redline | 6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2

General

Target

6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
Size

785KB
MD5

25dd2010403833bdf9a0ce82ebaef893
SHA1

b7735b5cf88af8fed9811bdd4d3dc628faecf263
SHA256

6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2
SHA512

fd4cc9ba6104ff0bf465eec20e76ca7c28bd0aaeacf7db97d3e02d855b641e2e592189f503daa8f937273b75f16cc6cf06c93fd626525e5799be0e2eeb9c73f6
SSDEEP

24576:2ygAYfZxMCZUx9L/OY/i8QVkwOf5uT8c:FgA2ZxMPjR/i84SE8

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3964	x3628451.exe
1672	x1324198.exe
1580	h4701601.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3628451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1324198.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3964	2300	6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe	70
PID 2300 wrote to memory of 3964	2300	6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe	70
PID 2300 wrote to memory of 3964	2300	6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe	70
PID 3964 wrote to memory of 1672	3964	x3628451.exe	71
PID 3964 wrote to memory of 1672	3964	x3628451.exe	71
PID 3964 wrote to memory of 1672	3964	x3628451.exe	71
PID 1672 wrote to memory of 1580	1672	x1324198.exe	72
PID 1672 wrote to memory of 1580	1672	x1324198.exe	72
PID 1672 wrote to memory of 1580	1672	x1324198.exe	72

C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe
"C:\Users\Admin\AppData\Local\Temp\6391d8baef64a0551a5fde9c6a04b804f8fc88178af953cd194e40810de12bb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe
      4⤵
      Executes dropped EXE
      PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe

Filesize
683KB

MD5
06690eaf90a911194a23295d95d095de

SHA1
5e68e728f1c5f06fdc284d78e88f913398f99c33

SHA256
f77a983ce9afcff6d89d96c489d4e3b1000ba981e2b8956e2bf25446bdaec71b

SHA512
ae7bd407556283357332b139f2af6a453b5368caf5eb17f2b1ba3554f0f0a850434d43281503f2c5f990de44cd0b0e23ef5d12d5e909640186a31cdb7db162ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3628451.exe

Filesize
683KB

MD5
06690eaf90a911194a23295d95d095de

SHA1
5e68e728f1c5f06fdc284d78e88f913398f99c33

SHA256
f77a983ce9afcff6d89d96c489d4e3b1000ba981e2b8956e2bf25446bdaec71b

SHA512
ae7bd407556283357332b139f2af6a453b5368caf5eb17f2b1ba3554f0f0a850434d43281503f2c5f990de44cd0b0e23ef5d12d5e909640186a31cdb7db162ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe

Filesize
292KB

MD5
42c03c7551187693b05cfe87d8b4e006

SHA1
5655ce056ae2b28a0e2ee46556c315ca6658f8b1

SHA256
374ef19811b4688b7720b3b6929834a2290c74c8680aa302057f76688ac3628a

SHA512
b75deac420cc0474db12d26b360d5ae040887afd197fcbe72776d96f2a5a70ec1df5aaca1a0b7da80a7a36cb523f100090fba360222b7f8b3f167b969d95d886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1324198.exe

Filesize
292KB

MD5
42c03c7551187693b05cfe87d8b4e006

SHA1
5655ce056ae2b28a0e2ee46556c315ca6658f8b1

SHA256
374ef19811b4688b7720b3b6929834a2290c74c8680aa302057f76688ac3628a

SHA512
b75deac420cc0474db12d26b360d5ae040887afd197fcbe72776d96f2a5a70ec1df5aaca1a0b7da80a7a36cb523f100090fba360222b7f8b3f167b969d95d886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe

Filesize
174KB

MD5
9b8ec2d5e50778b2304b0a00aecf9b88

SHA1
e7a619d7f841468490b5440445de4a747587982f

SHA256
c181edf3a92aac4c2fc0c4340cf8da8dff97101607028147dab72947951a9a22

SHA512
3c5affb557bfb9ca8eeba7d22a641ad5e4047bc7da587d8edbc7cd5f5e8df047f327a0ce19adb212bda981dd1bec80124e0b285e3af3dad498d6a7727e6ddbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4701601.exe

Filesize
174KB

MD5
9b8ec2d5e50778b2304b0a00aecf9b88

SHA1
e7a619d7f841468490b5440445de4a747587982f

SHA256
c181edf3a92aac4c2fc0c4340cf8da8dff97101607028147dab72947951a9a22

SHA512
3c5affb557bfb9ca8eeba7d22a641ad5e4047bc7da587d8edbc7cd5f5e8df047f327a0ce19adb212bda981dd1bec80124e0b285e3af3dad498d6a7727e6ddbb7

Download Submit
memory/1580-21-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/1580-22-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/1580-23-0x0000000004DD0000-0x0000000004DD6000-memory.dmp

Filesize
24KB

Download
memory/1580-24-0x000000000A920000-0x000000000AF26000-memory.dmp

Filesize
6.0MB

Download
memory/1580-25-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/1580-26-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/1580-27-0x000000000A3B0000-0x000000000A3EE000-memory.dmp

Filesize
248KB

Download
memory/1580-28-0x000000000A530000-0x000000000A57B000-memory.dmp

Filesize
300KB

Download
memory/1580-29-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads