redline | 730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01

General

Target

730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe
Size

662KB
MD5

1ed3b89ce055490ab9d70ca02d71ebb0
SHA1

427137db27b5febe5e08c1e9325d6f73c79e68da
SHA256

730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01
SHA512

666b6b9a85ed230ea4a5a6e08f2b19daebcb68d3f600cf60b3f3c453887828fd9e4d20667ecc572b144e9c4c1947f4e7bbf6c40a7efc1c79c7a9fa70e7f3170e
SSDEEP

12288:YMrPy90dJ0rhb8I/c9hg29FURqzlEf7b7df3oYgpriGq/2Q:XyuJ0rhwI/Ma29nzlkb7dfopp6OQ

Score

10^/10

redline lada infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lada

C2

77.91.124.82:19071

Attributes

auth_value
252f78fed0684205b098417688fa33e2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

y8005731.exey3752219.exem5502380.exen5685214.exe

pid process

2716 y8005731.exe
4856 y3752219.exe
4428 m5502380.exe
2732 n5685214.exe

pid	process
2716	y8005731.exe
4856	y3752219.exe
4428	m5502380.exe
2732	n5685214.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exey8005731.exey3752219.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8005731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3752219.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exey8005731.exey3752219.exe

description	pid	process	target process
PID 4432 wrote to memory of 2716	4432	730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe	y8005731.exe
PID 4432 wrote to memory of 2716	4432	730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe	y8005731.exe
PID 4432 wrote to memory of 2716	4432	730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe	y8005731.exe
PID 2716 wrote to memory of 4856	2716	y8005731.exe	y3752219.exe
PID 2716 wrote to memory of 4856	2716	y8005731.exe	y3752219.exe
PID 2716 wrote to memory of 4856	2716	y8005731.exe	y3752219.exe
PID 4856 wrote to memory of 4428	4856	y3752219.exe	m5502380.exe
PID 4856 wrote to memory of 4428	4856	y3752219.exe	m5502380.exe
PID 4856 wrote to memory of 4428	4856	y3752219.exe	m5502380.exe
PID 4856 wrote to memory of 2732	4856	y3752219.exe	n5685214.exe
PID 4856 wrote to memory of 2732	4856	y3752219.exe	n5685214.exe
PID 4856 wrote to memory of 2732	4856	y3752219.exe	n5685214.exe

C:\Users\Admin\AppData\Local\Temp\730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe
"C:\Users\Admin\AppData\Local\Temp\730106e083e822cd18c1a4c6ea80e8c2a2ee6a3a72bd6179e19e09500bda5b01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
4⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
4⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
Filesize
560KB

MD5
5911efd37d8e225934767b127fb5189b

SHA1
e421abf7b6aa5142b7b42b811ae54e384126b3d9

SHA256
e8ad3a8e522e652b31f7025095a920ca10af6f9a60074c79c2f27b06b702f109

SHA512
1d911e645d7230dd6df394fe2fda947f0fb6bf008d6caff864233301e10efae46a2483085c761415e0d085ff756c5847681793362ec4e74b5aef50543f037368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8005731.exe
Filesize
560KB

MD5
5911efd37d8e225934767b127fb5189b

SHA1
e421abf7b6aa5142b7b42b811ae54e384126b3d9

SHA256
e8ad3a8e522e652b31f7025095a920ca10af6f9a60074c79c2f27b06b702f109

SHA512
1d911e645d7230dd6df394fe2fda947f0fb6bf008d6caff864233301e10efae46a2483085c761415e0d085ff756c5847681793362ec4e74b5aef50543f037368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
Filesize
272KB

MD5
726fa26a88a1b7c66618edaaa90f4b25

SHA1
7002d08106999f709d8554eda0bc282f99fb1853

SHA256
8f8b36940cec398f4ddc7f6c2bd8688513973ab86104d6dbe6528f79ea6d7491

SHA512
232823720cd406529eff43805956fde2d12d37d3c6b572b11fc10e7050f2deac1db70dec46eabc00c88a1b9f0688ad3f480100060f33f8ffd3b21c989b006ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3752219.exe
Filesize
272KB

MD5
726fa26a88a1b7c66618edaaa90f4b25

SHA1
7002d08106999f709d8554eda0bc282f99fb1853

SHA256
8f8b36940cec398f4ddc7f6c2bd8688513973ab86104d6dbe6528f79ea6d7491

SHA512
232823720cd406529eff43805956fde2d12d37d3c6b572b11fc10e7050f2deac1db70dec46eabc00c88a1b9f0688ad3f480100060f33f8ffd3b21c989b006ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
Filesize
142KB

MD5
95c15514dc5935ece6d461abc131c134

SHA1
1d4072474b8e3080a506b7d26eb36860aeeba385

SHA256
7f083065a22dfd6a9f87777b81f55eb0f5abbbb043f371c72acf224484b7489d

SHA512
ca0d13fafae44be29ddbf18fed7e072f057dde6e730221bf3099d5c77fa559b7e8d9bd217eacdadb060b4aaab20a70740e21d086ce6508d85ba5525f941cc9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5502380.exe
Filesize
142KB

MD5
95c15514dc5935ece6d461abc131c134

SHA1
1d4072474b8e3080a506b7d26eb36860aeeba385

SHA256
7f083065a22dfd6a9f87777b81f55eb0f5abbbb043f371c72acf224484b7489d

SHA512
ca0d13fafae44be29ddbf18fed7e072f057dde6e730221bf3099d5c77fa559b7e8d9bd217eacdadb060b4aaab20a70740e21d086ce6508d85ba5525f941cc9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
Filesize
174KB

MD5
82b87916b108486eb40d064dc4998a6a

SHA1
83c756bbd367599429d5ebd78c2d0602210be7de

SHA256
95df9fa15294d0d74014ce47743676be345df96e02174da08f9aac6cff894daf

SHA512
37b36d141bd4cfa76a88bcf25807938f9b08683adc3a10a804544427d018bf7ae1bce2fb0f5074552792fee6fd281f1d8d00cdef7d592c78b8c7dd8a3f43c357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5685214.exe
Filesize
174KB

MD5
82b87916b108486eb40d064dc4998a6a

SHA1
83c756bbd367599429d5ebd78c2d0602210be7de

SHA256
95df9fa15294d0d74014ce47743676be345df96e02174da08f9aac6cff894daf

SHA512
37b36d141bd4cfa76a88bcf25807938f9b08683adc3a10a804544427d018bf7ae1bce2fb0f5074552792fee6fd281f1d8d00cdef7d592c78b8c7dd8a3f43c357

Download Submit
memory/2732-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/2732-25-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-26-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/2732-27-0x0000000005BE0000-0x00000000061E6000-memory.dmp

Filesize
6.0MB

Download
memory/2732-28-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/2732-29-0x0000000005600000-0x0000000005612000-memory.dmp

Filesize
72KB

Download
memory/2732-30-0x0000000005660000-0x000000000569E000-memory.dmp

Filesize
248KB

Download
memory/2732-31-0x00000000057F0000-0x000000000583B000-memory.dmp

Filesize
300KB

Download
memory/2732-32-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads