redline | 273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87

General

Target

273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe
Size

644KB
MD5

c048782f34d7bd432cec853de8b0da1f
SHA1

386e08520b29b955d670b18355925c05923fe6a7
SHA256

273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87
SHA512

e86c5fd65b7bf3cca9c3ca3514aa9ba6efe3f5e46cf5dab30368166a0ce43844660dd4b9dc64c58d54b90a60336fc1cc6026ed70d20f989c57ff381d3fd65c69
SSDEEP

12288:uMrGy90CDg2K0kuiMJFKhpOjTQHm3mILzPMOPvYXHhC/vszwW4:4y1E2KhAFKhkjkm2ILVYHQ/vs74

Score

10^/10

redline luska infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

luska

C2

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1840	x5714449.exe
4520	x2979457.exe
4168	h8541043.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5714449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2979457.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1840	4448	273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe	89
PID 4448 wrote to memory of 1840	4448	273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe	89
PID 4448 wrote to memory of 1840	4448	273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe	89
PID 1840 wrote to memory of 4520	1840	x5714449.exe	90
PID 1840 wrote to memory of 4520	1840	x5714449.exe	90
PID 1840 wrote to memory of 4520	1840	x5714449.exe	90
PID 4520 wrote to memory of 4168	4520	x2979457.exe	91
PID 4520 wrote to memory of 4168	4520	x2979457.exe	91
PID 4520 wrote to memory of 4168	4520	x2979457.exe	91

C:\Users\Admin\AppData\Local\Temp\273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe
"C:\Users\Admin\AppData\Local\Temp\273750a0e7c7e9165f692d7ce00a8c05030df3d09e7bd5b0ee06bc3fb1862e87.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5714449.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5714449.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2979457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2979457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8541043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8541043.exe
      4⤵
      Executes dropped EXE
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5714449.exe

Filesize
543KB

MD5
1f59e4a367d9fda8fa37735665227de7

SHA1
fd95ad073dbff7cb676060bb7bf77f87ec8069a9

SHA256
4b20f92caf2f6dbe45eafcdff3caca4cd24bdba5472122c5b9f4ccc206f80967

SHA512
8ccbc850cd26ad1c078d05486b1b8070c737ee61fb7eae200b3233e894d951b9441ac0437090eeee23f13dee69e60c5bb1462961e15232d2f6c1e4e941b5e75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5714449.exe

Filesize
543KB

MD5
1f59e4a367d9fda8fa37735665227de7

SHA1
fd95ad073dbff7cb676060bb7bf77f87ec8069a9

SHA256
4b20f92caf2f6dbe45eafcdff3caca4cd24bdba5472122c5b9f4ccc206f80967

SHA512
8ccbc850cd26ad1c078d05486b1b8070c737ee61fb7eae200b3233e894d951b9441ac0437090eeee23f13dee69e60c5bb1462961e15232d2f6c1e4e941b5e75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2979457.exe

Filesize
271KB

MD5
7582a5b65cb64e5085b1779c85bc2ca2

SHA1
978323bd9b4ab4db1a8cf09db1b1081c458ff481

SHA256
9b90f41154b343cfc8959383e8fbfae6d83c6d7df209ba544b697858e56c9f61

SHA512
eedad60f5425418f6b162ffa4d22bf9315f3c65b878166826e968efe1cc26b06269543d1818d2fcf19b7d2cbeb0c0463c370401a359b01c226fdd67ac2593411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2979457.exe

Filesize
271KB

MD5
7582a5b65cb64e5085b1779c85bc2ca2

SHA1
978323bd9b4ab4db1a8cf09db1b1081c458ff481

SHA256
9b90f41154b343cfc8959383e8fbfae6d83c6d7df209ba544b697858e56c9f61

SHA512
eedad60f5425418f6b162ffa4d22bf9315f3c65b878166826e968efe1cc26b06269543d1818d2fcf19b7d2cbeb0c0463c370401a359b01c226fdd67ac2593411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8541043.exe

Filesize
174KB

MD5
c1d86e06a03fe618d956250d753bc050

SHA1
843cdb50481c12405f7101475a51fa5249e88057

SHA256
3575588aeb0d49edfe9433a87fa499541c5737f6afc6e1115a264757240a15b7

SHA512
a70f0547400e0491deddae21882dbf1d376b21d3fedfdbdc185a313c48008a100b06168567dfc3482227fc162a8cd857f6cab2be2b2a789596861d86823dacb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8541043.exe

Filesize
174KB

MD5
c1d86e06a03fe618d956250d753bc050

SHA1
843cdb50481c12405f7101475a51fa5249e88057

SHA256
3575588aeb0d49edfe9433a87fa499541c5737f6afc6e1115a264757240a15b7

SHA512
a70f0547400e0491deddae21882dbf1d376b21d3fedfdbdc185a313c48008a100b06168567dfc3482227fc162a8cd857f6cab2be2b2a789596861d86823dacb9

Download Submit
memory/4168-21-0x0000000000E90000-0x0000000000EC0000-memory.dmp

Filesize
192KB

Download
memory/4168-22-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/4168-23-0x0000000002FC0000-0x0000000002FC6000-memory.dmp

Filesize
24KB

Download
memory/4168-24-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/4168-25-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/4168-26-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/4168-27-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4168-28-0x0000000005880000-0x00000000058BC000-memory.dmp

Filesize
240KB

Download
memory/4168-29-0x00000000059F0000-0x0000000005A3C000-memory.dmp

Filesize
304KB

Download
memory/4168-30-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/4168-31-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads