redline | c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2

General

Target

c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe
Size

785KB
MD5

c012953d7a8d9aa39337e0e88f056747
SHA1

f3482f68b8210d4807ff2aff3f38ef4303d4ae3e
SHA256

c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2
SHA512

21f33515653d617879e76986594c3208192e6d0717be7cb12d5a86b3935dec211dc270efa6b8515b0da6f1727b9b3e3c54931c1e5db86e49045f2262c9a37b1c
SSDEEP

12288:cMr6y90WeDHKSk5XIpv+J8pbfLLPq6oBADYnRqUYjOFWmFaxZubSM4azU1MH:GyVRXIRrfHSFA8Rff+TFaBH

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2132	x0963719.exe
3520	x8886218.exe
1556	h6586906.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8886218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0963719.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2132	4916	c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe	85
PID 4916 wrote to memory of 2132	4916	c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe	85
PID 4916 wrote to memory of 2132	4916	c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe	85
PID 2132 wrote to memory of 3520	2132	x0963719.exe	86
PID 2132 wrote to memory of 3520	2132	x0963719.exe	86
PID 2132 wrote to memory of 3520	2132	x0963719.exe	86
PID 3520 wrote to memory of 1556	3520	x8886218.exe	87
PID 3520 wrote to memory of 1556	3520	x8886218.exe	87
PID 3520 wrote to memory of 1556	3520	x8886218.exe	87

C:\Users\Admin\AppData\Local\Temp\c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe
"C:\Users\Admin\AppData\Local\Temp\c4abe6f8506a8f156c97d37ad06c37aa68520f7c3481a02251508eb43e8e6ce2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0963719.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0963719.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8886218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8886218.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6586906.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6586906.exe
      4⤵
      Executes dropped EXE
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0963719.exe

Filesize
683KB

MD5
bb0141fd36e25ce2dc6d5f566a794454

SHA1
af822af9bc387337a950f5e72dcab6678cd45bd0

SHA256
3c56fd35c60d2803a4f398a2afdba4737237bd8daeb4bd6bd75e72d36cdbb892

SHA512
4bb597620573eb824308bb2569cdce95be2bca949b239141e8d599d8043c4eac55629046a321da62d0562e4b6055cf1b1c4f8da7ac66434d897bc28b38b67fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0963719.exe

Filesize
683KB

MD5
bb0141fd36e25ce2dc6d5f566a794454

SHA1
af822af9bc387337a950f5e72dcab6678cd45bd0

SHA256
3c56fd35c60d2803a4f398a2afdba4737237bd8daeb4bd6bd75e72d36cdbb892

SHA512
4bb597620573eb824308bb2569cdce95be2bca949b239141e8d599d8043c4eac55629046a321da62d0562e4b6055cf1b1c4f8da7ac66434d897bc28b38b67fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8886218.exe

Filesize
292KB

MD5
5a64de40c77207593476981f4ea710ac

SHA1
985e6cf047ed41a48a8800f1ed748fed509b2320

SHA256
a034ce2992ad5332c687ddcd11b570130fd5efa61c6342b3e9e3694f12bc2463

SHA512
caf35ae47d771063b94bb4406ab27b13d34c04f77095eeffe95c9a0f2a84d759620d4e906a0a801d9f4cfb7c88fe757e87c1b9ffa9779e4be0fe9d13646aa96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8886218.exe

Filesize
292KB

MD5
5a64de40c77207593476981f4ea710ac

SHA1
985e6cf047ed41a48a8800f1ed748fed509b2320

SHA256
a034ce2992ad5332c687ddcd11b570130fd5efa61c6342b3e9e3694f12bc2463

SHA512
caf35ae47d771063b94bb4406ab27b13d34c04f77095eeffe95c9a0f2a84d759620d4e906a0a801d9f4cfb7c88fe757e87c1b9ffa9779e4be0fe9d13646aa96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6586906.exe

Filesize
174KB

MD5
8d2136bdcb8a0d82cb6d5c3ab1021931

SHA1
f7b6bc4c46b22575fa6d68beaa7c7fe58dbd23bc

SHA256
60781d06a360ae9f08d91ee6b98bf750f4c70074470eb00a8a2732116ee7ddce

SHA512
2eefdd513adc6a68ccede13b8d316ed6b5319e9f653d3c60537b90b5977e87f3df188697d92a773bc414d06e7a23e211320d882b6868eedfccd510e61078d415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6586906.exe

Filesize
174KB

MD5
8d2136bdcb8a0d82cb6d5c3ab1021931

SHA1
f7b6bc4c46b22575fa6d68beaa7c7fe58dbd23bc

SHA256
60781d06a360ae9f08d91ee6b98bf750f4c70074470eb00a8a2732116ee7ddce

SHA512
2eefdd513adc6a68ccede13b8d316ed6b5319e9f653d3c60537b90b5977e87f3df188697d92a773bc414d06e7a23e211320d882b6868eedfccd510e61078d415

Download Submit
memory/1556-21-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-22-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/1556-23-0x0000000004CE0000-0x0000000004CE6000-memory.dmp

Filesize
24KB

Download
memory/1556-24-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/1556-25-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/1556-27-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1556-26-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/1556-28-0x0000000004E00000-0x0000000004E3C000-memory.dmp

Filesize
240KB

Download
memory/1556-29-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Filesize
304KB

Download
memory/1556-30-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-31-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads