redline | eae2ebbd7384f13f7ddae701193b9c408f5b7b831268f0029bf72e137ba2d0d1

General

Target

d6f0b5f1bb6db2ac09d16f88ad40f249.exe
Size

768KB
MD5

d6f0b5f1bb6db2ac09d16f88ad40f249
SHA1

2e6960beb908b90e988588fcfab5cfa44bb07cec
SHA256

eae2ebbd7384f13f7ddae701193b9c408f5b7b831268f0029bf72e137ba2d0d1
SHA512

b1cbe50cb679c4228ca2c8f04a8d8855df1ca37991d3e96812551cd34ac865b745bf84eab5bae1ff637d96605a1ebd3d1fbee1b52bb1600edf88e21cf2c83612
SSDEEP

12288:vMrKy907an+LseVnTDWZkI1CqPSJiUzRGhkQADBpMjW8Nkyx3Zj6u+yzxFH:ly+a+L7VnGZkmTSAUUJA1wW8bx3h1+yX

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2200	x4335159.exe
2948	x3789792.exe
1476	g1033252.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d6f0b5f1bb6db2ac09d16f88ad40f249.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6f0b5f1bb6db2ac09d16f88ad40f249.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4335159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4335159.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3789792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3789792.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2200	4712	d6f0b5f1bb6db2ac09d16f88ad40f249.exe	85
PID 4712 wrote to memory of 2200	4712	d6f0b5f1bb6db2ac09d16f88ad40f249.exe	85
PID 4712 wrote to memory of 2200	4712	d6f0b5f1bb6db2ac09d16f88ad40f249.exe	85
PID 2200 wrote to memory of 2948	2200	x4335159.exe	86
PID 2200 wrote to memory of 2948	2200	x4335159.exe	86
PID 2200 wrote to memory of 2948	2200	x4335159.exe	86
PID 2948 wrote to memory of 1476	2948	x3789792.exe	87
PID 2948 wrote to memory of 1476	2948	x3789792.exe	87
PID 2948 wrote to memory of 1476	2948	x3789792.exe	87

C:\Users\Admin\AppData\Local\Temp\d6f0b5f1bb6db2ac09d16f88ad40f249.exe
"C:\Users\Admin\AppData\Local\Temp\d6f0b5f1bb6db2ac09d16f88ad40f249.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe
      4⤵
      Executes dropped EXE
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe

Filesize
612KB

MD5
5ff20899ef00b9870b48c8bc785d7481

SHA1
b2ae7a2044fa9dcfb036a94a4dd7164e6aae3fc9

SHA256
5d4a87160e86e781ba6fd3aa3c16668a27ce6c10c00653fa8860593d8a0d0f88

SHA512
0b641d0e6cfb1c69a30abd4588b76f2a23e796b9453502e3c4a872011ed184189cc7c411aa4f7abce36c150bb7f7ee797c20ee4c611e45e89be0c1f8b01a8cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4335159.exe

Filesize
612KB

MD5
5ff20899ef00b9870b48c8bc785d7481

SHA1
b2ae7a2044fa9dcfb036a94a4dd7164e6aae3fc9

SHA256
5d4a87160e86e781ba6fd3aa3c16668a27ce6c10c00653fa8860593d8a0d0f88

SHA512
0b641d0e6cfb1c69a30abd4588b76f2a23e796b9453502e3c4a872011ed184189cc7c411aa4f7abce36c150bb7f7ee797c20ee4c611e45e89be0c1f8b01a8cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe

Filesize
511KB

MD5
499cd4d6667cd498fd211dd6755cc64d

SHA1
fcff8107a0d4facf6de585e884d8505a1e92c55b

SHA256
d793350bc36742bc1ac440038cf42d78154647b4ae8c073bf016f41a882cef49

SHA512
39f9f127bc8fb15177b06cb556cfc39eacf50116d14de570215c7eb925e1028147d516821081808bdb61d96243a50f75d399aac91876841b68a99b0412d1316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3789792.exe

Filesize
511KB

MD5
499cd4d6667cd498fd211dd6755cc64d

SHA1
fcff8107a0d4facf6de585e884d8505a1e92c55b

SHA256
d793350bc36742bc1ac440038cf42d78154647b4ae8c073bf016f41a882cef49

SHA512
39f9f127bc8fb15177b06cb556cfc39eacf50116d14de570215c7eb925e1028147d516821081808bdb61d96243a50f75d399aac91876841b68a99b0412d1316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe

Filesize
491KB

MD5
bc2e95923f0891140b494e146ee3a25c

SHA1
e6c50500fa3ac45a34bd863c8743f70042ac0d0a

SHA256
8cc91b07254aba1b612fcf76bf9ae9497be5443d18e059f98c36a2b7f38573e3

SHA512
b7d134aef99db0c55e07f030440b4d325f5b97bb99fbdbdbb748fb0396aa64a90619d87cc4ec37c48b9aa4a58f39c81b1349caa32af6748ad39c9770892a4883

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1033252.exe

Filesize
491KB

MD5
bc2e95923f0891140b494e146ee3a25c

SHA1
e6c50500fa3ac45a34bd863c8743f70042ac0d0a

SHA256
8cc91b07254aba1b612fcf76bf9ae9497be5443d18e059f98c36a2b7f38573e3

SHA512
b7d134aef99db0c55e07f030440b4d325f5b97bb99fbdbdbb748fb0396aa64a90619d87cc4ec37c48b9aa4a58f39c81b1349caa32af6748ad39c9770892a4883

Download Submit
memory/1476-161-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1476-155-0x00000000006F0000-0x000000000077C000-memory.dmp

Filesize
560KB

Download
memory/1476-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1476-162-0x00000000006F0000-0x000000000077C000-memory.dmp

Filesize
560KB

Download
memory/1476-163-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/1476-164-0x00000000085A0000-0x0000000008BB8000-memory.dmp

Filesize
6.1MB

Download
memory/1476-165-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/1476-167-0x0000000006D00000-0x0000000006D10000-memory.dmp

Filesize
64KB

Download
memory/1476-166-0x0000000008090000-0x00000000080A2000-memory.dmp

Filesize
72KB

Download
memory/1476-168-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1476-169-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1476-170-0x0000000006D00000-0x0000000006D10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing