redline | 273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd

General

Target

273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe
Size

662KB
MD5

31658a3c13d7695eabece91f964a4826
SHA1

25148111c8293d69171cb3854483aa2d6652dd74
SHA256

273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd
SHA512

24308e1a2e4d6a1c34ef754631a4ac3b543a6e39d2b1b42b367a4130cdf62372379eaf730fd727c3693c94982c74ba00d1dc0b0d8489aa0442c3fcf2f2982f2f
SSDEEP

12288:nMrUy904NJYJiWPef6O1WGM19ND4/dAvFkNut3p4USIqYkVZP7wzPu:nyfNRWi6Xr58AdHt55SkOPEzPu

Score

10^/10

redline lada infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lada

C2

77.91.124.82:19071

Attributes

auth_value
252f78fed0684205b098417688fa33e2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

y1651176.exey1831239.exem6379404.exen6715079.exe

pid process

4744 y1651176.exe
4088 y1831239.exe
2744 m6379404.exe
4680 n6715079.exe

pid	process
4744	y1651176.exe
4088	y1831239.exe
2744	m6379404.exe
4680	n6715079.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y1651176.exey1831239.exe273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1651176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1831239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exey1651176.exey1831239.exe

description	pid	process	target process
PID 1208 wrote to memory of 4744	1208	273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe	y1651176.exe
PID 1208 wrote to memory of 4744	1208	273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe	y1651176.exe
PID 1208 wrote to memory of 4744	1208	273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe	y1651176.exe
PID 4744 wrote to memory of 4088	4744	y1651176.exe	y1831239.exe
PID 4744 wrote to memory of 4088	4744	y1651176.exe	y1831239.exe
PID 4744 wrote to memory of 4088	4744	y1651176.exe	y1831239.exe
PID 4088 wrote to memory of 2744	4088	y1831239.exe	m6379404.exe
PID 4088 wrote to memory of 2744	4088	y1831239.exe	m6379404.exe
PID 4088 wrote to memory of 2744	4088	y1831239.exe	m6379404.exe
PID 4088 wrote to memory of 4680	4088	y1831239.exe	n6715079.exe
PID 4088 wrote to memory of 4680	4088	y1831239.exe	n6715079.exe
PID 4088 wrote to memory of 4680	4088	y1831239.exe	n6715079.exe

C:\Users\Admin\AppData\Local\Temp\273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe
"C:\Users\Admin\AppData\Local\Temp\273db29bd8f6b3d55e647ea0a5a0beb71fc0461a635713ad9e94e9fd3e360cdd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1651176.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1651176.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1831239.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1831239.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6379404.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6379404.exe
4⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6715079.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6715079.exe
4⤵
- Executes dropped EXE
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1651176.exe
Filesize
560KB

MD5
2139008f8e50a54719795625cae2a2a8

SHA1
984f76931ef4111ad9dcfa253d52807944fe6ddd

SHA256
d8bb0776d098ff637a3a7883cfea120cf95a3176cc8b0d7a6c538a68e52f9bac

SHA512
c928ffb58d34d6547d846384bcafeb4c2bae79a585a86464e2cd65b4214c4f4d9cc8da9b519e0dbdcfefdd9215e8a12c5ebc37352143dc37020b38e0b26ab585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1651176.exe
Filesize
560KB

MD5
2139008f8e50a54719795625cae2a2a8

SHA1
984f76931ef4111ad9dcfa253d52807944fe6ddd

SHA256
d8bb0776d098ff637a3a7883cfea120cf95a3176cc8b0d7a6c538a68e52f9bac

SHA512
c928ffb58d34d6547d846384bcafeb4c2bae79a585a86464e2cd65b4214c4f4d9cc8da9b519e0dbdcfefdd9215e8a12c5ebc37352143dc37020b38e0b26ab585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1831239.exe
Filesize
271KB

MD5
f3831393eb47983bc77d3e0d3186b65e

SHA1
06620e81c3fcbad40e1921360fccfac737e9d941

SHA256
70744c175b78054fef75b7eab8bbf8f08dcf1a1cb2608f45cd6f323d3f7c5337

SHA512
621cc9e79cb50d7c95eac6fa77a9ca29b975e2792a49fbc92ac417092a306baff5818e8b7b14edaffc8395da8748c8b32d69f0af44ada41fd7fd1e921358fe00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1831239.exe
Filesize
271KB

MD5
f3831393eb47983bc77d3e0d3186b65e

SHA1
06620e81c3fcbad40e1921360fccfac737e9d941

SHA256
70744c175b78054fef75b7eab8bbf8f08dcf1a1cb2608f45cd6f323d3f7c5337

SHA512
621cc9e79cb50d7c95eac6fa77a9ca29b975e2792a49fbc92ac417092a306baff5818e8b7b14edaffc8395da8748c8b32d69f0af44ada41fd7fd1e921358fe00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6379404.exe
Filesize
142KB

MD5
5193f4daeefb65b20df81160c2e5fb11

SHA1
d571d268e56652d656d8748f4818990a85cf17cb

SHA256
d7b846f7b78407867c9da825783132e9f3d6962248c78da666fba863e7ceaa33

SHA512
4c2811f109e37b981b57f7b7e5d3341e558508dd07a41b8534005449e30242ef665b565f44f7aa2dc3ce37e88809e169f1f83382e0d6794a16fddbec28eba346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6379404.exe
Filesize
142KB

MD5
5193f4daeefb65b20df81160c2e5fb11

SHA1
d571d268e56652d656d8748f4818990a85cf17cb

SHA256
d7b846f7b78407867c9da825783132e9f3d6962248c78da666fba863e7ceaa33

SHA512
4c2811f109e37b981b57f7b7e5d3341e558508dd07a41b8534005449e30242ef665b565f44f7aa2dc3ce37e88809e169f1f83382e0d6794a16fddbec28eba346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6715079.exe
Filesize
174KB

MD5
f74a332b0a81610aababc474aac121b5

SHA1
a3b9c3451c7c436cec2f0ec5652a539cc944d11e

SHA256
38d2baca85b0ff22162fc2abf0094f3d80775a40046863bc2f3bf168f9a25d1f

SHA512
29727b056b95870c4887d01d05f11d667c01d8a7fe465dc237183bdd6d34f5fa33b3428c419df0d07ead5dc26b93434f6b0f0c702ae21f815ee5c22eb440c4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6715079.exe
Filesize
174KB

MD5
f74a332b0a81610aababc474aac121b5

SHA1
a3b9c3451c7c436cec2f0ec5652a539cc944d11e

SHA256
38d2baca85b0ff22162fc2abf0094f3d80775a40046863bc2f3bf168f9a25d1f

SHA512
29727b056b95870c4887d01d05f11d667c01d8a7fe465dc237183bdd6d34f5fa33b3428c419df0d07ead5dc26b93434f6b0f0c702ae21f815ee5c22eb440c4a8

Download Submit
memory/4680-24-0x00000000007D0000-0x0000000000800000-memory.dmp

Filesize
192KB

Download
memory/4680-25-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4680-26-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/4680-27-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/4680-28-0x00000000010B0000-0x00000000010C0000-memory.dmp

Filesize
64KB

Download
memory/4680-29-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/4680-30-0x0000000005300000-0x000000000533C000-memory.dmp

Filesize
240KB

Download
memory/4680-31-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/4680-32-0x00000000010B0000-0x00000000010C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads