c49d4f1ea1e5d

SHA1
b971a2c5541531164c6d6dfee7a181a401b84585

SHA256
6c022922112f4ab96084f61dd11641dbe24a678dab84ed4524a0adee35012635

SHA512
17c25903f9af0b2cdfaa65d039eac8d4806da79e383bc2a405e1e6d25186b1986057ef8aa5ce2a777ca91acedac36ed631ec174e0090f334573a879bc09a5829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7319018.exe

Filesize
692KB

MD5
db0b619826f21030c82c49d4f1ea1e5d

SHA1
b971a2c5541531164c6d6dfee7a181a401b84585

SHA256
6c022922112f4ab96084f61dd11641dbe24a678dab84ed4524a0adee35012635

SHA512
17c25903f9af0b2cdfaa65d039eac8d4806da79e383bc2a405e1e6d25186b1986057ef8aa5ce2a777ca91acedac36ed631ec174e0090f334573a879bc09a5829

Download Submit
memory/4404-133-0x0000000000810000-0x00000000008EB000-memory.dmp

Filesize
876KB

Download
memory/4612-153-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/4612-157-0x000000000A600000-0x000000000AC18000-memory.dmp

Filesize
6.1MB

Download
memory/4612-158-0x0000000009FF0000-0x000000000A0FA000-memory.dmp

Filesize
1.0MB

Download
memory/4612-159-0x000000000A130000-0x000000000A142000-memory.dmp

Filesize
72KB

Download
memory/4612-160-0x000000000A150000-0x000000000A18C000-memory.dmp

Filesize
240KB

Download
memory/4612-161-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4612-162-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing