redline | 855c742abd80826b49dc1e2cc9240fbf5afcf29772ed4a5fae078555dd0f9b64

General

Target

Rh0ES6EV.exe
Size

1.1MB
MD5

eda41d4aeb1a680f6f1115003347ac6e
SHA1

094f662631a06c3efc7f6407c996a6aac4d3af00
SHA256

855c742abd80826b49dc1e2cc9240fbf5afcf29772ed4a5fae078555dd0f9b64
SHA512

7a92569be4de4ccdc8a60dc6bc62df0b3764ce8a6eba737afa6fc3a381375b03f47dd3387ce06d758fdcfd89f425eef42476688c844ce41025690dba242fbee2
SSDEEP

24576:VyorWqFGyhgEQglGijLKo/IgH51OeNgiKETcnNSJwo20FORLJ9R7:wmWqFGwg6lGijLKo/hH51OYthTWi2

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ee-27.dat	family_redline
behavioral2/files/0x00060000000231ee-28.dat	family_redline
behavioral2/memory/4024-29-0x00000000006F0000-0x000000000072E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3740	Gq9QY7qJ.exe
1456	VL6LF0kp.exe
4556	1vj44Ir9.exe
4024	2Ru456UT.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Rh0ES6EV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gq9QY7qJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VL6LF0kp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 1104	4556	1vj44Ir9.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1156	4556	WerFault.exe	88
3052	1104	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3740	2980	Rh0ES6EV.exe	85
PID 2980 wrote to memory of 3740	2980	Rh0ES6EV.exe	85
PID 2980 wrote to memory of 3740	2980	Rh0ES6EV.exe	85
PID 3740 wrote to memory of 1456	3740	Gq9QY7qJ.exe	87
PID 3740 wrote to memory of 1456	3740	Gq9QY7qJ.exe	87
PID 3740 wrote to memory of 1456	3740	Gq9QY7qJ.exe	87
PID 1456 wrote to memory of 4556	1456	VL6LF0kp.exe	88
PID 1456 wrote to memory of 4556	1456	VL6LF0kp.exe	88
PID 1456 wrote to memory of 4556	1456	VL6LF0kp.exe	88
PID 4556 wrote to memory of 2964	4556	1vj44Ir9.exe	90
PID 4556 wrote to memory of 2964	4556	1vj44Ir9.exe	90
PID 4556 wrote to memory of 2964	4556	1vj44Ir9.exe	90
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 4556 wrote to memory of 1104	4556	1vj44Ir9.exe	91
PID 1456 wrote to memory of 4024	1456	VL6LF0kp.exe	97
PID 1456 wrote to memory of 4024	1456	VL6LF0kp.exe	97
PID 1456 wrote to memory of 4024	1456	VL6LF0kp.exe	97

C:\Users\Admin\AppData\Local\Temp\Rh0ES6EV.exe
"C:\Users\Admin\AppData\Local\Temp\Rh0ES6EV.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2964
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 540
        6⤵
        Program crash
        
        PID:3052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 620
        5⤵
        Program crash
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ru456UT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ru456UT.exe
      4⤵
      Executes dropped EXE
      PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4556 -ip 4556
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1104 -ip 1104
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq9QY7qJ.exe

Filesize
735KB

MD5
ea4eaf3f6a8ddbf927e8e033b86ee229

SHA1
a8f63c5a3ad87e81d2794789ab9c8932e05d076a

SHA256
c9c5589f5e4159c9b3143db3ec8b92306819a91b6b130a29ab93769f168a605f

SHA512
add8d321c3eab4040c8736ce6407bd0f94bc7e4e9d3eb684101330bdda13d8e3b68aaa9df3fb3e97439c2f7f018067af45135245f8c08f77148703968dbf1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VL6LF0kp.exe

Filesize
563KB

MD5
33bc60a2c387a0f31bb3d2e7b118c3a8

SHA1
b6f27d4c91cb05738cec12e586f59abc06f391ac

SHA256
8eb1d5e0ac77bd4427d6831806d6e31ddfbd6ceb1ad588be72d48c6d1c273b87

SHA512
ab8c9815d330a4da047ff23aa802d0e9d220f2f1ffcd30d113da3a8b79bc38626f046796486948e9a55f0bb7c94e4e78fbd28a1b2c9d04ce077052d4b53437c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vj44Ir9.exe

Filesize
1.4MB

MD5
47c8a3a91ed2b43175bf0845388d916c

SHA1
dc5606d9a552b3f5e7fef4477b2b75cd52d9ac18

SHA256
252ccdf62eb74bebb006d989b4af0a3b2edb992317f9df584d60bc5f765839a2

SHA512
099fb46d8f575de1277fa17dac21d839bac79f444c7cf1db6fae4cc9f5f1266f1312da773c73cb5e27d7d91de9856b7c85eb01f163f0a63c56ab3c4d64f3cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ru456UT.exe

Filesize
230KB

MD5
c66671ed7345f28c77042b575f050d1e

SHA1
d8531f39ba719e2a6678edd29834a04d0c9b86b6

SHA256
93e56b529617683c431c3090e0504a1c369b5cc36458b46a51eb93a4308210da

SHA512
14c070c39ba7a8594b72035a5a7dc68f73f381333eb80bd0cdfefc0b466e7a2cbed3ac2f962f2870f321f7838950b3d2c1d8dd76c421b0014c544e13cc3e1a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ru456UT.exe

Filesize
230KB

MD5
c66671ed7345f28c77042b575f050d1e

SHA1
d8531f39ba719e2a6678edd29834a04d0c9b86b6

SHA256
93e56b529617683c431c3090e0504a1c369b5cc36458b46a51eb93a4308210da

SHA512
14c070c39ba7a8594b72035a5a7dc68f73f381333eb80bd0cdfefc0b466e7a2cbed3ac2f962f2870f321f7838950b3d2c1d8dd76c421b0014c544e13cc3e1a99

Download Submit
memory/1104-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1104-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1104-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1104-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4024-30-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-29-0x00000000006F0000-0x000000000072E000-memory.dmp

Filesize
248KB

Download
memory/4024-31-0x0000000007970000-0x0000000007F14000-memory.dmp

Filesize
5.6MB

Download
memory/4024-32-0x00000000074B0000-0x0000000007542000-memory.dmp

Filesize
584KB

Download
memory/4024-33-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download
memory/4024-34-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/4024-35-0x0000000008540000-0x0000000008B58000-memory.dmp

Filesize
6.1MB

Download
memory/4024-36-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download
memory/4024-37-0x0000000007890000-0x00000000078A2000-memory.dmp

Filesize
72KB

Download
memory/4024-38-0x00000000078F0000-0x000000000792C000-memory.dmp

Filesize
240KB

Download
memory/4024-39-0x0000000008030000-0x000000000807C000-memory.dmp

Filesize
304KB

Download
memory/4024-40-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-41-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads