redline | 6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6

General

Target

6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe
Size

520KB
MD5

32563931769e79ec7324397bd5b0d83e
SHA1

dee7c93bdc30ff0b39cabf00457a0f56153d9e9c
SHA256

6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6
SHA512

d23f6fa8da3879bf3a75dc43f2b50207560b6885268eadb4dd81483b265bf82552540a59d309b7b802a802df83e9b996af7e1dfda2c48266365cd370eb5147ac
SSDEEP

12288:lMrUy90RigiPH8vKhF5DhCDOTZRIvnt6MZVwIG:9yIvKhUGvIvBZVwR

Score

10^/10

redline trush infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1556	v3007141.exe
2812	a7016954.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3007141.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 3600	2812	a7016954.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4620	2812	WerFault.exe	71

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1556	4004	6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe	70
PID 4004 wrote to memory of 1556	4004	6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe	70
PID 4004 wrote to memory of 1556	4004	6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe	70
PID 1556 wrote to memory of 2812	1556	v3007141.exe	71
PID 1556 wrote to memory of 2812	1556	v3007141.exe	71
PID 1556 wrote to memory of 2812	1556	v3007141.exe	71
PID 2812 wrote to memory of 3332	2812	a7016954.exe	72
PID 2812 wrote to memory of 3332	2812	a7016954.exe	72
PID 2812 wrote to memory of 3332	2812	a7016954.exe	72
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73
PID 2812 wrote to memory of 3600	2812	a7016954.exe	73

C:\Users\Admin\AppData\Local\Temp\6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe
"C:\Users\Admin\AppData\Local\Temp\6b95623fff1ab2402a0f3ac5dd979d99f8b2d70f51e16b30548f9a8363ffc7b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007141.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007141.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7016954.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7016954.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 572
      4⤵
      Program crash
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007141.exe

Filesize
418KB

MD5
f84ff0837879ebc35653c25321914941

SHA1
24e28e08c5a834e6dfefff06d6ab53583f396177

SHA256
5ca9b08d3b7de7b4788b1dc2463dc57c2e1d91c1de6ae9cba7675cb2c011e287

SHA512
6948453f10288c78d9cef22e1eb487cdf72a84f971b68f5449789b79ca2cef0ce92430b24cf8e132e19c7841291f7328640df794c056e62b6d55be0779564e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007141.exe

Filesize
418KB

MD5
f84ff0837879ebc35653c25321914941

SHA1
24e28e08c5a834e6dfefff06d6ab53583f396177

SHA256
5ca9b08d3b7de7b4788b1dc2463dc57c2e1d91c1de6ae9cba7675cb2c011e287

SHA512
6948453f10288c78d9cef22e1eb487cdf72a84f971b68f5449789b79ca2cef0ce92430b24cf8e132e19c7841291f7328640df794c056e62b6d55be0779564e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7016954.exe

Filesize
384KB

MD5
7baf990c21c8077df34eb0e744333d3b

SHA1
29870016e28fbb59f28f39a3e22bf1383db8f90b

SHA256
97c044d1a5bdb0353e864755b5c857b447d32b51f1fa25eefafed7439a98e4e3

SHA512
e8abbca11eeffd7fc17b5375e921d52f287bf7a3cbdba300f6d88675aba5498d27c477ad714bae5ae35dc9295c650f58ade771e251fef3af0ffdaf8443193bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7016954.exe

Filesize
384KB

MD5
7baf990c21c8077df34eb0e744333d3b

SHA1
29870016e28fbb59f28f39a3e22bf1383db8f90b

SHA256
97c044d1a5bdb0353e864755b5c857b447d32b51f1fa25eefafed7439a98e4e3

SHA512
e8abbca11eeffd7fc17b5375e921d52f287bf7a3cbdba300f6d88675aba5498d27c477ad714bae5ae35dc9295c650f58ade771e251fef3af0ffdaf8443193bf2

Download Submit
memory/3600-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3600-18-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3600-19-0x000000000B5E0000-0x000000000B5E6000-memory.dmp

Filesize
24KB

Download
memory/3600-20-0x000000000EC10000-0x000000000F216000-memory.dmp

Filesize
6.0MB

Download
memory/3600-21-0x000000000E7A0000-0x000000000E8AA000-memory.dmp

Filesize
1.0MB

Download
memory/3600-22-0x000000000E6D0000-0x000000000E6E2000-memory.dmp

Filesize
72KB

Download
memory/3600-23-0x000000000E730000-0x000000000E76E000-memory.dmp

Filesize
248KB

Download
memory/3600-24-0x000000000E8B0000-0x000000000E8FB000-memory.dmp

Filesize
300KB

Download
memory/3600-29-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads