redline | c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b

General

Target

c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe
Size

1015KB
MD5

9ac130138862a0d01ed360241acd7ba5
SHA1

7d83ee72dd67efcac65e7004ec3b570cc9ca6952
SHA256

c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b
SHA512

d085b277d7ddfc5bd2bd35a1e9280e77abc69d6bc827a759872240e2bcebc2803e7b4da34e2e1569528c8c9c7e39d0e2ce72cb9d41bb741901a1a9532ac80069
SSDEEP

24576:qyACuKT7PmQ9kGdAzGDvW9+AXt0YiHsRNcHYebrzp2B7cM4:xACuKDkmAzGDm1UHsr+5HclcM

Score

10^/10

redline masha infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4204	x3780015.exe
4604	x7640943.exe
3684	f5843410.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7640943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7640943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3780015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3780015.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4204	2672	c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe	86
PID 2672 wrote to memory of 4204	2672	c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe	86
PID 2672 wrote to memory of 4204	2672	c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe	86
PID 4204 wrote to memory of 4604	4204	x3780015.exe	87
PID 4204 wrote to memory of 4604	4204	x3780015.exe	87
PID 4204 wrote to memory of 4604	4204	x3780015.exe	87
PID 4604 wrote to memory of 3684	4604	x7640943.exe	88
PID 4604 wrote to memory of 3684	4604	x7640943.exe	88
PID 4604 wrote to memory of 3684	4604	x7640943.exe	88

C:\Users\Admin\AppData\Local\Temp\c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe
"C:\Users\Admin\AppData\Local\Temp\c526e10b5d27c008796fb11887cd2ce130f97321980404a45a1e3d80f3c8bb9b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3780015.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3780015.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7640943.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7640943.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5843410.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5843410.exe
      4⤵
      Executes dropped EXE
      PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3780015.exe

Filesize
860KB

MD5
d8604a8e014a293f266ca536aa57373b

SHA1
df050c1b8b8bb5ae9d1322db55259081b83f6241

SHA256
77a97adb9ce06ac3f0ebb244511552906da992e28f4bc529829789e6514793dc

SHA512
23ad106aad5ac40d9a7e890d7c17437738db9cff4f4d608c776db5b7f70ba6ab11657bb630d8cc3be3efb0244b822e3a7439a4614e2860ed1dd9e05b09a1d9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3780015.exe

Filesize
860KB

MD5
d8604a8e014a293f266ca536aa57373b

SHA1
df050c1b8b8bb5ae9d1322db55259081b83f6241

SHA256
77a97adb9ce06ac3f0ebb244511552906da992e28f4bc529829789e6514793dc

SHA512
23ad106aad5ac40d9a7e890d7c17437738db9cff4f4d608c776db5b7f70ba6ab11657bb630d8cc3be3efb0244b822e3a7439a4614e2860ed1dd9e05b09a1d9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7640943.exe

Filesize
758KB

MD5
7875ae728afae05ea5804372fc860e36

SHA1
276afc875af75942eab89b8d7dab0086f03f364b

SHA256
cde40b43c7cefbe91994c787855c08ac60b5cbd486e7e3cffaac113d257e091d

SHA512
6f190968151259a128bbcdc10a30db9682e2c95ad8f7fa55b835496136b240b3757fce6ec0457cfaed87a985d9377a7a971f66bd54eeac304a98d39954ffa2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7640943.exe

Filesize
758KB

MD5
7875ae728afae05ea5804372fc860e36

SHA1
276afc875af75942eab89b8d7dab0086f03f364b

SHA256
cde40b43c7cefbe91994c787855c08ac60b5cbd486e7e3cffaac113d257e091d

SHA512
6f190968151259a128bbcdc10a30db9682e2c95ad8f7fa55b835496136b240b3757fce6ec0457cfaed87a985d9377a7a971f66bd54eeac304a98d39954ffa2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5843410.exe

Filesize
729KB

MD5
ec55fadeb5fd77ecf734bc55cda59ea2

SHA1
5115523bf2ff77210c8fa2b540e11322162ab31d

SHA256
0284e45760f3c60b532db32243df0deb1fd0a8c17a7f0e5262996354670e27ff

SHA512
7bab5c71f8f6aa8e6faf83e62c35be427f747cea378f10ca74f19b355c4d9f5d2d2b21aab6d71e2ac60099c2bb175763987b639421554c1b41246e5aa1f66161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5843410.exe

Filesize
729KB

MD5
ec55fadeb5fd77ecf734bc55cda59ea2

SHA1
5115523bf2ff77210c8fa2b540e11322162ab31d

SHA256
0284e45760f3c60b532db32243df0deb1fd0a8c17a7f0e5262996354670e27ff

SHA512
7bab5c71f8f6aa8e6faf83e62c35be427f747cea378f10ca74f19b355c4d9f5d2d2b21aab6d71e2ac60099c2bb175763987b639421554c1b41246e5aa1f66161

Download Submit
memory/3684-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3684-155-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/3684-159-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3684-160-0x0000000004BE0000-0x00000000051F8000-memory.dmp

Filesize
6.1MB

Download
memory/3684-161-0x0000000005220000-0x000000000532A000-memory.dmp

Filesize
1.0MB

Download
memory/3684-163-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3684-162-0x0000000005360000-0x0000000005372000-memory.dmp

Filesize
72KB

Download
memory/3684-164-0x0000000005380000-0x00000000053BC000-memory.dmp

Filesize
240KB

Download
memory/3684-165-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3684-166-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing