redline | 9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7

General

Target

9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe
Size

696KB
MD5

37f9a50aa72a4e981856d313d839b505
SHA1

1aaf01b4080bbb9b27e0eb66d9bf1e0014d93cd7
SHA256

9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7
SHA512

1b3cdc274d5de5dcd7a6624410e7f01256229c42c1fefdf8671abf7fcc7fd467dcfcc7ebac63dd2911cff1b38061cc2dc5e5a3a456c06fc0ff93f27ca9462517
SSDEEP

12288:oMr5y90dD8gvqLQejnQYdkFAfYpQ+Z2eIRTXgT8ZIe:hyJJLNjnTmY+Z2TR7ae

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2648	x6719982.exe
4416	x0552480.exe
2404	h9407697.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6719982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0552480.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2648	5116	9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe	70
PID 5116 wrote to memory of 2648	5116	9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe	70
PID 5116 wrote to memory of 2648	5116	9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe	70
PID 2648 wrote to memory of 4416	2648	x6719982.exe	71
PID 2648 wrote to memory of 4416	2648	x6719982.exe	71
PID 2648 wrote to memory of 4416	2648	x6719982.exe	71
PID 4416 wrote to memory of 2404	4416	x0552480.exe	72
PID 4416 wrote to memory of 2404	4416	x0552480.exe	72
PID 4416 wrote to memory of 2404	4416	x0552480.exe	72

C:\Users\Admin\AppData\Local\Temp\9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe
"C:\Users\Admin\AppData\Local\Temp\9eb005eeac5d582bc3a490b2c35f720e73d0ad19292cf297a0b93c70ce7e2fa7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6719982.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6719982.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0552480.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0552480.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h9407697.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h9407697.exe
      4⤵
      Executes dropped EXE
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6719982.exe

Filesize
594KB

MD5
a8c00d6ea9338cdfd5f23f0f087327b0

SHA1
84207ea83ce8e6dbaa2b114f7c956bd006586ff0

SHA256
ece7fb65f66d3378d97c16b6313f91141a9c3286a890fb229ea849eab4346fc4

SHA512
a0afdd0693fe9359a828275136bf309e13605685e3b12714257ca10776217384fad487e93e7c26df68a74bb8d51ec5d3c41af9562e34c83f04ab76b727adc5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6719982.exe

Filesize
594KB

MD5
a8c00d6ea9338cdfd5f23f0f087327b0

SHA1
84207ea83ce8e6dbaa2b114f7c956bd006586ff0

SHA256
ece7fb65f66d3378d97c16b6313f91141a9c3286a890fb229ea849eab4346fc4

SHA512
a0afdd0693fe9359a828275136bf309e13605685e3b12714257ca10776217384fad487e93e7c26df68a74bb8d51ec5d3c41af9562e34c83f04ab76b727adc5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0552480.exe

Filesize
292KB

MD5
c58210d0b95eeb3611ce07ec46280129

SHA1
8a517b86680ca1a71aa10018e6e257d29ba71ff8

SHA256
c944689824b050566b02bf33ebfc75255f395551a9cd404a944747ac74308040

SHA512
3c8c845e79426e1cc5756b39f7a126602ca361980e1645ed9e0d06be0d92c6e7d3d844d7b45c922945262295136cab06afd8be23c8fc915dad73ec0164d9ee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0552480.exe

Filesize
292KB

MD5
c58210d0b95eeb3611ce07ec46280129

SHA1
8a517b86680ca1a71aa10018e6e257d29ba71ff8

SHA256
c944689824b050566b02bf33ebfc75255f395551a9cd404a944747ac74308040

SHA512
3c8c845e79426e1cc5756b39f7a126602ca361980e1645ed9e0d06be0d92c6e7d3d844d7b45c922945262295136cab06afd8be23c8fc915dad73ec0164d9ee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h9407697.exe

Filesize
174KB

MD5
2963da232db6db53b13dae943ae95031

SHA1
6b7ea1cdd5032ed336aa4540c995aacb3592199a

SHA256
f05f3b67e6e282df4bf8b2c7f70d42405de64493232c5b41e9325376b6a77ec8

SHA512
e597f216c25c44e3317a7415cf9e4ddbce4f86273b8811950dbee9c24adb8f7924e4814c1c047373b7073aeef044a0b7361dd86dd97bf8f6981cafa22d99fbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h9407697.exe

Filesize
174KB

MD5
2963da232db6db53b13dae943ae95031

SHA1
6b7ea1cdd5032ed336aa4540c995aacb3592199a

SHA256
f05f3b67e6e282df4bf8b2c7f70d42405de64493232c5b41e9325376b6a77ec8

SHA512
e597f216c25c44e3317a7415cf9e4ddbce4f86273b8811950dbee9c24adb8f7924e4814c1c047373b7073aeef044a0b7361dd86dd97bf8f6981cafa22d99fbec

Download Submit
memory/2404-21-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/2404-22-0x0000000073720000-0x0000000073E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-23-0x0000000004E90000-0x0000000004E96000-memory.dmp

Filesize
24KB

Download
memory/2404-24-0x00000000055F0000-0x0000000005BF6000-memory.dmp

Filesize
6.0MB

Download
memory/2404-25-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/2404-26-0x0000000005000000-0x0000000005012000-memory.dmp

Filesize
72KB

Download
memory/2404-27-0x0000000005060000-0x000000000509E000-memory.dmp

Filesize
248KB

Download
memory/2404-28-0x00000000050A0000-0x00000000050EB000-memory.dmp

Filesize
300KB

Download
memory/2404-29-0x0000000073720000-0x0000000073E0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads