redline | edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a

General

Target

edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe
Size

784KB
MD5

714805bd8109996472f4189ca7b9ff4a
SHA1

83e108972ca2d957247d4e7c3fd169711bc4a023
SHA256

edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a
SHA512

a3367510710e3003fd57e644271e7afda87f4d0f7edc2da15d265a9241f5af3b21e438cd35ebdcf50367b299443edf9d3962efc167cfcb47f191b47032196a20
SSDEEP

12288:bMr4y903OYeX3R4nkd9E7iesLEsTbgmCToCS94BxhPKJr7V3h/bxW/sBtj73aD49:7ytY4K7XsGm2oCkG/MZh/4MN3aDQkX6

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2336	x7722174.exe
4128	x4726676.exe
2664	h3318778.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7722174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4726676.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 2336	3776	edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe	70
PID 3776 wrote to memory of 2336	3776	edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe	70
PID 3776 wrote to memory of 2336	3776	edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe	70
PID 2336 wrote to memory of 4128	2336	x7722174.exe	71
PID 2336 wrote to memory of 4128	2336	x7722174.exe	71
PID 2336 wrote to memory of 4128	2336	x7722174.exe	71
PID 4128 wrote to memory of 2664	4128	x4726676.exe	72
PID 4128 wrote to memory of 2664	4128	x4726676.exe	72
PID 4128 wrote to memory of 2664	4128	x4726676.exe	72

C:\Users\Admin\AppData\Local\Temp\edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe
"C:\Users\Admin\AppData\Local\Temp\edb960ffa763b80612e244f7c395e2f30040c46963a6e06369f046d207ce655a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722174.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722174.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4726676.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4726676.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3318778.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3318778.exe
      4⤵
      Executes dropped EXE
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722174.exe

Filesize
682KB

MD5
7211463dd7bfb6dab314d674e46b3245

SHA1
43a6d294ca29520d36f03704275b69bb142e3a64

SHA256
ccf9648f3540ed38b13a1a8b871ad6c4135617bb02faaf3098674750cf99964a

SHA512
c93fb175794b1a0a4b787f979ad1fd7d95b06eac15f13c97a980f3da0b1ef89cd916df38d5be360804af5058ae4ee20f0e4829376a40804df87adb104da65f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7722174.exe

Filesize
682KB

MD5
7211463dd7bfb6dab314d674e46b3245

SHA1
43a6d294ca29520d36f03704275b69bb142e3a64

SHA256
ccf9648f3540ed38b13a1a8b871ad6c4135617bb02faaf3098674750cf99964a

SHA512
c93fb175794b1a0a4b787f979ad1fd7d95b06eac15f13c97a980f3da0b1ef89cd916df38d5be360804af5058ae4ee20f0e4829376a40804df87adb104da65f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4726676.exe

Filesize
292KB

MD5
94274022337d34c8cb0ec47fac34d02f

SHA1
e3d1e15e890d9e037991f2e36aeedad07d2d39a3

SHA256
21bce7b0290c990aa7a3919338e99743c9b7c0aa417c59034607cea2c9ffd2a2

SHA512
fa4f09f796edba878a24f87437282f8db5586843121faf459d8b2b2a6a2676e60275611daefed58913622cae0bd58b2b0079a5d6eaad5ede90859ac494a97ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4726676.exe

Filesize
292KB

MD5
94274022337d34c8cb0ec47fac34d02f

SHA1
e3d1e15e890d9e037991f2e36aeedad07d2d39a3

SHA256
21bce7b0290c990aa7a3919338e99743c9b7c0aa417c59034607cea2c9ffd2a2

SHA512
fa4f09f796edba878a24f87437282f8db5586843121faf459d8b2b2a6a2676e60275611daefed58913622cae0bd58b2b0079a5d6eaad5ede90859ac494a97ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3318778.exe

Filesize
174KB

MD5
962adc167c8bd0f1ca27bdc29745d46f

SHA1
93dc8bc933704024e32f054b6a564e439d932200

SHA256
114f5294a93be6ecc8adb9942a00c8a67cd3167c1493c760cd0ef923b486846b

SHA512
dd0205457cfa38bad337c30f70ef4dff7c7bd8dd95623d503af3ba240de5e4d08c6a7cf5637ca88a5dfba29de00139a229340c44bc01235e5446f86a40fa3682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3318778.exe

Filesize
174KB

MD5
962adc167c8bd0f1ca27bdc29745d46f

SHA1
93dc8bc933704024e32f054b6a564e439d932200

SHA256
114f5294a93be6ecc8adb9942a00c8a67cd3167c1493c760cd0ef923b486846b

SHA512
dd0205457cfa38bad337c30f70ef4dff7c7bd8dd95623d503af3ba240de5e4d08c6a7cf5637ca88a5dfba29de00139a229340c44bc01235e5446f86a40fa3682

Download Submit
memory/2664-21-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/2664-22-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x00000000027B0000-0x00000000027B6000-memory.dmp

Filesize
24KB

Download
memory/2664-24-0x000000000A940000-0x000000000AF46000-memory.dmp

Filesize
6.0MB

Download
memory/2664-25-0x000000000A440000-0x000000000A54A000-memory.dmp

Filesize
1.0MB

Download
memory/2664-26-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/2664-27-0x000000000A390000-0x000000000A3CE000-memory.dmp

Filesize
248KB

Download
memory/2664-28-0x000000000A3D0000-0x000000000A41B000-memory.dmp

Filesize
300KB

Download
memory/2664-29-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads