redline | ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839

Analysis

max time kernel
134s
max time network
147s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a41e28f4eec153d15b78e1621773f26.exe
Size

773KB
MD5

1a41e28f4eec153d15b78e1621773f26
SHA1

5c7dfe09f97e2875a97cf7e65d19da91ec8b85a9
SHA256

ff3e22df306eca9b6314b52e2b97d1dedca75e38d21b41cff14cbc8fe029e839
SHA512

bb2b0f95c799656e4d12f098dcfc7157967fc53ba6719248c99eeaf9d905e188cf3db39c87ffe484bb2188ad7153536f45e4e9e5476e8245d7dc1d39777ca959
SSDEEP

24576:fypqEqOuC02OGGs90ekugJrj1liNy3o1:qpqEDutHGJ3kVIE

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1988	x1762007.exe
2912	x9359883.exe
2364	f7670901.exe

Loads dropped DLL 7 IoCs

pid	Process
2268	1a41e28f4eec153d15b78e1621773f26.exe
1988	x1762007.exe
1988	x1762007.exe
2912	x9359883.exe
2912	x9359883.exe
2912	x9359883.exe
2364	f7670901.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9359883.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1a41e28f4eec153d15b78e1621773f26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a41e28f4eec153d15b78e1621773f26.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1762007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1762007.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9359883.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 2268 wrote to memory of 1988	2268	1a41e28f4eec153d15b78e1621773f26.exe	28
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 1988 wrote to memory of 2912	1988	x1762007.exe	29
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30
PID 2912 wrote to memory of 2364	2912	x9359883.exe	30

C:\Users\Admin\AppData\Local\Temp\1a41e28f4eec153d15b78e1621773f26.exe
"C:\Users\Admin\AppData\Local\Temp\1a41e28f4eec153d15b78e1621773f26.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe

Filesize
617KB

MD5
f6df16bae2871aedc79c6565e0f37ef5

SHA1
574525b48efc7d990a22bfe6eeb3c0f976bdf418

SHA256
8555d6839089d414ce5929ce2f95cca072e97bc63afaedcf14ea770d6e3b3c34

SHA512
fe81b831b5c3972bf98e0ae7c3d8d30637939a9c79a5f018e754813ca7fd9dbc78e856f1309cfb36cbc63cf0f11e2990bbdb2592e6d1d9fb18b3e666405f3673

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe

Filesize
617KB

MD5
f6df16bae2871aedc79c6565e0f37ef5

SHA1
574525b48efc7d990a22bfe6eeb3c0f976bdf418

SHA256
8555d6839089d414ce5929ce2f95cca072e97bc63afaedcf14ea770d6e3b3c34

SHA512
fe81b831b5c3972bf98e0ae7c3d8d30637939a9c79a5f018e754813ca7fd9dbc78e856f1309cfb36cbc63cf0f11e2990bbdb2592e6d1d9fb18b3e666405f3673

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe

Filesize
516KB

MD5
8f7db7f8e0cf00797facef0f0bfdf1cd

SHA1
f451bce9b4d7731c46a34e746448fff0dc21ae11

SHA256
d211b0a63efd1e2f06e53705dbf60586255c9c6d30fc7fd6a33588720c4d64dd

SHA512
b0e3d8481900ff9a849d44abc8b3bc78ebb5c204a68bfadcbf496513a966c9200c3ade442ddf1dee97e59b7a6a8c9196c9946c1800ff5d0ce0fdc570368f4b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe

Filesize
516KB

MD5
8f7db7f8e0cf00797facef0f0bfdf1cd

SHA1
f451bce9b4d7731c46a34e746448fff0dc21ae11

SHA256
d211b0a63efd1e2f06e53705dbf60586255c9c6d30fc7fd6a33588720c4d64dd

SHA512
b0e3d8481900ff9a849d44abc8b3bc78ebb5c204a68bfadcbf496513a966c9200c3ade442ddf1dee97e59b7a6a8c9196c9946c1800ff5d0ce0fdc570368f4b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe

Filesize
617KB

MD5
f6df16bae2871aedc79c6565e0f37ef5

SHA1
574525b48efc7d990a22bfe6eeb3c0f976bdf418

SHA256
8555d6839089d414ce5929ce2f95cca072e97bc63afaedcf14ea770d6e3b3c34

SHA512
fe81b831b5c3972bf98e0ae7c3d8d30637939a9c79a5f018e754813ca7fd9dbc78e856f1309cfb36cbc63cf0f11e2990bbdb2592e6d1d9fb18b3e666405f3673

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1762007.exe

Filesize
617KB

MD5
f6df16bae2871aedc79c6565e0f37ef5

SHA1
574525b48efc7d990a22bfe6eeb3c0f976bdf418

SHA256
8555d6839089d414ce5929ce2f95cca072e97bc63afaedcf14ea770d6e3b3c34

SHA512
fe81b831b5c3972bf98e0ae7c3d8d30637939a9c79a5f018e754813ca7fd9dbc78e856f1309cfb36cbc63cf0f11e2990bbdb2592e6d1d9fb18b3e666405f3673

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe

Filesize
516KB

MD5
8f7db7f8e0cf00797facef0f0bfdf1cd

SHA1
f451bce9b4d7731c46a34e746448fff0dc21ae11

SHA256
d211b0a63efd1e2f06e53705dbf60586255c9c6d30fc7fd6a33588720c4d64dd

SHA512
b0e3d8481900ff9a849d44abc8b3bc78ebb5c204a68bfadcbf496513a966c9200c3ade442ddf1dee97e59b7a6a8c9196c9946c1800ff5d0ce0fdc570368f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9359883.exe

Filesize
516KB

MD5
8f7db7f8e0cf00797facef0f0bfdf1cd

SHA1
f451bce9b4d7731c46a34e746448fff0dc21ae11

SHA256
d211b0a63efd1e2f06e53705dbf60586255c9c6d30fc7fd6a33588720c4d64dd

SHA512
b0e3d8481900ff9a849d44abc8b3bc78ebb5c204a68bfadcbf496513a966c9200c3ade442ddf1dee97e59b7a6a8c9196c9946c1800ff5d0ce0fdc570368f4b0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7670901.exe

Filesize
493KB

MD5
cc00bc38e5b879a9e8e6deafcfeb0b4c

SHA1
7c48d43e05fc45c346942262dc3ba51f40d56730

SHA256
b96d778f0878f7e31a9c3a8aec174ec2d32425ada7492a7a0288d6b4a0f6cfa2

SHA512
3a6c18a4b08f96121871f9fb0fddef0a326c187a528357d3800a1de7c5308024cd15b00229f04d147b909e3c702d71a1e5e20aca9cd0e2b192cb130ff769027d

Download Submit
memory/2364-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2364-87-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/2364-94-0x0000000000480000-0x000000000050C000-memory.dmp

Filesize
560KB

Download
memory/2364-95-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2364-96-0x0000000001FB0000-0x0000000001FB6000-memory.dmp

Filesize
24KB

Download
memory/2364-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download