redline | 3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef

General

Target

3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe
Size

785KB
MD5

89efee6a2fc51ea8e21800bfb74f57da
SHA1

fc145e355fde7ad7f047ca6ab9d5bde41f3f775a
SHA256

3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef
SHA512

ac61cf7e41913064be5353f303fc1c5fee0173d136162fa84972cefec7008c4c6392ff1a1d39f0fff6c2d5ef458e76e3b2570720fa0bce871d224559654daa11
SSDEEP

12288:MMrky90mIQYYVHyilOhQoLPwbf2jVOERMV+HN6ElIkDsN5+YR080WpO2uIZlFbh:oy9EYV/lObtdRA+t61PP+YR08TO7Eh

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1692	x8981464.exe
640	x4136239.exe
3568	h5517099.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8981464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4136239.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 1692	4520	3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe	70
PID 4520 wrote to memory of 1692	4520	3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe	70
PID 4520 wrote to memory of 1692	4520	3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe	70
PID 1692 wrote to memory of 640	1692	x8981464.exe	71
PID 1692 wrote to memory of 640	1692	x8981464.exe	71
PID 1692 wrote to memory of 640	1692	x8981464.exe	71
PID 640 wrote to memory of 3568	640	x4136239.exe	72
PID 640 wrote to memory of 3568	640	x4136239.exe	72
PID 640 wrote to memory of 3568	640	x4136239.exe	72

C:\Users\Admin\AppData\Local\Temp\3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe
"C:\Users\Admin\AppData\Local\Temp\3e92c49f0f00e96ea33adce151f5c8e45d99bbb6df4fc47878bcf638ecaa56ef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8981464.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8981464.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136239.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136239.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5517099.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5517099.exe
      4⤵
      Executes dropped EXE
      PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8981464.exe

Filesize
683KB

MD5
bc6bf94e1b8eb27f346015982bb657d3

SHA1
094614c86cc96b7bd25a3609bf0a2a9fe1363ec6

SHA256
8041d482403ee0573e4aa3646493fbcb517f735c3c2dcc8c5d81401452684423

SHA512
0046ce98261a5675ff5b85457c3bfcb0b2ac58f85873921882e07cc971862736ce5d97d6f334e349ccae21e436ef4ca500f3171912df9fc672f21a406bc9aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8981464.exe

Filesize
683KB

MD5
bc6bf94e1b8eb27f346015982bb657d3

SHA1
094614c86cc96b7bd25a3609bf0a2a9fe1363ec6

SHA256
8041d482403ee0573e4aa3646493fbcb517f735c3c2dcc8c5d81401452684423

SHA512
0046ce98261a5675ff5b85457c3bfcb0b2ac58f85873921882e07cc971862736ce5d97d6f334e349ccae21e436ef4ca500f3171912df9fc672f21a406bc9aafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136239.exe

Filesize
292KB

MD5
7dbfbc8fb507057fdd99de6f0071c17c

SHA1
a64065376edb7e68e5cb526a915816b1ab436b98

SHA256
657ba9f45a0bf71d21560e887096f910d53d6b2e4ce5efdd2aaf751628309163

SHA512
8740236c44f98f3022c7d142c9505aeb39be0bb3c95cbbaa429456b736358b0efa72ba1868a984c18c16fba926782e37c3c08201d508520fc62af7c3e264de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4136239.exe

Filesize
292KB

MD5
7dbfbc8fb507057fdd99de6f0071c17c

SHA1
a64065376edb7e68e5cb526a915816b1ab436b98

SHA256
657ba9f45a0bf71d21560e887096f910d53d6b2e4ce5efdd2aaf751628309163

SHA512
8740236c44f98f3022c7d142c9505aeb39be0bb3c95cbbaa429456b736358b0efa72ba1868a984c18c16fba926782e37c3c08201d508520fc62af7c3e264de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5517099.exe

Filesize
174KB

MD5
e0f9f2383b278c4d611687e763d0e060

SHA1
985b0a4eac7ae289a2f3173cb4711d6457f9f918

SHA256
5789db302ac9e177ca1de457f1977e979673056da8099f7e13d6d068935965e8

SHA512
ec9edb3a21b3fe16ed805b57f9a7c5d8d5a400c803cd737a916064dbe3a61b229e357acdd6d419da5fb98e67748b28d8c538e0b53f666b8cdf2dc6df68c2b371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5517099.exe

Filesize
174KB

MD5
e0f9f2383b278c4d611687e763d0e060

SHA1
985b0a4eac7ae289a2f3173cb4711d6457f9f918

SHA256
5789db302ac9e177ca1de457f1977e979673056da8099f7e13d6d068935965e8

SHA512
ec9edb3a21b3fe16ed805b57f9a7c5d8d5a400c803cd737a916064dbe3a61b229e357acdd6d419da5fb98e67748b28d8c538e0b53f666b8cdf2dc6df68c2b371

Download Submit
memory/3568-21-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3568-22-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/3568-23-0x0000000004D00000-0x0000000004D06000-memory.dmp

Filesize
24KB

Download
memory/3568-24-0x000000000A730000-0x000000000AD36000-memory.dmp

Filesize
6.0MB

Download
memory/3568-25-0x000000000A250000-0x000000000A35A000-memory.dmp

Filesize
1.0MB

Download
memory/3568-26-0x000000000A180000-0x000000000A192000-memory.dmp

Filesize
72KB

Download
memory/3568-27-0x000000000A1E0000-0x000000000A21E000-memory.dmp

Filesize
248KB

Download
memory/3568-28-0x000000000A360000-0x000000000A3AB000-memory.dmp

Filesize
300KB

Download
memory/3568-29-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads