redline | a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856

General

Target

a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe
Size

1014KB
MD5

087d9eb4a4a7ab1f79923d350455cc90
SHA1

bb022ec55269982ef9cf48578fe58deddad6a089
SHA256

a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856
SHA512

3278fc5d05721bac47f33711a7d181f92c0eb0f1376b58655f4d94c1294c38e9195eb4eaaf90aab4728a99af84a07487ddf22e020fa70c1d0ab4179a562b0222
SSDEEP

12288:SMrYy905v816+DVKGcsQdJAxsJG3prsBsSQiKda1X15tbjLcvCopFWnNf3b2f9Ss:Oy7DosQDA2JG3prsBDp1fjLNopZShM3

Score

10^/10

redline masha infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3320	x1851176.exe
1532	x8450758.exe
1132	f1547013.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1851176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1851176.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8450758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8450758.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3320	1304	a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe	84
PID 1304 wrote to memory of 3320	1304	a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe	84
PID 1304 wrote to memory of 3320	1304	a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe	84
PID 3320 wrote to memory of 1532	3320	x1851176.exe	85
PID 3320 wrote to memory of 1532	3320	x1851176.exe	85
PID 3320 wrote to memory of 1532	3320	x1851176.exe	85
PID 1532 wrote to memory of 1132	1532	x8450758.exe	87
PID 1532 wrote to memory of 1132	1532	x8450758.exe	87
PID 1532 wrote to memory of 1132	1532	x8450758.exe	87

C:\Users\Admin\AppData\Local\Temp\a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe
"C:\Users\Admin\AppData\Local\Temp\a2f47badc0b0db8e08ca23952f65ce6f5f9d02f7927a0b4e82b38014853bc856.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1851176.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1851176.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8450758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8450758.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1547013.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1547013.exe
      4⤵
      Executes dropped EXE
      PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1851176.exe

Filesize
858KB

MD5
722f2b2fcdfa6d70035cb96339b3ce97

SHA1
d4d14c42ca43b33b68b25e1bd1a6e68cf40d1237

SHA256
b8640296d367f21322ebb1ffaaf8fbd619385a715b235a42966755988d6f5f4c

SHA512
0d237e8b6568904f23749e27ba5afa73faf8d41f676e2624d881141145997b0dbd21010a66200299d492a05122521cf8ebfd59ccf2f537a83635039520975954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1851176.exe

Filesize
858KB

MD5
722f2b2fcdfa6d70035cb96339b3ce97

SHA1
d4d14c42ca43b33b68b25e1bd1a6e68cf40d1237

SHA256
b8640296d367f21322ebb1ffaaf8fbd619385a715b235a42966755988d6f5f4c

SHA512
0d237e8b6568904f23749e27ba5afa73faf8d41f676e2624d881141145997b0dbd21010a66200299d492a05122521cf8ebfd59ccf2f537a83635039520975954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8450758.exe

Filesize
757KB

MD5
e30b3ca64b2d19e7829128b54e169285

SHA1
a8761cfe787b868b1d1119379c92a78ca5fbc43a

SHA256
fc3f079799ac5ae2812c034dcfc99c9f32b7d04fb2d3c631fd5aff7a5f7569ee

SHA512
f7901e439ebda132e905e13ce42e7f188213c6ad07b9d2a07a12588591f3e7e6817ca0cde910ca62518e7e02c7c355ae6c09f8d833404ddaa44e7775362463c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8450758.exe

Filesize
757KB

MD5
e30b3ca64b2d19e7829128b54e169285

SHA1
a8761cfe787b868b1d1119379c92a78ca5fbc43a

SHA256
fc3f079799ac5ae2812c034dcfc99c9f32b7d04fb2d3c631fd5aff7a5f7569ee

SHA512
f7901e439ebda132e905e13ce42e7f188213c6ad07b9d2a07a12588591f3e7e6817ca0cde910ca62518e7e02c7c355ae6c09f8d833404ddaa44e7775362463c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1547013.exe

Filesize
729KB

MD5
94200ab299dfc5049524a399a8a48ce4

SHA1
31782944ba5aa80de5601d6c8738ae99b865a7c8

SHA256
adbc73cf9ede1526e0411279f67147d913e2ec9a4e765e9243ebdfdd649139e6

SHA512
5670fd6ba8c752bad158e3dd4ceb9c79b94dc87aeb510ca2a177d841d7e9e797a041b98b340c524e19f4095c1907a654530765747028e3529fbd994f226f91ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1547013.exe

Filesize
729KB

MD5
94200ab299dfc5049524a399a8a48ce4

SHA1
31782944ba5aa80de5601d6c8738ae99b865a7c8

SHA256
adbc73cf9ede1526e0411279f67147d913e2ec9a4e765e9243ebdfdd649139e6

SHA512
5670fd6ba8c752bad158e3dd4ceb9c79b94dc87aeb510ca2a177d841d7e9e797a041b98b340c524e19f4095c1907a654530765747028e3529fbd994f226f91ec

Download Submit
memory/1132-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-155-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/1132-159-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1132-160-0x0000000004B40000-0x0000000005158000-memory.dmp

Filesize
6.1MB

Download
memory/1132-161-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/1132-162-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1132-163-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/1132-164-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/1132-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-166-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/1132-167-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing