redline | 3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 14:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe
Size

1.1MB
MD5

27930f7be29f2457a3328583eca1da68
SHA1

e5e5e63bfb9eda185a9eddc52751c184e0c37de3
SHA256

3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d
SHA512

d6d9c61c8f4f498db7a61db3437d4e10b23f620be22936d963c71ca815e365ef5a6bc9314f8789c32b1bd5759c6b56d88274d634cbbcad1ab25df647d0b7f3eb
SSDEEP

24576:kyT8dEaIzEzoNE54jigmCwZrIqXPaYbNi6qh9vuO:zitLz0ji58qraRu

Score

10^/10

redline lutyr infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322e-36.dat	family_redline
behavioral2/files/0x000600000002322e-37.dat	family_redline
behavioral2/memory/1120-38-0x0000000000C60000-0x0000000000C9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1384	Gd3qG0UI.exe
700	mp4Ej1Ln.exe
4600	qF0iG8uJ.exe
3824	fY4bB5Gb.exe
4824	1IU61Gk1.exe
1120	2ph652Wq.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gd3qG0UI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mp4Ej1Ln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qF0iG8uJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	fY4bB5Gb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1384	2196	NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe	87
PID 2196 wrote to memory of 1384	2196	NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe	87
PID 2196 wrote to memory of 1384	2196	NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe	87
PID 1384 wrote to memory of 700	1384	Gd3qG0UI.exe	89
PID 1384 wrote to memory of 700	1384	Gd3qG0UI.exe	89
PID 1384 wrote to memory of 700	1384	Gd3qG0UI.exe	89
PID 700 wrote to memory of 4600	700	mp4Ej1Ln.exe	90
PID 700 wrote to memory of 4600	700	mp4Ej1Ln.exe	90
PID 700 wrote to memory of 4600	700	mp4Ej1Ln.exe	90
PID 4600 wrote to memory of 3824	4600	qF0iG8uJ.exe	91
PID 4600 wrote to memory of 3824	4600	qF0iG8uJ.exe	91
PID 4600 wrote to memory of 3824	4600	qF0iG8uJ.exe	91
PID 3824 wrote to memory of 4824	3824	fY4bB5Gb.exe	92
PID 3824 wrote to memory of 4824	3824	fY4bB5Gb.exe	92
PID 3824 wrote to memory of 4824	3824	fY4bB5Gb.exe	92
PID 3824 wrote to memory of 1120	3824	fY4bB5Gb.exe	93
PID 3824 wrote to memory of 1120	3824	fY4bB5Gb.exe	93
PID 3824 wrote to memory of 1120	3824	fY4bB5Gb.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3d129e395c299cd8bef2a9880c62c4fe35cef2ecec681cae420f7004e248501d_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gd3qG0UI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gd3qG0UI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mp4Ej1Ln.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mp4Ej1Ln.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF0iG8uJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF0iG8uJ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fY4bB5Gb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fY4bB5Gb.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IU61Gk1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IU61Gk1.exe
        6⤵
        Executes dropped EXE
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ph652Wq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ph652Wq.exe
        6⤵
        Executes dropped EXE
        
        PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gd3qG0UI.exe

Filesize
1002KB

MD5
96d663fdefd1f2bc3765ae251fd0c564

SHA1
21fc9aa45a20b29e357e44547dd8271a5739c1ec

SHA256
1c81e0fac401292b24217787ad6a5a56ec228f5b4705e7a1841568a9ca154df8

SHA512
3988c510bc76b5c5a1f10be47acfa4b2a59c7fe5f463f0b6b8e608d8f4726f98982ad510f72e16e31d2a541937d522fdeb773cb3231faad2f594423d16778c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gd3qG0UI.exe

Filesize
1002KB

MD5
96d663fdefd1f2bc3765ae251fd0c564

SHA1
21fc9aa45a20b29e357e44547dd8271a5739c1ec

SHA256
1c81e0fac401292b24217787ad6a5a56ec228f5b4705e7a1841568a9ca154df8

SHA512
3988c510bc76b5c5a1f10be47acfa4b2a59c7fe5f463f0b6b8e608d8f4726f98982ad510f72e16e31d2a541937d522fdeb773cb3231faad2f594423d16778c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mp4Ej1Ln.exe

Filesize
816KB

MD5
309c33563a5be3d491810f371da69599

SHA1
56634132dfbde38a60fff1964a5a90812b21f290

SHA256
41971cca2480e0fcb66f19822864ea0d16d199b481883ba35696baa98f45429a

SHA512
26775a338ad678b8dde9ba1f217d194e677e3d2775b7d8735d2f192c1134a8f3f23bed3ea988bb09a4627b70681842c5fbbcd309beafd7590b95207d10e6d0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mp4Ej1Ln.exe

Filesize
816KB

MD5
309c33563a5be3d491810f371da69599

SHA1
56634132dfbde38a60fff1964a5a90812b21f290

SHA256
41971cca2480e0fcb66f19822864ea0d16d199b481883ba35696baa98f45429a

SHA512
26775a338ad678b8dde9ba1f217d194e677e3d2775b7d8735d2f192c1134a8f3f23bed3ea988bb09a4627b70681842c5fbbcd309beafd7590b95207d10e6d0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF0iG8uJ.exe

Filesize
522KB

MD5
2cd181ea2bea48a744e55dc08b769132

SHA1
cad1265cd302603ed5f3579361bb7c6efc0abda8

SHA256
a496ecdf02b3d78fab612cc40ce30571b29436a32261d8415936a28a75ebc336

SHA512
c5d8f1809e3d9fb977975c8090d8ba085c261bb5e3a1f4b49f336c5955317494bd0d5139d7ce5d46e255add9c20d8d188bafc04d5ac7296d55643d0583bfe0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF0iG8uJ.exe

Filesize
522KB

MD5
2cd181ea2bea48a744e55dc08b769132

SHA1
cad1265cd302603ed5f3579361bb7c6efc0abda8

SHA256
a496ecdf02b3d78fab612cc40ce30571b29436a32261d8415936a28a75ebc336

SHA512
c5d8f1809e3d9fb977975c8090d8ba085c261bb5e3a1f4b49f336c5955317494bd0d5139d7ce5d46e255add9c20d8d188bafc04d5ac7296d55643d0583bfe0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fY4bB5Gb.exe

Filesize
326KB

MD5
5c1f9b699859e8ba7e712342de9b741d

SHA1
0585ccec9b31089ed712ac34d2a0985a1e885bc0

SHA256
66e1748916f8bd83cb985f0cca25bade4b8952ae4bc4477380e34a7eca28465e

SHA512
8d6ac738e46a28bf3536f5fdf816776d79d8f2f8ec0418c2c8e30caffaeaf298090d0a0e8be1c95d37c624b0a399912400a4c9150c6d9254860897ff7c13dbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fY4bB5Gb.exe

Filesize
326KB

MD5
5c1f9b699859e8ba7e712342de9b741d

SHA1
0585ccec9b31089ed712ac34d2a0985a1e885bc0

SHA256
66e1748916f8bd83cb985f0cca25bade4b8952ae4bc4477380e34a7eca28465e

SHA512
8d6ac738e46a28bf3536f5fdf816776d79d8f2f8ec0418c2c8e30caffaeaf298090d0a0e8be1c95d37c624b0a399912400a4c9150c6d9254860897ff7c13dbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IU61Gk1.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IU61Gk1.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ph652Wq.exe

Filesize
221KB

MD5
dc60354eeef9ce7a4338642094b1c634

SHA1
4250f68871dc0c73e578047a69a2e08f47c50459

SHA256
9d68f0ebd46aeb48ebe82ee446642b7973bf611ef0e8ae24d29b38f2d614f62d

SHA512
47fbdc0a230319e98df18227d14cf3706ae493368e35ea036107d62e7d1b932b4a6c848c2ba76eff81674aaee43806725e02283b0b27aee5db0e8aee48485609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ph652Wq.exe

Filesize
221KB

MD5
dc60354eeef9ce7a4338642094b1c634

SHA1
4250f68871dc0c73e578047a69a2e08f47c50459

SHA256
9d68f0ebd46aeb48ebe82ee446642b7973bf611ef0e8ae24d29b38f2d614f62d

SHA512
47fbdc0a230319e98df18227d14cf3706ae493368e35ea036107d62e7d1b932b4a6c848c2ba76eff81674aaee43806725e02283b0b27aee5db0e8aee48485609

Download Submit
memory/1120-38-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/1120-39-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1120-40-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/1120-41-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/1120-42-0x0000000007E10000-0x0000000007E20000-memory.dmp

Filesize
64KB

Download
memory/1120-43-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/1120-44-0x0000000008C70000-0x0000000009288000-memory.dmp

Filesize
6.1MB

Download
memory/1120-45-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/1120-46-0x0000000007DF0000-0x0000000007E02000-memory.dmp

Filesize
72KB

Download
memory/1120-47-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download
memory/1120-48-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1120-49-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

Filesize
304KB

Download
memory/1120-50-0x0000000007E10000-0x0000000007E20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads