redline | ffca01eab57ad303c53af864d96d53e1fe5339d089ece9c9288d685395588b09

General

Target

93c1cf125b85fb3d837c268f1a522d43.exe
Size

769KB
MD5

93c1cf125b85fb3d837c268f1a522d43
SHA1

021b4c910e6c9af13c94f77b6f5e88a1480c82a9
SHA256

ffca01eab57ad303c53af864d96d53e1fe5339d089ece9c9288d685395588b09
SHA512

c700c65674e875ca0f1a460ac20407a48067806d4f99af805f53fbd9b533de603b491d3f0c439c7203aff86e424fe5d99a9360452413a362ee5aa36d0a63bd30
SSDEEP

12288:PMrAy90FvlyVN8Ha8xmcAGaIevzTUZczWOQO7vw0wRgPoS3bHvit1j:by6wN7gmcOFzlWOJ7YVRioS3bPM

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4156	x0552834.exe
2320	x5553196.exe
4428	g7001085.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	93c1cf125b85fb3d837c268f1a522d43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	93c1cf125b85fb3d837c268f1a522d43.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0552834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0552834.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5553196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5553196.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4156	1160	93c1cf125b85fb3d837c268f1a522d43.exe	90
PID 1160 wrote to memory of 4156	1160	93c1cf125b85fb3d837c268f1a522d43.exe	90
PID 1160 wrote to memory of 4156	1160	93c1cf125b85fb3d837c268f1a522d43.exe	90
PID 4156 wrote to memory of 2320	4156	x0552834.exe	91
PID 4156 wrote to memory of 2320	4156	x0552834.exe	91
PID 4156 wrote to memory of 2320	4156	x0552834.exe	91
PID 2320 wrote to memory of 4428	2320	x5553196.exe	92
PID 2320 wrote to memory of 4428	2320	x5553196.exe	92
PID 2320 wrote to memory of 4428	2320	x5553196.exe	92

C:\Users\Admin\AppData\Local\Temp\93c1cf125b85fb3d837c268f1a522d43.exe
"C:\Users\Admin\AppData\Local\Temp\93c1cf125b85fb3d837c268f1a522d43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0552834.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0552834.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5553196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5553196.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7001085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7001085.exe
      4⤵
      Executes dropped EXE
      PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0552834.exe

Filesize
614KB

MD5
3212a7b9507efaf1ccec34710828bc95

SHA1
e34a13af94b3d4574b18d72ba610663e8ce4141e

SHA256
28c46720aebd12e25ba56f969c8122d653499523318ac5ad6a0a498ca8671c4e

SHA512
752b5d8dcb01869a5b06877c01276936a39581629022b8200a00a3a71a616bf38dc16a60bf3d640ae42e4ae19f18daabfdaa915e74766bec8718f83a133a3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0552834.exe

Filesize
614KB

MD5
3212a7b9507efaf1ccec34710828bc95

SHA1
e34a13af94b3d4574b18d72ba610663e8ce4141e

SHA256
28c46720aebd12e25ba56f969c8122d653499523318ac5ad6a0a498ca8671c4e

SHA512
752b5d8dcb01869a5b06877c01276936a39581629022b8200a00a3a71a616bf38dc16a60bf3d640ae42e4ae19f18daabfdaa915e74766bec8718f83a133a3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5553196.exe

Filesize
513KB

MD5
f67e7a52656d409b8f8d8fc455806615

SHA1
0875151c252084b81c49636397ceb30c965e5f29

SHA256
73a00aa402abe61449146a11ca364d0684c23ec2b221cfcc449c596f573680ca

SHA512
7acd1b664bc4e7024234efa27709e7f88a62653376a8abcd8027692f6992fc7f1256026522b45109cb856c8d139ce8004b85115226364509f142c5c3e7818054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5553196.exe

Filesize
513KB

MD5
f67e7a52656d409b8f8d8fc455806615

SHA1
0875151c252084b81c49636397ceb30c965e5f29

SHA256
73a00aa402abe61449146a11ca364d0684c23ec2b221cfcc449c596f573680ca

SHA512
7acd1b664bc4e7024234efa27709e7f88a62653376a8abcd8027692f6992fc7f1256026522b45109cb856c8d139ce8004b85115226364509f142c5c3e7818054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7001085.exe

Filesize
492KB

MD5
92afdf44d1c33960ab452a8c274282db

SHA1
60c7376a52f74f0799ee2a574782e9855af28efe

SHA256
e12a3d43b1f8a35e75f3bf09ea5422ef10bccfa19a8b2e131259f7b4be5333d2

SHA512
31ee981dd21ffe2498d74cf7713df410d55b6a9f9894c571b6d05bd372402362f051b0f87cbcb62d9723c145593eb53dd8c04cdb72836adf9c71b82170a83e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7001085.exe

Filesize
492KB

MD5
92afdf44d1c33960ab452a8c274282db

SHA1
60c7376a52f74f0799ee2a574782e9855af28efe

SHA256
e12a3d43b1f8a35e75f3bf09ea5422ef10bccfa19a8b2e131259f7b4be5333d2

SHA512
31ee981dd21ffe2498d74cf7713df410d55b6a9f9894c571b6d05bd372402362f051b0f87cbcb62d9723c145593eb53dd8c04cdb72836adf9c71b82170a83e1f

Download Submit
memory/4428-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4428-155-0x0000000001FF0000-0x000000000207C000-memory.dmp

Filesize
560KB

Download
memory/4428-161-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-162-0x0000000001FF0000-0x000000000207C000-memory.dmp

Filesize
560KB

Download
memory/4428-163-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/4428-164-0x00000000050B0000-0x00000000056C8000-memory.dmp

Filesize
6.1MB

Download
memory/4428-165-0x0000000004A90000-0x0000000004B9A000-memory.dmp

Filesize
1.0MB

Download
memory/4428-166-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4428-168-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4428-167-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4428-169-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/4428-170-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-171-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing