redline | 2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9

Analysis

max time kernel
165s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe
Size

1.1MB
MD5

e5a1f4432336171e77847bda5eb40a61
SHA1

370c3af2d2ec9032b3fbb12a3e8fd201a06218a5
SHA256

2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9
SHA512

405c872409652edb5ab8a011577bb3d11a1999ee0b5ca8abbdbc947502f0496a5085a6e70227f6dd8138bc832bab6b6fa45e2f9c73e0657437a14849dc294a52
SSDEEP

24576:yyoiimrpfKQCneNCZl/pF8WXwN+L5y29BcajFlCBSw:Zo6rAQCneEZ1/8WAILTvcajFlg

Score

10^/10

redline lutyr infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000230d6-36.dat	family_redline
behavioral1/files/0x00060000000230d6-37.dat	family_redline
behavioral1/memory/1600-39-0x0000000000D50000-0x0000000000D8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3284	jv6gU2mg.exe
4448	gV1cb6rm.exe
3664	uJ8UV7an.exe
5068	ID7NX8QR.exe
3232	1jh73Yx6.exe
1600	2sT687me.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jv6gU2mg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gV1cb6rm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uJ8UV7an.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ID7NX8QR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3284	4288	2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe	87
PID 4288 wrote to memory of 3284	4288	2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe	87
PID 4288 wrote to memory of 3284	4288	2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe	87
PID 3284 wrote to memory of 4448	3284	jv6gU2mg.exe	88
PID 3284 wrote to memory of 4448	3284	jv6gU2mg.exe	88
PID 3284 wrote to memory of 4448	3284	jv6gU2mg.exe	88
PID 4448 wrote to memory of 3664	4448	gV1cb6rm.exe	89
PID 4448 wrote to memory of 3664	4448	gV1cb6rm.exe	89
PID 4448 wrote to memory of 3664	4448	gV1cb6rm.exe	89
PID 3664 wrote to memory of 5068	3664	uJ8UV7an.exe	90
PID 3664 wrote to memory of 5068	3664	uJ8UV7an.exe	90
PID 3664 wrote to memory of 5068	3664	uJ8UV7an.exe	90
PID 5068 wrote to memory of 3232	5068	ID7NX8QR.exe	91
PID 5068 wrote to memory of 3232	5068	ID7NX8QR.exe	91
PID 5068 wrote to memory of 3232	5068	ID7NX8QR.exe	91
PID 5068 wrote to memory of 1600	5068	ID7NX8QR.exe	92
PID 5068 wrote to memory of 1600	5068	ID7NX8QR.exe	92
PID 5068 wrote to memory of 1600	5068	ID7NX8QR.exe	92

C:\Users\Admin\AppData\Local\Temp\2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe
"C:\Users\Admin\AppData\Local\Temp\2ef90d61cfb1761d9da5e8b56ea935d326f04e80decc30122e3b5336612adfa9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jv6gU2mg.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jv6gU2mg.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV1cb6rm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV1cb6rm.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uJ8UV7an.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uJ8UV7an.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ID7NX8QR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ID7NX8QR.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh73Yx6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh73Yx6.exe
        6⤵
        Executes dropped EXE
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sT687me.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sT687me.exe
        6⤵
        Executes dropped EXE
        
        PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jv6gU2mg.exe

Filesize
1001KB

MD5
e85f67a71e8a2ee7d83c4a1e884f7be9

SHA1
e1d1e7550c55103118cb5f0c50a0ec24e3bdabc6

SHA256
740b072c82029e4d7a04d57532f550ddefa619acc2b7126d304e576e6af6326a

SHA512
da7f733f739d5aacdd518ee22364a06b49f7ecba0e23c39cc3bf6eb7362b47956865e3568ee7bd35a2a20532017f0a2d10cdda419e384b37ba6ea61a31524434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jv6gU2mg.exe

Filesize
1001KB

MD5
e85f67a71e8a2ee7d83c4a1e884f7be9

SHA1
e1d1e7550c55103118cb5f0c50a0ec24e3bdabc6

SHA256
740b072c82029e4d7a04d57532f550ddefa619acc2b7126d304e576e6af6326a

SHA512
da7f733f739d5aacdd518ee22364a06b49f7ecba0e23c39cc3bf6eb7362b47956865e3568ee7bd35a2a20532017f0a2d10cdda419e384b37ba6ea61a31524434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV1cb6rm.exe

Filesize
816KB

MD5
e8a7c32be0f424a8698910522f108d92

SHA1
4aa81f0e454e3c71fe70c91f73d61b424927ec02

SHA256
1442fb1a62f4b2d80f9415659b95a06ddf0e270155ca4dbba7778580bd1d7c40

SHA512
bf8248c634e98ca8ca2e27dfdf29cb1a021dcb068ce79a8b79e3544d30fa6775af96e5ad91346d317d56b1ff9c4f5b17e69843ad2d0243573123b1d083ae7050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV1cb6rm.exe

Filesize
816KB

MD5
e8a7c32be0f424a8698910522f108d92

SHA1
4aa81f0e454e3c71fe70c91f73d61b424927ec02

SHA256
1442fb1a62f4b2d80f9415659b95a06ddf0e270155ca4dbba7778580bd1d7c40

SHA512
bf8248c634e98ca8ca2e27dfdf29cb1a021dcb068ce79a8b79e3544d30fa6775af96e5ad91346d317d56b1ff9c4f5b17e69843ad2d0243573123b1d083ae7050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uJ8UV7an.exe

Filesize
522KB

MD5
f478af5325d1f89d70b44702211072ac

SHA1
db273731646d02fd42ff5d660fb241ef9118937a

SHA256
628568e66eeb1475e1a58c54a188ff2f99bce2548cc0820057208ca0f126f146

SHA512
b71fca6802496cf400ab698e320f48745ba1c96ea5003ae7e38abda9a08c8c80120e93d3c100332c81e25265241324b680b5e8d6d2a9f793c0329319e6d3507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uJ8UV7an.exe

Filesize
522KB

MD5
f478af5325d1f89d70b44702211072ac

SHA1
db273731646d02fd42ff5d660fb241ef9118937a

SHA256
628568e66eeb1475e1a58c54a188ff2f99bce2548cc0820057208ca0f126f146

SHA512
b71fca6802496cf400ab698e320f48745ba1c96ea5003ae7e38abda9a08c8c80120e93d3c100332c81e25265241324b680b5e8d6d2a9f793c0329319e6d3507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ID7NX8QR.exe

Filesize
326KB

MD5
d3dd6d370c25ccd4ffed7ee29b416099

SHA1
94ac0478fb9b57256ceed3b8460a3d940117a4b7

SHA256
a1cf6db5f38a3462499fdeee882396cc496f33d6565785b763ac772fad2ba14a

SHA512
b88a2743281696d941395ad41eb9c3d3504636595bc08290d40fedfd4ab68d6ffe36360fc513ac2cc547dc04a33e5f059a7d6d1c8c50975476287d29382ba9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ID7NX8QR.exe

Filesize
326KB

MD5
d3dd6d370c25ccd4ffed7ee29b416099

SHA1
94ac0478fb9b57256ceed3b8460a3d940117a4b7

SHA256
a1cf6db5f38a3462499fdeee882396cc496f33d6565785b763ac772fad2ba14a

SHA512
b88a2743281696d941395ad41eb9c3d3504636595bc08290d40fedfd4ab68d6ffe36360fc513ac2cc547dc04a33e5f059a7d6d1c8c50975476287d29382ba9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh73Yx6.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh73Yx6.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sT687me.exe

Filesize
221KB

MD5
01049ad554e125fa5ca1b051001e2577

SHA1
e37c45d0e25ff4b557b62faec9f69f19b8a45abc

SHA256
c1736d048596863b8af2dc1b05e0bcb27ac2aa1aaa9541e10aff956413618bdd

SHA512
2aac69ad39b8b9ceb4a4f8e77c399a8624c1c61a3eef904345a3abb973afcc529a9933fc5a66783f540ea8ca0ffad565dbfb3d799b512eefe70d67b3f508e4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sT687me.exe

Filesize
221KB

MD5
01049ad554e125fa5ca1b051001e2577

SHA1
e37c45d0e25ff4b557b62faec9f69f19b8a45abc

SHA256
c1736d048596863b8af2dc1b05e0bcb27ac2aa1aaa9541e10aff956413618bdd

SHA512
2aac69ad39b8b9ceb4a4f8e77c399a8624c1c61a3eef904345a3abb973afcc529a9933fc5a66783f540ea8ca0ffad565dbfb3d799b512eefe70d67b3f508e4eb

Download Submit
memory/1600-38-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-39-0x0000000000D50000-0x0000000000D8E000-memory.dmp

Filesize
248KB

Download
memory/1600-40-0x0000000008140000-0x00000000086E4000-memory.dmp

Filesize
5.6MB

Download
memory/1600-41-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/1600-42-0x0000000007C30000-0x0000000007CC2000-memory.dmp

Filesize
584KB

Download
memory/1600-43-0x0000000007E90000-0x0000000007EA0000-memory.dmp

Filesize
64KB

Download
memory/1600-44-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/1600-45-0x0000000007E90000-0x0000000007EA0000-memory.dmp

Filesize
64KB

Download
memory/1600-46-0x0000000008D10000-0x0000000009328000-memory.dmp

Filesize
6.1MB

Download
memory/1600-47-0x0000000008800000-0x000000000890A000-memory.dmp

Filesize
1.0MB

Download
memory/1600-48-0x0000000007E20000-0x0000000007E32000-memory.dmp

Filesize
72KB

Download
memory/1600-49-0x00000000080A0000-0x00000000080DC000-memory.dmp

Filesize
240KB

Download
memory/1600-50-0x00000000080E0000-0x000000000812C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads