redline | 486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f

General

Target

486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe
Size

770KB
MD5

9c89817c1c4cdaca0845c056977f94bc
SHA1

085a246c91e89a9c00b75d3e1d54403dfc4956bb
SHA256

486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f
SHA512

c205774bf56513171951313d559498bcca6dfeb7f3e940a24c17806ab67cf2096547ede9b6b13257c351200742c5a3b85797e38830971aaa6715854d52156272
SSDEEP

12288:HMrey90cdNcO42gqGx6PhX+ZM3tnpZ44pxaPZUL75p34h9GdXF94sVriUqNYCc:5yDO2r2kp3pfT34h9SYAN

Score

10^/10

redline masha infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2996	x0044241.exe
620	x2884213.exe
4536	f1863895.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0044241.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2884213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2884213.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0044241.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2996	3396	486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe	70
PID 3396 wrote to memory of 2996	3396	486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe	70
PID 3396 wrote to memory of 2996	3396	486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe	70
PID 2996 wrote to memory of 620	2996	x0044241.exe	71
PID 2996 wrote to memory of 620	2996	x0044241.exe	71
PID 2996 wrote to memory of 620	2996	x0044241.exe	71
PID 620 wrote to memory of 4536	620	x2884213.exe	72
PID 620 wrote to memory of 4536	620	x2884213.exe	72
PID 620 wrote to memory of 4536	620	x2884213.exe	72

C:\Users\Admin\AppData\Local\Temp\486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe
"C:\Users\Admin\AppData\Local\Temp\486a9338c04da31e101367e9ca09bbda96b525740aea077b783d98af9571865f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0044241.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0044241.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2884213.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2884213.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1863895.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1863895.exe
      4⤵
      Executes dropped EXE
      PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0044241.exe

Filesize
614KB

MD5
e8f6a4e8c6bbdde55fa49b74a8a46789

SHA1
48455b6b598e70cc7bf828a4b321c9ec62656a27

SHA256
71c234e28f314b521aa9ef3e6df52a01fb2b8c311550031a4c62248155460985

SHA512
53f36c05d4ee5f868d706b8d38c2af1f1de36c960b77800e1a25f06e5ca7552c14d1b0b1f97f9bdbb7304183d36b06dc850189710f2ad267474d83e2b837614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0044241.exe

Filesize
614KB

MD5
e8f6a4e8c6bbdde55fa49b74a8a46789

SHA1
48455b6b598e70cc7bf828a4b321c9ec62656a27

SHA256
71c234e28f314b521aa9ef3e6df52a01fb2b8c311550031a4c62248155460985

SHA512
53f36c05d4ee5f868d706b8d38c2af1f1de36c960b77800e1a25f06e5ca7552c14d1b0b1f97f9bdbb7304183d36b06dc850189710f2ad267474d83e2b837614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2884213.exe

Filesize
513KB

MD5
130ceeb429f5c652f9286b98616de749

SHA1
560e2aadf4b32bc36b8963a17e4cfbb087bb7517

SHA256
e09fed3161e80d0b6cd1b1b7e3a6ba59b17e81bdc4ad565f9966158db9a09349

SHA512
9dc96d596853e3bf7015dcc59a80245e144b60090cb8e8412062428ecddc4a389c307de39c3913d60715775ad81ec3bde0f3e4d51290212aa8f4ed15ce620107

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2884213.exe

Filesize
513KB

MD5
130ceeb429f5c652f9286b98616de749

SHA1
560e2aadf4b32bc36b8963a17e4cfbb087bb7517

SHA256
e09fed3161e80d0b6cd1b1b7e3a6ba59b17e81bdc4ad565f9966158db9a09349

SHA512
9dc96d596853e3bf7015dcc59a80245e144b60090cb8e8412062428ecddc4a389c307de39c3913d60715775ad81ec3bde0f3e4d51290212aa8f4ed15ce620107

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1863895.exe

Filesize
489KB

MD5
ffe890d17a90f5456db3f933fbffe74f

SHA1
9e6b555d812ec15a379a5708873f839cfd285723

SHA256
2bdb519c8a3861fa063b8ce53a6ed5c2322d993726a9c24007e3d839cd2bd969

SHA512
705c4af43bb4eecb5657d4de27519477cc492cad2983a39b29dfa0c40981e61698463cc999d7343884228423e960744305cc4b57074e11438de931fb0a614688

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f1863895.exe

Filesize
489KB

MD5
ffe890d17a90f5456db3f933fbffe74f

SHA1
9e6b555d812ec15a379a5708873f839cfd285723

SHA256
2bdb519c8a3861fa063b8ce53a6ed5c2322d993726a9c24007e3d839cd2bd969

SHA512
705c4af43bb4eecb5657d4de27519477cc492cad2983a39b29dfa0c40981e61698463cc999d7343884228423e960744305cc4b57074e11438de931fb0a614688

Download Submit
memory/4536-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4536-138-0x0000000001FC0000-0x000000000204C000-memory.dmp

Filesize
560KB

Download
memory/4536-145-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/4536-146-0x0000000001FC0000-0x000000000204C000-memory.dmp

Filesize
560KB

Download
memory/4536-147-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/4536-148-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/4536-149-0x00000000049C0000-0x0000000004FC6000-memory.dmp

Filesize
6.0MB

Download
memory/4536-150-0x0000000005020000-0x000000000512A000-memory.dmp

Filesize
1.0MB

Download
memory/4536-151-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/4536-152-0x0000000005170000-0x00000000051AE000-memory.dmp

Filesize
248KB

Download
memory/4536-153-0x00000000051E0000-0x000000000522B000-memory.dmp

Filesize
300KB

Download
memory/4536-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4536-155-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing