redline | 6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352

General

Target

6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe
Size

567KB
MD5

3a970eab241cdd7856b9273ee874968e
SHA1

b16da4acac823e3a4570713ba8ecd2aa82914b27
SHA256

6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352
SHA512

8442f60f13f3cc0dab782ea1cfca4c5bb39d630715aa77014db7494f0fe18221567821f25048b536562a4dd6245983c578ba03653569826b454e5d83baec8f43
SSDEEP

12288:pMrgy90U917FPRKYVB0On8+lTmfd48MONSekP5m2xfD6:xyXVRKA0OnW68bNSvm2h6

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4604	v8725202.exe
4892	a7937048.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8725202.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 4900	4892	a7937048.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4808	4892	WerFault.exe	72

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4604	2204	6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe	71
PID 2204 wrote to memory of 4604	2204	6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe	71
PID 2204 wrote to memory of 4604	2204	6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe	71
PID 4604 wrote to memory of 4892	4604	v8725202.exe	72
PID 4604 wrote to memory of 4892	4604	v8725202.exe	72
PID 4604 wrote to memory of 4892	4604	v8725202.exe	72
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74
PID 4892 wrote to memory of 4900	4892	a7937048.exe	74

C:\Users\Admin\AppData\Local\Temp\6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe
"C:\Users\Admin\AppData\Local\Temp\6e52623e20133000d7ac05223f999bb6ac813b124a8a2ceaf5f71098bd1bd352.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8725202.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8725202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7937048.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7937048.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 572
      4⤵
      Program crash
      PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8725202.exe

Filesize
466KB

MD5
f53018d3ebe95742e19482a28f5fe972

SHA1
c853852c13aa62c8771e308b0b95e704392f82c5

SHA256
b6e8e3fe64d68905545030654e3d050fe7352efd1e2ad690490fa3f197b8f123

SHA512
e7a299a5aee45c6273e284ed9ef653326a7d78f47279d807eaa18ec9f23bd06f35cabbc0759fab3f9078cb41fb28ef30f386ab74187efedd7877f32396d59c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8725202.exe

Filesize
466KB

MD5
f53018d3ebe95742e19482a28f5fe972

SHA1
c853852c13aa62c8771e308b0b95e704392f82c5

SHA256
b6e8e3fe64d68905545030654e3d050fe7352efd1e2ad690490fa3f197b8f123

SHA512
e7a299a5aee45c6273e284ed9ef653326a7d78f47279d807eaa18ec9f23bd06f35cabbc0759fab3f9078cb41fb28ef30f386ab74187efedd7877f32396d59c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7937048.exe

Filesize
707KB

MD5
ccd98cb772457f3b15a2f3a52bfa8fae

SHA1
297b57ccc8b0cad6c947d2fc0c0e7fde571a6a6a

SHA256
667df179e0e6579e075f9a41a5f0b7441aaa6e18f0a0549b0ea006c08452fc1f

SHA512
cbe147f8d6097162b7a5ca480253ed4a9012106db90f89a3e3da4ff7f375cd51c5594a764766080b50c013762cd84dcad6e9ccc5be43b23ca8341a9158531f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7937048.exe

Filesize
707KB

MD5
ccd98cb772457f3b15a2f3a52bfa8fae

SHA1
297b57ccc8b0cad6c947d2fc0c0e7fde571a6a6a

SHA256
667df179e0e6579e075f9a41a5f0b7441aaa6e18f0a0549b0ea006c08452fc1f

SHA512
cbe147f8d6097162b7a5ca480253ed4a9012106db90f89a3e3da4ff7f375cd51c5594a764766080b50c013762cd84dcad6e9ccc5be43b23ca8341a9158531f12

Download Submit
memory/4900-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4900-18-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/4900-19-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/4900-20-0x000000000E890000-0x000000000EE96000-memory.dmp

Filesize
6.0MB

Download
memory/4900-21-0x000000000E390000-0x000000000E49A000-memory.dmp

Filesize
1.0MB

Download
memory/4900-22-0x0000000001180000-0x0000000001192000-memory.dmp

Filesize
72KB

Download
memory/4900-23-0x000000000E280000-0x000000000E2BE000-memory.dmp

Filesize
248KB

Download
memory/4900-24-0x0000000006940000-0x000000000698B000-memory.dmp

Filesize
300KB

Download
memory/4900-29-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads