redline | 9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed

General

Target

9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe
Size

1.1MB
MD5

e33647f3fd0300d9f4e9b09fc7a8aefc
SHA1

8ec5e7fee0ad88a5a4e34bb5f7e53e4c07d9db95
SHA256

9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed
SHA512

82967cd4ce656350b370dd49aeea9852bcdbae802858aa11ef378a12314f1f9526c0919be601385abc84f47c5e8469fcb88762b91ca012322298512ac834bb12
SSDEEP

24576:Qy36I5WatRvczYSdL1Cp0Bvv9iOyxtRAfTpgNTMr3:XlWatRU9J1CWtFiO+RAfTpOT

Score

10^/10

redline horda infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

horda

C2

194.49.94.152:19053

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/600-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2492	nh1OI72.exe
4756	oZ1JN67.exe
1884	2Tp7524.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nh1OI72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	oZ1JN67.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 600	1884	2Tp7524.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4192	1884	WerFault.exe	73

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2492	5088	9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe	71
PID 5088 wrote to memory of 2492	5088	9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe	71
PID 5088 wrote to memory of 2492	5088	9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe	71
PID 2492 wrote to memory of 4756	2492	nh1OI72.exe	72
PID 2492 wrote to memory of 4756	2492	nh1OI72.exe	72
PID 2492 wrote to memory of 4756	2492	nh1OI72.exe	72
PID 4756 wrote to memory of 1884	4756	oZ1JN67.exe	73
PID 4756 wrote to memory of 1884	4756	oZ1JN67.exe	73
PID 4756 wrote to memory of 1884	4756	oZ1JN67.exe	73
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75
PID 1884 wrote to memory of 600	1884	2Tp7524.exe	75

C:\Users\Admin\AppData\Local\Temp\9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe
"C:\Users\Admin\AppData\Local\Temp\9a419c16bb37cea0998a337f42e71a977b970b475b3372da1b5cacfddb37afed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh1OI72.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh1OI72.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ1JN67.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ1JN67.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Tp7524.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Tp7524.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 592
        5⤵
        Program crash
        
        PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh1OI72.exe

Filesize
936KB

MD5
fe33804b06473fed0f9e55ed163c004c

SHA1
78817f3d816c0e2e2c9b5f4f461ad03d8d2b686b

SHA256
92d38503409a268d4ea2b3a482d335cbdec803d24c8b6c0d220b19cc5d130006

SHA512
6136190bc6162d00f6b6a68e207bde7c758d3cb2f856b85f08fee464d19cd9911e5d92f4b1e483ab587aed75e414f29a7d5f2b3ebfc9f342faa7d565ccfb4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nh1OI72.exe

Filesize
936KB

MD5
fe33804b06473fed0f9e55ed163c004c

SHA1
78817f3d816c0e2e2c9b5f4f461ad03d8d2b686b

SHA256
92d38503409a268d4ea2b3a482d335cbdec803d24c8b6c0d220b19cc5d130006

SHA512
6136190bc6162d00f6b6a68e207bde7c758d3cb2f856b85f08fee464d19cd9911e5d92f4b1e483ab587aed75e414f29a7d5f2b3ebfc9f342faa7d565ccfb4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ1JN67.exe

Filesize
812KB

MD5
20624a0145993b31e6ace19904c555a8

SHA1
b9484b81aacda8c7bb7ed9700ccc287e7d9e00a0

SHA256
ce1e2600a063dc9a402cc162b0ac4a29f03ad2cac9448c1b9883792bec730e90

SHA512
3ca293e5fdb68e34f004e54dbd567c1dfb070f486b2b58e62250d60346a0b9d7931632d9e9a4f0b2b0cd2ee4e6592f3c5d73929c6654afdef2e801da795adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oZ1JN67.exe

Filesize
812KB

MD5
20624a0145993b31e6ace19904c555a8

SHA1
b9484b81aacda8c7bb7ed9700ccc287e7d9e00a0

SHA256
ce1e2600a063dc9a402cc162b0ac4a29f03ad2cac9448c1b9883792bec730e90

SHA512
3ca293e5fdb68e34f004e54dbd567c1dfb070f486b2b58e62250d60346a0b9d7931632d9e9a4f0b2b0cd2ee4e6592f3c5d73929c6654afdef2e801da795adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Tp7524.exe

Filesize
432KB

MD5
cf2e430dd76dc3201beb024082472c03

SHA1
123339c017953f27e3a73992fae096fccce3d4f6

SHA256
50daddd046fbb4d9cc2e9bb8ca0d572017f58163d3c7583bb84be2546228c1d5

SHA512
dbe9b4f84df746827bbf726b5fcbb6cb5f31d506317a083a6b1b082477c5f5ee1eb5482fdb24f2ea297d66bba6464efff648fe97ce8d23bf0516754bc18caf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Tp7524.exe

Filesize
432KB

MD5
cf2e430dd76dc3201beb024082472c03

SHA1
123339c017953f27e3a73992fae096fccce3d4f6

SHA256
50daddd046fbb4d9cc2e9bb8ca0d572017f58163d3c7583bb84be2546228c1d5

SHA512
dbe9b4f84df746827bbf726b5fcbb6cb5f31d506317a083a6b1b082477c5f5ee1eb5482fdb24f2ea297d66bba6464efff648fe97ce8d23bf0516754bc18caf0b

Download Submit
memory/600-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/600-25-0x0000000073720000-0x0000000073E0E000-memory.dmp

Filesize
6.9MB

Download
memory/600-26-0x000000000BFA0000-0x000000000C49E000-memory.dmp

Filesize
5.0MB

Download
memory/600-27-0x000000000BB80000-0x000000000BC12000-memory.dmp

Filesize
584KB

Download
memory/600-28-0x000000000BB40000-0x000000000BB4A000-memory.dmp

Filesize
40KB

Download
memory/600-29-0x000000000CAB0000-0x000000000D0B6000-memory.dmp

Filesize
6.0MB

Download
memory/600-30-0x000000000BE70000-0x000000000BF7A000-memory.dmp

Filesize
1.0MB

Download
memory/600-31-0x000000000BDA0000-0x000000000BDB2000-memory.dmp

Filesize
72KB

Download
memory/600-32-0x000000000BE00000-0x000000000BE3E000-memory.dmp

Filesize
248KB

Download
memory/600-33-0x000000000C4A0000-0x000000000C4EB000-memory.dmp

Filesize
300KB

Download
memory/600-38-0x0000000073720000-0x0000000073E0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads