redline | 9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3

General

Target

9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe
Size

1.1MB
MD5

72a55d56801200ba83de054f0376890f
SHA1

193be6ede2fa6cac96c468b9ac794556d2348b75
SHA256

9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3
SHA512

6cf8e49b5783fba09b6aedfa39511897b0b0a09676aa2097f887b6745ac72f2fe04aaac6e175bd137cbd510631abf2eb05f97df7287d2de26bfd50dc04cac3cd
SSDEEP

24576:9ywp6NYMdsvT0NID3P1zqg+IGyTfSA98Semzs9jFsKlgsHh6Sef:YwRwNStT+InbSVSe+sVFPb

Score

10^/10

redline gigant infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231c8-26.dat	family_redline
behavioral1/files/0x00070000000231c8-27.dat	family_redline
behavioral1/memory/3300-28-0x0000000000770000-0x00000000007AE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4168	vu4TM4Sh.exe
3472	sK6VE6Zh.exe
4848	hg3hi9EG.exe
3300	2cP470rp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vu4TM4Sh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sK6VE6Zh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hg3hi9EG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4168	4604	9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe	87
PID 4604 wrote to memory of 4168	4604	9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe	87
PID 4604 wrote to memory of 4168	4604	9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe	87
PID 4168 wrote to memory of 3472	4168	vu4TM4Sh.exe	88
PID 4168 wrote to memory of 3472	4168	vu4TM4Sh.exe	88
PID 4168 wrote to memory of 3472	4168	vu4TM4Sh.exe	88
PID 3472 wrote to memory of 4848	3472	sK6VE6Zh.exe	90
PID 3472 wrote to memory of 4848	3472	sK6VE6Zh.exe	90
PID 3472 wrote to memory of 4848	3472	sK6VE6Zh.exe	90
PID 4848 wrote to memory of 3300	4848	hg3hi9EG.exe	91
PID 4848 wrote to memory of 3300	4848	hg3hi9EG.exe	91
PID 4848 wrote to memory of 3300	4848	hg3hi9EG.exe	91

C:\Users\Admin\AppData\Local\Temp\9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe
"C:\Users\Admin\AppData\Local\Temp\9d0d5eb52397f632e5444fe9df1201b36607fe516f37c4c6cba2d77b04dd70a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu4TM4Sh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu4TM4Sh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sK6VE6Zh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sK6VE6Zh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hg3hi9EG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hg3hi9EG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cP470rp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cP470rp.exe
        5⤵
        Executes dropped EXE
        
        PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu4TM4Sh.exe

Filesize
1010KB

MD5
d50a35ea2734964d5de013003b530b4b

SHA1
c83a150ee24d3bc2f911a2bfc0254a76d78cf17e

SHA256
25a3b2d38a8ba7601266cea7fa330c7622f667b4e518ff52c68c6646c0901d4a

SHA512
dab0a774ec6755a1612478803bb81d64faeeca5ffdd130b815406cf0cc21ee6f3db591100a602766b24b45bac274071fe041d78c39b09a2ec9d3a24db73d2c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vu4TM4Sh.exe

Filesize
1010KB

MD5
d50a35ea2734964d5de013003b530b4b

SHA1
c83a150ee24d3bc2f911a2bfc0254a76d78cf17e

SHA256
25a3b2d38a8ba7601266cea7fa330c7622f667b4e518ff52c68c6646c0901d4a

SHA512
dab0a774ec6755a1612478803bb81d64faeeca5ffdd130b815406cf0cc21ee6f3db591100a602766b24b45bac274071fe041d78c39b09a2ec9d3a24db73d2c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sK6VE6Zh.exe

Filesize
821KB

MD5
58f50982f8e0b369a3977deddd073b3f

SHA1
ffb6ef8465f5ba9945fb5269aab7aed229a6018e

SHA256
567bd745475984b325f46f7983867bcea17635b343eecd0f383b877569a86e09

SHA512
059c499cbe77060be8516403a8e132c8c34a9d368ff71fddc835e85c44694bb105b8315aa7affad2762ddb3fa546961ca3e54339e4c0e6fa0a6c6c45569a580f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sK6VE6Zh.exe

Filesize
821KB

MD5
58f50982f8e0b369a3977deddd073b3f

SHA1
ffb6ef8465f5ba9945fb5269aab7aed229a6018e

SHA256
567bd745475984b325f46f7983867bcea17635b343eecd0f383b877569a86e09

SHA512
059c499cbe77060be8516403a8e132c8c34a9d368ff71fddc835e85c44694bb105b8315aa7affad2762ddb3fa546961ca3e54339e4c0e6fa0a6c6c45569a580f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hg3hi9EG.exe

Filesize
296KB

MD5
5c03cb8456598585657651a44ff094bf

SHA1
e327d1b04f6e0b9f2cd195374ef20727cc9cdd51

SHA256
c7f128919730dbbe9dbbfeaef15cb2450f330ab691079667a5990d988e44c313

SHA512
963ecf13d687e843c719b355969646c0d96de6f33e80387007e848f113e1100bc63e345c0b5697df287480ff740065a024374ce73f9729621d8ddfcbf6d8919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hg3hi9EG.exe

Filesize
296KB

MD5
5c03cb8456598585657651a44ff094bf

SHA1
e327d1b04f6e0b9f2cd195374ef20727cc9cdd51

SHA256
c7f128919730dbbe9dbbfeaef15cb2450f330ab691079667a5990d988e44c313

SHA512
963ecf13d687e843c719b355969646c0d96de6f33e80387007e848f113e1100bc63e345c0b5697df287480ff740065a024374ce73f9729621d8ddfcbf6d8919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cP470rp.exe

Filesize
230KB

MD5
9fa9caa35aa765e7d0c069e766b037ad

SHA1
0df489135eaafaaf66899502e66d087772f58d65

SHA256
6ebf14da30ba7f6c0c13965c793e5d3f6efa4882b7737eb91a6613e760c7e26d

SHA512
6c9321f50100e7ad3481ecb71796b41ac6e531fff316f8f215ef4cf282f4c72b284e4280b8e9685f5455b08c674ff926bb6f7f5d6fb332d9661d7d136bdaa212

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2cP470rp.exe

Filesize
230KB

MD5
9fa9caa35aa765e7d0c069e766b037ad

SHA1
0df489135eaafaaf66899502e66d087772f58d65

SHA256
6ebf14da30ba7f6c0c13965c793e5d3f6efa4882b7737eb91a6613e760c7e26d

SHA512
6c9321f50100e7ad3481ecb71796b41ac6e531fff316f8f215ef4cf282f4c72b284e4280b8e9685f5455b08c674ff926bb6f7f5d6fb332d9661d7d136bdaa212

Download Submit
memory/3300-28-0x0000000000770000-0x00000000007AE000-memory.dmp

Filesize
248KB

Download
memory/3300-29-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/3300-30-0x0000000007B80000-0x0000000008124000-memory.dmp

Filesize
5.6MB

Download
memory/3300-31-0x0000000007670000-0x0000000007702000-memory.dmp

Filesize
584KB

Download
memory/3300-32-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/3300-33-0x0000000007730000-0x000000000773A000-memory.dmp

Filesize
40KB

Download
memory/3300-34-0x0000000008750000-0x0000000008D68000-memory.dmp

Filesize
6.1MB

Download
memory/3300-35-0x0000000007A00000-0x0000000007B0A000-memory.dmp

Filesize
1.0MB

Download
memory/3300-36-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download
memory/3300-37-0x0000000007970000-0x00000000079AC000-memory.dmp

Filesize
240KB

Download
memory/3300-38-0x00000000079B0000-0x00000000079FC000-memory.dmp

Filesize
304KB

Download
memory/3300-39-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/3300-40-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads