redline | 5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe

General

Target

5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe
Size

1.5MB
MD5

859dcc7c4c34d07895e38361d95dd45d
SHA1

e8f9b0822191ead93728a95bac56e05233b5a033
SHA256

5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe
SHA512

a7565da97fc7a868ec4f6dd07bea6961f366a15de0cd2619d80e2ff0c1b9c334076f1fc4e7317212e98344fca001ade21cd9889c5208bc6a28179da9ff25f1e3
SSDEEP

24576:oyWSwJ/NDfYh4mi85jlskYiMUF2tLJIE2ol1WbTqn6lgqFu7q:vWSiNDfY2mi8NarOF6qhGZ6uIu7

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23786749.exe	family_redline
behavioral1/memory/4504-35-0x0000000000A80000-0x0000000000AB0000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23786749.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/4504-35-0x0000000000A80000-0x0000000000AB0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 5 IoCs

Processes:

i58086975.exei72720283.exei08542090.exei24385348.exea23786749.exe

pid process

3552 i58086975.exe
4916 i72720283.exe
2532 i08542090.exe
1824 i24385348.exe
4504 a23786749.exe

pid	process
3552	i58086975.exe
4916	i72720283.exe
2532	i08542090.exe
1824	i24385348.exe
4504	a23786749.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

i58086975.exei72720283.exei08542090.exei24385348.exe5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i58086975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i72720283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i08542090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i24385348.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exei58086975.exei72720283.exei08542090.exei24385348.exe

description	pid	process	target process
PID 2576 wrote to memory of 3552	2576	5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe	i58086975.exe
PID 2576 wrote to memory of 3552	2576	5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe	i58086975.exe
PID 2576 wrote to memory of 3552	2576	5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe	i58086975.exe
PID 3552 wrote to memory of 4916	3552	i58086975.exe	i72720283.exe
PID 3552 wrote to memory of 4916	3552	i58086975.exe	i72720283.exe
PID 3552 wrote to memory of 4916	3552	i58086975.exe	i72720283.exe
PID 4916 wrote to memory of 2532	4916	i72720283.exe	i08542090.exe
PID 4916 wrote to memory of 2532	4916	i72720283.exe	i08542090.exe
PID 4916 wrote to memory of 2532	4916	i72720283.exe	i08542090.exe
PID 2532 wrote to memory of 1824	2532	i08542090.exe	i24385348.exe
PID 2532 wrote to memory of 1824	2532	i08542090.exe	i24385348.exe
PID 2532 wrote to memory of 1824	2532	i08542090.exe	i24385348.exe
PID 1824 wrote to memory of 4504	1824	i24385348.exe	a23786749.exe
PID 1824 wrote to memory of 4504	1824	i24385348.exe	a23786749.exe
PID 1824 wrote to memory of 4504	1824	i24385348.exe	a23786749.exe

C:\Users\Admin\AppData\Local\Temp\5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe
"C:\Users\Admin\AppData\Local\Temp\5bb60b23436c08afdd8a63e1d850cb1088a324801cb5c9df376ec77d94e7fabe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58086975.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58086975.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72720283.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72720283.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08542090.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08542090.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24385348.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24385348.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23786749.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23786749.exe
6⤵
- Executes dropped EXE
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58086975.exe
Filesize
1.3MB

MD5
d4fc7be50692f620c7f81bffe2846639

SHA1
3fe8f1dfe8fec2cf2ee6e9997d1dc43878cb8439

SHA256
b78590b6bb22b00f15027eb19c60ebc44e03cba26bec674139b8b6bc13e1e276

SHA512
382da487366c1bf0d17073b8330073b83feecd0b6740f716eaf52c7f830a978e89ba0ef18db943cc67aeeb9181e56ebe20c4227c176493da07de08ab4c30db04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72720283.exe
Filesize
1015KB

MD5
80a8f0fb8bae873c3f5a179683e3dec8

SHA1
f031604ed90ab1934048df2528ef56a3e479bbb1

SHA256
73b48c39f4bd6d4d9e05d9c0dcda60632b2ea1617374ec5d4344a83f068f5182

SHA512
2e04540b1b7283bcaa0f0cf65606082eb9246cb713a1d63c18bdbe1bb9a460fa3191acc249dbbb05136c015dd232ceeab755e748a822ed8e682bd40b49854f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08542090.exe
Filesize
844KB

MD5
29fac08a8e0c71bd8b3e7b78edc63938

SHA1
072b6a5954e299ebd33fd2e929890f6e38442151

SHA256
4c656f4adaf84cb23f8da7e4f3a43a2b8533e9689a76f0dbe356eca8b2a438cb

SHA512
1eaf6e3169d0ac9fec08c129f960f077cf79652ee758235b17854289bdece638da3b412da929c7147fda3636e6afeb4fb8fa52104e9739e528ba87fffc15d1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24385348.exe
Filesize
371KB

MD5
41d3ef143365de801c1bd43af63d7ccd

SHA1
509edb085feed796f7f81770803604980207e399

SHA256
6485b1c6aa9c567d1883ae5faf07a28219348d6d4e03e729dad73b7861862656

SHA512
2ce1c600267a91b2a247dce470f0fd8d205f3461903877cbe3006933528acd06c472109fe27ce0807e770e0d604213c5768e13e50136d939436adc80f56163e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23786749.exe
Filesize
169KB

MD5
aed9c99e16e5b402197d2edab05c1667

SHA1
adfced98796ca0aa2fb140771ca2d2512eea8e9f

SHA256
7ac00f7f80dbc90ca31c5276d0f1452ff6a92f57df48d2fdce046ca84f41ec3a

SHA512
c0d689a57d1787f43504d4d8965802c5e5bf4d331fcb290660a8f7b7a1d0c05a63ac305aacde7732529baef98d2a3effa36999946676fc90035430a7bb5fff5b

Download Submit
memory/4504-35-0x0000000000A80000-0x0000000000AB0000-memory.dmp

Filesize
192KB

Download
memory/4504-36-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/4504-37-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/4504-38-0x00000000055D0000-0x00000000056DA000-memory.dmp

Filesize
1.0MB

Download
memory/4504-39-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/4504-40-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/4504-41-0x00000000054C0000-0x000000000550C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads