redline | 4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028

General

Target

4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe
Size

1014KB
MD5

2afff22e9c7c747137da4dfc53f05ff3
SHA1

7253f21d85a1deda36fa2fb4a47fcf4fd479163a
SHA256

4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028
SHA512

6e03198f35ffbd6cd208af3022d61d3d845ea338697da33dc29aeeec631414478febe1a4c8aebe447edbb75d798f93eb453eebd1f6c462ab7c16201c97a0cce3
SSDEEP

24576:vy+7mIjdVYqKAoSbnBMtUJZ6oXQBKZKdt/2:6+5rYCo2fev/

Score

10^/10

redline masha infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1924	x0373007.exe
1120	x7375159.exe
2592	f6180945.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7375159.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0373007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0373007.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7375159.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1924	3036	4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe	70
PID 3036 wrote to memory of 1924	3036	4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe	70
PID 3036 wrote to memory of 1924	3036	4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe	70
PID 1924 wrote to memory of 1120	1924	x0373007.exe	71
PID 1924 wrote to memory of 1120	1924	x0373007.exe	71
PID 1924 wrote to memory of 1120	1924	x0373007.exe	71
PID 1120 wrote to memory of 2592	1120	x7375159.exe	72
PID 1120 wrote to memory of 2592	1120	x7375159.exe	72
PID 1120 wrote to memory of 2592	1120	x7375159.exe	72

C:\Users\Admin\AppData\Local\Temp\4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe
"C:\Users\Admin\AppData\Local\Temp\4b7a113cd407d0717a42c1e39a66554672f24cd963e75b75c4d1cff727469028.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0373007.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0373007.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7375159.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7375159.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6180945.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6180945.exe
      4⤵
      Executes dropped EXE
      PID:2592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0373007.exe

Filesize
858KB

MD5
b609b5a5bdf24af8de65d83a7794be26

SHA1
b28f52ab0159f38c484f5ac013ccc59970d5b499

SHA256
c5546babcd32a8cbd4363d5f89532f7b71a5805f3559cf78d42c485879961d9a

SHA512
281481ee14e0e1afb84a48e9c4c16e28888644872dbffe496c0b9604e2abe392d953cc743955859e22fb148bb184ff7085fff53429068ebefac3e7384efb16fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0373007.exe

Filesize
858KB

MD5
b609b5a5bdf24af8de65d83a7794be26

SHA1
b28f52ab0159f38c484f5ac013ccc59970d5b499

SHA256
c5546babcd32a8cbd4363d5f89532f7b71a5805f3559cf78d42c485879961d9a

SHA512
281481ee14e0e1afb84a48e9c4c16e28888644872dbffe496c0b9604e2abe392d953cc743955859e22fb148bb184ff7085fff53429068ebefac3e7384efb16fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7375159.exe

Filesize
757KB

MD5
bb1cb7775f27fb7c76a6b877b2239792

SHA1
9593d06d1be6d3972082d39ff59a25e4c68ef308

SHA256
dd0d57852dfd5d13dd3720d753f1c465472e1bd45186437f6b61d3e1b8be78a6

SHA512
e3cbe83f68ead6897e7f7ece87aa6d3bad02bc6f8bc8736f75b6ff01407e217d76b4d720f5897bbbf6ffe3fede5524d2b2a321d513f68dc7d5e47e39d0c1994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7375159.exe

Filesize
757KB

MD5
bb1cb7775f27fb7c76a6b877b2239792

SHA1
9593d06d1be6d3972082d39ff59a25e4c68ef308

SHA256
dd0d57852dfd5d13dd3720d753f1c465472e1bd45186437f6b61d3e1b8be78a6

SHA512
e3cbe83f68ead6897e7f7ece87aa6d3bad02bc6f8bc8736f75b6ff01407e217d76b4d720f5897bbbf6ffe3fede5524d2b2a321d513f68dc7d5e47e39d0c1994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6180945.exe

Filesize
729KB

MD5
88128a9411e332bbd907ff408b63b4d4

SHA1
1865b247e9b78a747d3933161ec7805d2919bd7b

SHA256
9409b11b105d798874624621ec4ff2fc7102fe5a6e1d2fef5657bc0b2b0cebcc

SHA512
837eabec7ca852bbb13cd66ea1a8e04dcdaa516bcf911676ab722653617af8dea83b3861c46d0dc7c8a32f2e3c3bce64653f9b4bd75a5657f32e9c9370f89241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6180945.exe

Filesize
729KB

MD5
88128a9411e332bbd907ff408b63b4d4

SHA1
1865b247e9b78a747d3933161ec7805d2919bd7b

SHA256
9409b11b105d798874624621ec4ff2fc7102fe5a6e1d2fef5657bc0b2b0cebcc

SHA512
837eabec7ca852bbb13cd66ea1a8e04dcdaa516bcf911676ab722653617af8dea83b3861c46d0dc7c8a32f2e3c3bce64653f9b4bd75a5657f32e9c9370f89241

Download Submit
memory/2592-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-139-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2592-143-0x0000000073280000-0x000000007396E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-144-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/2592-145-0x0000000009EC0000-0x000000000A4C6000-memory.dmp

Filesize
6.0MB

Download
memory/2592-146-0x000000000A4D0000-0x000000000A5DA000-memory.dmp

Filesize
1.0MB

Download
memory/2592-147-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2592-148-0x000000000A620000-0x000000000A65E000-memory.dmp

Filesize
248KB

Download
memory/2592-149-0x000000000A690000-0x000000000A6DB000-memory.dmp

Filesize
300KB

Download
memory/2592-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-151-0x0000000073280000-0x000000007396E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing