redline | b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210

General

Target

b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
Size

1.3MB
MD5

73433d21fa9f1146b510c5d6cf635181
SHA1

0e4732528e7127948b9905261350c8c3c7eb2708
SHA256

b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210
SHA512

c9341b26f07f7ae09ee590e47429efa4d0c43f6b2f35466222d909f263e8c3caf58df335953d0f35370dc8bfc625560ecc467ef36502fe334988fb403ccb9971
SSDEEP

24576:/yG4bqoBkT4+iP+Pbou1A9tZxCFAmiYCrpwdSHuaLdl9:KG4bqopP+DDAz/miY20mfL7

Score

10^/10

redline horda infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1176-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
5108	WW6Wq37.exe
2540	aV6fu17.exe
1636	2rN7166.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WW6Wq37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aV6fu17.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1176	1636	2rN7166.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3656	1636	WerFault.exe	73

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 5108	4584	b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe	71
PID 4584 wrote to memory of 5108	4584	b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe	71
PID 4584 wrote to memory of 5108	4584	b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe	71
PID 5108 wrote to memory of 2540	5108	WW6Wq37.exe	72
PID 5108 wrote to memory of 2540	5108	WW6Wq37.exe	72
PID 5108 wrote to memory of 2540	5108	WW6Wq37.exe	72
PID 2540 wrote to memory of 1636	2540	aV6fu17.exe	73
PID 2540 wrote to memory of 1636	2540	aV6fu17.exe	73
PID 2540 wrote to memory of 1636	2540	aV6fu17.exe	73
PID 1636 wrote to memory of 4916	1636	2rN7166.exe	75
PID 1636 wrote to memory of 4916	1636	2rN7166.exe	75
PID 1636 wrote to memory of 4916	1636	2rN7166.exe	75
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76
PID 1636 wrote to memory of 1176	1636	2rN7166.exe	76

C:\Users\Admin\AppData\Local\Temp\b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe
"C:\Users\Admin\AppData\Local\Temp\b5316985a1a10908baf2bb08ffb4b6a35e9169a1d8d274f349c9363a39628210.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4916
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 608
        5⤵
        Program crash
        
        PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe

Filesize
1.0MB

MD5
250c19d7eb62c8843fbd0e97ec4cec60

SHA1
024190b077ad509aa8cabef0d16f8d5b126b4c41

SHA256
c8ea3f5801c2994c941b51bbeb7b3beead10532926d34fbddc53743a25fee395

SHA512
3c01ac9448f1df8342ee1047cf1b8e55bfc1f550c6c5e95665e5f0a698dd2e9c6664baa38b0edfa1f4f08222ee0edfd91a90886c1445624e0174427bac064fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WW6Wq37.exe

Filesize
1.0MB

MD5
250c19d7eb62c8843fbd0e97ec4cec60

SHA1
024190b077ad509aa8cabef0d16f8d5b126b4c41

SHA256
c8ea3f5801c2994c941b51bbeb7b3beead10532926d34fbddc53743a25fee395

SHA512
3c01ac9448f1df8342ee1047cf1b8e55bfc1f550c6c5e95665e5f0a698dd2e9c6664baa38b0edfa1f4f08222ee0edfd91a90886c1445624e0174427bac064fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe

Filesize
946KB

MD5
e50fa73beb76198fc0833e493dcb13aa

SHA1
c9584d49179d4128c03636d0bae7b963c7680081

SHA256
de745081e7f1e7b90cada7b37b8469512c1e5c9eb89bb7e0e27ab38a5d03c7eb

SHA512
2a2e5299496e08c8b686ddde156a087d5962ff3f4c658cb9c28f8f0f365a292014dfb968a068ff0194e0d72e857d37738cac9f644df9dd1366b7e54ad1d6ff7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aV6fu17.exe

Filesize
946KB

MD5
e50fa73beb76198fc0833e493dcb13aa

SHA1
c9584d49179d4128c03636d0bae7b963c7680081

SHA256
de745081e7f1e7b90cada7b37b8469512c1e5c9eb89bb7e0e27ab38a5d03c7eb

SHA512
2a2e5299496e08c8b686ddde156a087d5962ff3f4c658cb9c28f8f0f365a292014dfb968a068ff0194e0d72e857d37738cac9f644df9dd1366b7e54ad1d6ff7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe

Filesize
1.1MB

MD5
337da97bb85cf1c5cf97fc37e008fa6b

SHA1
60ef1e81ed36b75bd141d5a950104a625093264a

SHA256
20ed878c80abc2f62a34399d361a05682967e11b00ed42600fe8ce8fa0cbba98

SHA512
16d02fd5145313ca822d059239b6857fc0d12be1215dce354ca955c1f94146c9a6bf67201c4b1d74d3feb9248df4452895c2e258378607ec1868a1713e0326b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2rN7166.exe

Filesize
1.1MB

MD5
337da97bb85cf1c5cf97fc37e008fa6b

SHA1
60ef1e81ed36b75bd141d5a950104a625093264a

SHA256
20ed878c80abc2f62a34399d361a05682967e11b00ed42600fe8ce8fa0cbba98

SHA512
16d02fd5145313ca822d059239b6857fc0d12be1215dce354ca955c1f94146c9a6bf67201c4b1d74d3feb9248df4452895c2e258378607ec1868a1713e0326b9

Download Submit
memory/1176-26-0x000000000BE20000-0x000000000C31E000-memory.dmp

Filesize
5.0MB

Download
memory/1176-25-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/1176-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-27-0x000000000B9C0000-0x000000000BA52000-memory.dmp

Filesize
584KB

Download
memory/1176-28-0x000000000B990000-0x000000000B99A000-memory.dmp

Filesize
40KB

Download
memory/1176-29-0x000000000C930000-0x000000000CF36000-memory.dmp

Filesize
6.0MB

Download
memory/1176-30-0x000000000BCD0000-0x000000000BDDA000-memory.dmp

Filesize
1.0MB

Download
memory/1176-31-0x000000000BBF0000-0x000000000BC02000-memory.dmp

Filesize
72KB

Download
memory/1176-32-0x000000000BC50000-0x000000000BC8E000-memory.dmp

Filesize
248KB

Download
memory/1176-33-0x000000000C320000-0x000000000C36B000-memory.dmp

Filesize
300KB

Download
memory/1176-44-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads