redline | 0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be

General

Target

0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe
Size

696KB
MD5

c2b522f7efa7fda19f5e14f21d88f8ac
SHA1

6cce421e7b2dd16ebdea11bf6f05a27a3d110325
SHA256

0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be
SHA512

7751024b600fef0e3ac7377c8b4659e5dea00ffbed200320b00a132fdf2c32eca9c2cc77fd5edff5da16ad9feb4ae0e5f6333d9be24f4596696295e6994cf00d
SSDEEP

12288:WMrSy90lw0TpNbX1ZjJu15eqx8DV+H0EZPiJSB7pecgidvQdV85Vskm5IOjtQYkm:UyCpF1pJuxx4V+H7qgpgid438rLQIOJ/

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4600	x0957439.exe
2936	x8906595.exe
3788	h7770973.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0957439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8906595.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4600	4188	0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe	86
PID 4188 wrote to memory of 4600	4188	0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe	86
PID 4188 wrote to memory of 4600	4188	0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe	86
PID 4600 wrote to memory of 2936	4600	x0957439.exe	88
PID 4600 wrote to memory of 2936	4600	x0957439.exe	88
PID 4600 wrote to memory of 2936	4600	x0957439.exe	88
PID 2936 wrote to memory of 3788	2936	x8906595.exe	89
PID 2936 wrote to memory of 3788	2936	x8906595.exe	89
PID 2936 wrote to memory of 3788	2936	x8906595.exe	89

C:\Users\Admin\AppData\Local\Temp\0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe
"C:\Users\Admin\AppData\Local\Temp\0511382eaf984196b106692f4556af32b0c4bef9f1f4002fa0728012bfe138be.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0957439.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0957439.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8906595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8906595.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7770973.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7770973.exe
      4⤵
      Executes dropped EXE
      PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0957439.exe

Filesize
595KB

MD5
f29a2ff47dd99c500c9e988dee149711

SHA1
49aa5e6db5357fadf865fe75fee7a6672db7839c

SHA256
364dc54e7a816dcbcefb645810e193b7a6a0d630bcabed5fc18f07eaec9e17cc

SHA512
b77f373afb10b97dfaa74604577986a09e081c0efbd9d3a23a29bb7671f50074bba127d0217efaffbf01e5e6862cdb5fa7fbef235871dd802967236abb5d3a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0957439.exe

Filesize
595KB

MD5
f29a2ff47dd99c500c9e988dee149711

SHA1
49aa5e6db5357fadf865fe75fee7a6672db7839c

SHA256
364dc54e7a816dcbcefb645810e193b7a6a0d630bcabed5fc18f07eaec9e17cc

SHA512
b77f373afb10b97dfaa74604577986a09e081c0efbd9d3a23a29bb7671f50074bba127d0217efaffbf01e5e6862cdb5fa7fbef235871dd802967236abb5d3a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8906595.exe

Filesize
292KB

MD5
e9c95352391cd987c410dae74a98c8e8

SHA1
04412d55753386ec81df6e637a086092a99f3e02

SHA256
027d2458497d0e69d18a2e6243eb919e044c814c05ea9d90e72492e31d2d693d

SHA512
44b3c180e515cc7fc3be312809749164f0750663d3a3a7eca5f6350b5ebff380f517b8051c35ea5d187b5a6ef02b2e4d85d6a4e67db814c28aabbee0adf86e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8906595.exe

Filesize
292KB

MD5
e9c95352391cd987c410dae74a98c8e8

SHA1
04412d55753386ec81df6e637a086092a99f3e02

SHA256
027d2458497d0e69d18a2e6243eb919e044c814c05ea9d90e72492e31d2d693d

SHA512
44b3c180e515cc7fc3be312809749164f0750663d3a3a7eca5f6350b5ebff380f517b8051c35ea5d187b5a6ef02b2e4d85d6a4e67db814c28aabbee0adf86e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7770973.exe

Filesize
174KB

MD5
04fb0d91dfe18c550e865a62d2c0f6b9

SHA1
e9757c2ecfc4424811b0f92d512593427e742100

SHA256
e6126067d75049b2757d0f5ed3460e7d528cb4c6fd05f25fb207303fe39a238a

SHA512
b83bd720ced7f1c8a39606a5235ecbf7ee58fa52dc307529c742037d9c7a7e48f7a254491cc2cd29422c6a8b6aae344151bf75397608d8878d5689e222033e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7770973.exe

Filesize
174KB

MD5
04fb0d91dfe18c550e865a62d2c0f6b9

SHA1
e9757c2ecfc4424811b0f92d512593427e742100

SHA256
e6126067d75049b2757d0f5ed3460e7d528cb4c6fd05f25fb207303fe39a238a

SHA512
b83bd720ced7f1c8a39606a5235ecbf7ee58fa52dc307529c742037d9c7a7e48f7a254491cc2cd29422c6a8b6aae344151bf75397608d8878d5689e222033e88

Download Submit
memory/3788-23-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/3788-22-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3788-21-0x0000000000D70000-0x0000000000DA0000-memory.dmp

Filesize
192KB

Download
memory/3788-24-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/3788-25-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3788-27-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/3788-26-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/3788-28-0x00000000058A0000-0x00000000058DC000-memory.dmp

Filesize
240KB

Download
memory/3788-29-0x00000000058E0000-0x000000000592C000-memory.dmp

Filesize
304KB

Download
memory/3788-30-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3788-31-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads