redline | 834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5

General

Target

834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe
Size

785KB
MD5

b8a316643f3f908f69190f1945424b33
SHA1

0e95c8898a1cb5a78c9405fb7e61c8aa3481eb7c
SHA256

834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5
SHA512

24387ebabdf57b96dc048f34970562da61a6b70ab93158a1cf364abc8f3fb6c6d00c17742b80495a75e996d7fd727bc75f872db7c9a7ff0d0fe51d17d2a715bf
SSDEEP

12288:IMrmy90RfjIeMkpXga9VweormQkmRHBvp0xzoVQMOdTt+RthhqdW3cOzglM4H6wk:OyGf9MkJgZmBcD0m+jdx0hqAsOzgnnk

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4424	x9391359.exe
4220	x4245940.exe
3188	h8086837.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9391359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4245940.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4424	2704	834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe	87
PID 2704 wrote to memory of 4424	2704	834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe	87
PID 2704 wrote to memory of 4424	2704	834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe	87
PID 4424 wrote to memory of 4220	4424	x9391359.exe	88
PID 4424 wrote to memory of 4220	4424	x9391359.exe	88
PID 4424 wrote to memory of 4220	4424	x9391359.exe	88
PID 4220 wrote to memory of 3188	4220	x4245940.exe	89
PID 4220 wrote to memory of 3188	4220	x4245940.exe	89
PID 4220 wrote to memory of 3188	4220	x4245940.exe	89

C:\Users\Admin\AppData\Local\Temp\834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe
"C:\Users\Admin\AppData\Local\Temp\834f553bf7f862134c46eaf28039323544f129d99f68451f33cc34ff793a17f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391359.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391359.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4245940.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4245940.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8086837.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8086837.exe
      4⤵
      Executes dropped EXE
      PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391359.exe

Filesize
683KB

MD5
b3a22540fc405733acba4c71540e94f5

SHA1
aacb0adb9a3b5a6f6ecaa20673f0225cb25a3fac

SHA256
c2e3127271e3383bf30cdc0e999586664e569f51ebcda95dc1fa7c930d57c77d

SHA512
fcdfe5f4e715b607caca04c715c5df900b528695c75b0de68dfba8e095c7315e88ba2dbb5c7d2d219c77f8a16de65e8d4af87b073c439ad9bddf58ed8c11ea2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391359.exe

Filesize
683KB

MD5
b3a22540fc405733acba4c71540e94f5

SHA1
aacb0adb9a3b5a6f6ecaa20673f0225cb25a3fac

SHA256
c2e3127271e3383bf30cdc0e999586664e569f51ebcda95dc1fa7c930d57c77d

SHA512
fcdfe5f4e715b607caca04c715c5df900b528695c75b0de68dfba8e095c7315e88ba2dbb5c7d2d219c77f8a16de65e8d4af87b073c439ad9bddf58ed8c11ea2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4245940.exe

Filesize
292KB

MD5
7c6098b4c62ae39a2d1a0c72f1dc6faa

SHA1
ef9bfabd472a2abe5ad38e08fee6a8ca6688a81b

SHA256
b40f45fc9b0561f9710898d2514ef681d8afbdd07281140b75c5c112144e9b5f

SHA512
c6421c8b78be73b54e73c6a68e80a3319b918f9dc414c9ff9952589280e7d44fbbf28afb764e288510986ebca350d7a5d99e8c6a70a9587fcf750bf50949898a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4245940.exe

Filesize
292KB

MD5
7c6098b4c62ae39a2d1a0c72f1dc6faa

SHA1
ef9bfabd472a2abe5ad38e08fee6a8ca6688a81b

SHA256
b40f45fc9b0561f9710898d2514ef681d8afbdd07281140b75c5c112144e9b5f

SHA512
c6421c8b78be73b54e73c6a68e80a3319b918f9dc414c9ff9952589280e7d44fbbf28afb764e288510986ebca350d7a5d99e8c6a70a9587fcf750bf50949898a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8086837.exe

Filesize
174KB

MD5
7006ba3bf9001fddd656d2bdbbffb4f2

SHA1
88003e66c16c69e5dad50b317c980d30dc7e01d4

SHA256
6d990c8359c76ac4b4f52c0479460bc29477321cbe42533ea3b5152b5ba3f5f3

SHA512
b2df4cde682d46b1f7d7ea0c8027dc0e8ab7f6024adedbf94f396430e6a856a0b667f8e8d4ac70649b59c564e48b3516a8f2d5ae901bc102dfcf0df1a2588c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8086837.exe

Filesize
174KB

MD5
7006ba3bf9001fddd656d2bdbbffb4f2

SHA1
88003e66c16c69e5dad50b317c980d30dc7e01d4

SHA256
6d990c8359c76ac4b4f52c0479460bc29477321cbe42533ea3b5152b5ba3f5f3

SHA512
b2df4cde682d46b1f7d7ea0c8027dc0e8ab7f6024adedbf94f396430e6a856a0b667f8e8d4ac70649b59c564e48b3516a8f2d5ae901bc102dfcf0df1a2588c95

Download Submit
memory/3188-21-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3188-22-0x00000000006F0000-0x0000000000720000-memory.dmp

Filesize
192KB

Download
memory/3188-23-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3188-24-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

Filesize
24KB

Download
memory/3188-25-0x000000000ADC0000-0x000000000B3D8000-memory.dmp

Filesize
6.1MB

Download
memory/3188-26-0x000000000A920000-0x000000000AA2A000-memory.dmp

Filesize
1.0MB

Download
memory/3188-27-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3188-28-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/3188-29-0x0000000002920000-0x000000000295C000-memory.dmp

Filesize
240KB

Download
memory/3188-30-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3188-31-0x000000000A810000-0x000000000A85C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads