redline | 946fed7f77da1d255b9d04cb0952c91e3665b657221a11b5a971a74be3f8b0d7

General

Target

c12748db90046b82b19eb35ffb7062d5.exe
Size

770KB
MD5

c12748db90046b82b19eb35ffb7062d5
SHA1

8e143b7145346745f5794ebe663d0d05ae4b9aee
SHA256

946fed7f77da1d255b9d04cb0952c91e3665b657221a11b5a971a74be3f8b0d7
SHA512

c37d85a391d40ed0acd022e37e25ccd54e6bb1f708dc6a2b6dd72cd7b6a938695ceab3bb622dba482cbd1df951e7711d398c0f9c415cf80dd3499d339e35124b
SSDEEP

12288:SMrOy90YfhEcymQ5gBh31BCCNd2u18lhQtfuqBq+v1w39gwutPDwYpzFR3h728Q2:oyfuc7Q55CNylOfuqB2tgwGD3BcFS

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
548	x7549296.exe
1620	x1763781.exe
4200	g8224315.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7549296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7549296.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1763781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1763781.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c12748db90046b82b19eb35ffb7062d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c12748db90046b82b19eb35ffb7062d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 548	400	c12748db90046b82b19eb35ffb7062d5.exe	86
PID 400 wrote to memory of 548	400	c12748db90046b82b19eb35ffb7062d5.exe	86
PID 400 wrote to memory of 548	400	c12748db90046b82b19eb35ffb7062d5.exe	86
PID 548 wrote to memory of 1620	548	x7549296.exe	87
PID 548 wrote to memory of 1620	548	x7549296.exe	87
PID 548 wrote to memory of 1620	548	x7549296.exe	87
PID 1620 wrote to memory of 4200	1620	x1763781.exe	88
PID 1620 wrote to memory of 4200	1620	x1763781.exe	88
PID 1620 wrote to memory of 4200	1620	x1763781.exe	88

C:\Users\Admin\AppData\Local\Temp\c12748db90046b82b19eb35ffb7062d5.exe
"C:\Users\Admin\AppData\Local\Temp\c12748db90046b82b19eb35ffb7062d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7549296.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7549296.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1763781.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1763781.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8224315.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8224315.exe
      4⤵
      Executes dropped EXE
      PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7549296.exe

Filesize
614KB

MD5
f85bf69ee7f7c520ad2145bde79038a8

SHA1
4360a898f5414c2ebcca7dbead3ae494653caa89

SHA256
35bed902995fac37dd20ba48dbdcc85c3498ba92930e506ded7f71c1fdd14909

SHA512
2acf8c5f17b826895ef4282fd84ac085f2524ee448b74417bf295c50cf1a6c038fc64da81dd7d21e6b30b4028a1afeb08af2c37d5e1c0fdd140134892ba0fc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7549296.exe

Filesize
614KB

MD5
f85bf69ee7f7c520ad2145bde79038a8

SHA1
4360a898f5414c2ebcca7dbead3ae494653caa89

SHA256
35bed902995fac37dd20ba48dbdcc85c3498ba92930e506ded7f71c1fdd14909

SHA512
2acf8c5f17b826895ef4282fd84ac085f2524ee448b74417bf295c50cf1a6c038fc64da81dd7d21e6b30b4028a1afeb08af2c37d5e1c0fdd140134892ba0fc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1763781.exe

Filesize
513KB

MD5
907d89870cf301da287240545e67735c

SHA1
e45dd9365db471d3cffd8c1c70ed2ce0332f6753

SHA256
98cf17c4d03b4be0d3c040bb01d3f6a407ef76c0eef0bc2540e6c5f23230d4aa

SHA512
f7745548c0beb75b811dc32895fcd155acb11c21a008d64ec4c0d3a90d112ccab3d99fa7d070219305f3d9139cc5354963441f4a7dce896b2f28e7d6463ea996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1763781.exe

Filesize
513KB

MD5
907d89870cf301da287240545e67735c

SHA1
e45dd9365db471d3cffd8c1c70ed2ce0332f6753

SHA256
98cf17c4d03b4be0d3c040bb01d3f6a407ef76c0eef0bc2540e6c5f23230d4aa

SHA512
f7745548c0beb75b811dc32895fcd155acb11c21a008d64ec4c0d3a90d112ccab3d99fa7d070219305f3d9139cc5354963441f4a7dce896b2f28e7d6463ea996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8224315.exe

Filesize
492KB

MD5
0386c625777058526b9cc6ae4a10f20a

SHA1
62de4c2b45fffdf8845257a93c77e4fe1eeaafab

SHA256
df00a50996cf8bee826db65f9a411d3a306090acdf4bcecd8febbbc62049b39b

SHA512
512ed5e3fdd7ed8ec15563a47bc2c43f0fbb65124966ba1bd2007dd4f5ea8adc4881a874fbbe69ab901a41fc22e7a1a8e40b3d94868997de071f5f60b189812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8224315.exe

Filesize
492KB

MD5
0386c625777058526b9cc6ae4a10f20a

SHA1
62de4c2b45fffdf8845257a93c77e4fe1eeaafab

SHA256
df00a50996cf8bee826db65f9a411d3a306090acdf4bcecd8febbbc62049b39b

SHA512
512ed5e3fdd7ed8ec15563a47bc2c43f0fbb65124966ba1bd2007dd4f5ea8adc4881a874fbbe69ab901a41fc22e7a1a8e40b3d94868997de071f5f60b189812f

Download Submit
memory/4200-154-0x0000000001FA0000-0x000000000202C000-memory.dmp

Filesize
560KB

Download
memory/4200-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4200-161-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4200-162-0x0000000001FA0000-0x000000000202C000-memory.dmp

Filesize
560KB

Download
memory/4200-163-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4200-164-0x0000000004BA0000-0x00000000051B8000-memory.dmp

Filesize
6.1MB

Download
memory/4200-165-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/4200-166-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/4200-167-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download
memory/4200-168-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/4200-169-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4200-170-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing