redline | 8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90

General

Target

8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe
Size

770KB
MD5

8ba8ddc444effbf74a138ca0a90e50c2
SHA1

75709ce592f541f11317cfad0a863e9365fda4f5
SHA256

8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90
SHA512

485bda8be82255c619cc0259df7d8029169623d81a61dd25bf4956c48099e31c05ef9e207c907bfe381dcf09c0cc550fe7abac86b03bee70a8e98eed0000153c
SSDEEP

12288:TMrsy90RaffCIVUsp29r8fgcrrv/nDbuiYfrgggEzeaGJ+At2+bBnsj+sX:nyffqI6SGFkr3XudgggEzonVnsZX

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
904	x3853214.exe
4936	x9056304.exe
4612	g0581496.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9056304.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3853214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3853214.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9056304.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 904	4416	8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe	69
PID 4416 wrote to memory of 904	4416	8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe	69
PID 4416 wrote to memory of 904	4416	8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe	69
PID 904 wrote to memory of 4936	904	x3853214.exe	70
PID 904 wrote to memory of 4936	904	x3853214.exe	70
PID 904 wrote to memory of 4936	904	x3853214.exe	70
PID 4936 wrote to memory of 4612	4936	x9056304.exe	71
PID 4936 wrote to memory of 4612	4936	x9056304.exe	71
PID 4936 wrote to memory of 4612	4936	x9056304.exe	71

C:\Users\Admin\AppData\Local\Temp\8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe
"C:\Users\Admin\AppData\Local\Temp\8102ae4cd92635372b9b16d9d25b0f9245765d8ba20a0cfb554f964521e31c90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3853214.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3853214.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9056304.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9056304.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0581496.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0581496.exe
      4⤵
      Executes dropped EXE
      PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3853214.exe

Filesize
614KB

MD5
00cadf244c9c111d0d8843f629a63b03

SHA1
fc1ed26b80099aedccd89a1d3a5b41543d72bab7

SHA256
88a1c9d2ea278430046f08676ee5c3e6a0ce76cebe19b8934e940044fc42811c

SHA512
29f3f5c124a0f3bf35ae44faea9296833ad69eea4549cdfec9aa581fecedf57fff5513e45c2193e50555a8d396c24dd26f25aa333e80388ef5c3f7fcaf44466f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3853214.exe

Filesize
614KB

MD5
00cadf244c9c111d0d8843f629a63b03

SHA1
fc1ed26b80099aedccd89a1d3a5b41543d72bab7

SHA256
88a1c9d2ea278430046f08676ee5c3e6a0ce76cebe19b8934e940044fc42811c

SHA512
29f3f5c124a0f3bf35ae44faea9296833ad69eea4549cdfec9aa581fecedf57fff5513e45c2193e50555a8d396c24dd26f25aa333e80388ef5c3f7fcaf44466f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9056304.exe

Filesize
513KB

MD5
9e30154f557c123fc0b4c6c2b5ad3f83

SHA1
3bad8013bdb4997a15a442b2cec4c0d15faa602e

SHA256
67cd76eef9adb345e3cca704a4b4f33118f31dd251f2c31be6f0df3a025d5e61

SHA512
22050ce492886fb3c04b946f70c2906710dccbae2635e0cf30b78010e8ea371feea100e5581ecd1740fff581b619edcca052038c4260433274681c8666b63988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9056304.exe

Filesize
513KB

MD5
9e30154f557c123fc0b4c6c2b5ad3f83

SHA1
3bad8013bdb4997a15a442b2cec4c0d15faa602e

SHA256
67cd76eef9adb345e3cca704a4b4f33118f31dd251f2c31be6f0df3a025d5e61

SHA512
22050ce492886fb3c04b946f70c2906710dccbae2635e0cf30b78010e8ea371feea100e5581ecd1740fff581b619edcca052038c4260433274681c8666b63988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0581496.exe

Filesize
492KB

MD5
4e388f00994b9dfef6c4fea41f5c96bb

SHA1
2d0a7ec38369aa6dd2cef8ce43f1c761994fcf7d

SHA256
898204c0b908ce5b6f42e7fea32081ad3790a33601daf068c7b8811b930a9d61

SHA512
174b6b802ead65bde1d4efd5a9b9e6ecff349c9575cf053c60d92bb937bd631b279100b06a3f7a81d85fb5618438d37a9a9df3cbe0d13fca565bfc9ff0661b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0581496.exe

Filesize
492KB

MD5
4e388f00994b9dfef6c4fea41f5c96bb

SHA1
2d0a7ec38369aa6dd2cef8ce43f1c761994fcf7d

SHA256
898204c0b908ce5b6f42e7fea32081ad3790a33601daf068c7b8811b930a9d61

SHA512
174b6b802ead65bde1d4efd5a9b9e6ecff349c9575cf053c60d92bb937bd631b279100b06a3f7a81d85fb5618438d37a9a9df3cbe0d13fca565bfc9ff0661b99

Download Submit
memory/4612-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-138-0x00000000005A0000-0x000000000062C000-memory.dmp

Filesize
560KB

Download
memory/4612-145-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/4612-146-0x00000000005A0000-0x000000000062C000-memory.dmp

Filesize
560KB

Download
memory/4612-147-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/4612-148-0x0000000002370000-0x0000000002376000-memory.dmp

Filesize
24KB

Download
memory/4612-149-0x0000000004AC0000-0x00000000050C6000-memory.dmp

Filesize
6.0MB

Download
memory/4612-150-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/4612-151-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/4612-152-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4612-153-0x0000000005320000-0x000000000536B000-memory.dmp

Filesize
300KB

Download
memory/4612-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4612-155-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing