redline | d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a

General

Target

d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
Size

784KB
MD5

51c9ee25aaa18e5d6f4e972d5d5cfd2d
SHA1

b41cd9b3bbc50eec073ba951d043d50855249b52
SHA256

d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a
SHA512

798ff8d4f18301ce40f56c7b61dd9d182143ddde9af68c0af4d057a40e7ce7a3519238494a858a1d74ebb355de1e93acd60b9f1eafd01b5ddf21a1267211e192
SSDEEP

12288:TMrIy90KTex558mXKEFPItyzOYDnlrO3gnRr9rSYZA6NgCNzPrp9h/KcUEG7G0BW:TyF+8mNatyzxDl62dSGNDd9MEklBW

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4908	x0719101.exe
4544	x2457753.exe
1040	h4776929.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2457753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0719101.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4908	5048	d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe	70
PID 5048 wrote to memory of 4908	5048	d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe	70
PID 5048 wrote to memory of 4908	5048	d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe	70
PID 4908 wrote to memory of 4544	4908	x0719101.exe	71
PID 4908 wrote to memory of 4544	4908	x0719101.exe	71
PID 4908 wrote to memory of 4544	4908	x0719101.exe	71
PID 4544 wrote to memory of 1040	4544	x2457753.exe	72
PID 4544 wrote to memory of 1040	4544	x2457753.exe	72
PID 4544 wrote to memory of 1040	4544	x2457753.exe	72

C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe
"C:\Users\Admin\AppData\Local\Temp\d619cd70c85869ded3aef847689945ebcb35cf743f24e3aa7396e15ec557303a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe
      4⤵
      Executes dropped EXE
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe

Filesize
683KB

MD5
1bc56701ce55735a0c4365e2dcf03f70

SHA1
a074d478b585cfcdf2bacd7b4e77b7a4e7967865

SHA256
a742172a730cc19210ddeb91d6ff01720ec59279437bf78fc84620ec78df51e7

SHA512
a1ed210cc6cdd89ad74d2bd8de46a9a3e29836c920b2ed45d95f1a3902b66ec0e37d4180e2d8023bdc433708d5aecccb793a974911314319b235fbf1ae873743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0719101.exe

Filesize
683KB

MD5
1bc56701ce55735a0c4365e2dcf03f70

SHA1
a074d478b585cfcdf2bacd7b4e77b7a4e7967865

SHA256
a742172a730cc19210ddeb91d6ff01720ec59279437bf78fc84620ec78df51e7

SHA512
a1ed210cc6cdd89ad74d2bd8de46a9a3e29836c920b2ed45d95f1a3902b66ec0e37d4180e2d8023bdc433708d5aecccb793a974911314319b235fbf1ae873743

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe

Filesize
292KB

MD5
223dd37df1d8a9fcb3dd3b3f17c24e40

SHA1
2b8814f0454d650d66c518ab6ee6f3b2fa3802db

SHA256
ef7d281b8c1c2a4bff98130652f71e31719878374de97a2bf7f4e28f41ab7909

SHA512
670162542e476824fdb153f43f4e99e40ac44cfb0ae13c7c2ea138dfe31e2d2a1497fae24880e8b2b3b4cdd4114ace88f033166677c2f73e97e7f6fb729f3757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2457753.exe

Filesize
292KB

MD5
223dd37df1d8a9fcb3dd3b3f17c24e40

SHA1
2b8814f0454d650d66c518ab6ee6f3b2fa3802db

SHA256
ef7d281b8c1c2a4bff98130652f71e31719878374de97a2bf7f4e28f41ab7909

SHA512
670162542e476824fdb153f43f4e99e40ac44cfb0ae13c7c2ea138dfe31e2d2a1497fae24880e8b2b3b4cdd4114ace88f033166677c2f73e97e7f6fb729f3757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe

Filesize
174KB

MD5
f086fc5f65273ca2479b5a3b126ea427

SHA1
a87200a7a777655ea2c646ed324346866f0f5bb1

SHA256
cc7369937d7fd737d788aaa0cb699a52d1a24be4ca87843a1c6086673a3249dc

SHA512
32ee5b3828e27110d9a62c9cfb5dda1e73bfacc55647e6026b42225da97db17bcc8983d46f825abc764ac32396f62d2ba4a75eba94a3d1860a3c3d6ebc8a2608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4776929.exe

Filesize
174KB

MD5
f086fc5f65273ca2479b5a3b126ea427

SHA1
a87200a7a777655ea2c646ed324346866f0f5bb1

SHA256
cc7369937d7fd737d788aaa0cb699a52d1a24be4ca87843a1c6086673a3249dc

SHA512
32ee5b3828e27110d9a62c9cfb5dda1e73bfacc55647e6026b42225da97db17bcc8983d46f825abc764ac32396f62d2ba4a75eba94a3d1860a3c3d6ebc8a2608

Download Submit
memory/1040-22-0x0000000072C10000-0x00000000732FE000-memory.dmp

Filesize
6.9MB

Download
memory/1040-21-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/1040-23-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

Filesize
24KB

Download
memory/1040-24-0x000000000A900000-0x000000000AF06000-memory.dmp

Filesize
6.0MB

Download
memory/1040-25-0x000000000A440000-0x000000000A54A000-memory.dmp

Filesize
1.0MB

Download
memory/1040-26-0x000000000A370000-0x000000000A382000-memory.dmp

Filesize
72KB

Download
memory/1040-27-0x000000000A3D0000-0x000000000A40E000-memory.dmp

Filesize
248KB

Download
memory/1040-28-0x000000000A550000-0x000000000A59B000-memory.dmp

Filesize
300KB

Download
memory/1040-29-0x0000000072C10000-0x00000000732FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads