redline | c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17

General

Target

c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe
Size

1.5MB
MD5

4e1033f29d7b0f7f48d70ab88e444bdf
SHA1

1993a6860c50a8abe9fb1830010054e23329f0b1
SHA256

c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17
SHA512

55d66ffade05bab05f1b7391aef5eec30048cd6a5bb31f7865b1438aaa21e3768394b850b957676670187b9084f939d9fd041471135b39456a7cf960d7910235
SSDEEP

24576:xyd31pJazr7PNQiOPDn5dbMEZcOgmE/luFKzxQcSe/Xo08WAoMGUQvDouj5NQaea:kd3nJGr71DOnLMgrE/1ee/R8WAeUQvDP

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

C2

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002345b-33.dat	family_redline
behavioral1/memory/4560-35-0x00000000002C0000-0x00000000002F0000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002345b-33.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/4560-35-0x00000000002C0000-0x00000000002F0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 5 IoCs

pid	Process
1920	i02087503.exe
3248	i14225080.exe
1776	i10824586.exe
3828	i08997393.exe
4560	a56570727.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i02087503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i14225080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i10824586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i08997393.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1920	1288	c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe	83
PID 1288 wrote to memory of 1920	1288	c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe	83
PID 1288 wrote to memory of 1920	1288	c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe	83
PID 1920 wrote to memory of 3248	1920	i02087503.exe	84
PID 1920 wrote to memory of 3248	1920	i02087503.exe	84
PID 1920 wrote to memory of 3248	1920	i02087503.exe	84
PID 3248 wrote to memory of 1776	3248	i14225080.exe	85
PID 3248 wrote to memory of 1776	3248	i14225080.exe	85
PID 3248 wrote to memory of 1776	3248	i14225080.exe	85
PID 1776 wrote to memory of 3828	1776	i10824586.exe	86
PID 1776 wrote to memory of 3828	1776	i10824586.exe	86
PID 1776 wrote to memory of 3828	1776	i10824586.exe	86
PID 3828 wrote to memory of 4560	3828	i08997393.exe	88
PID 3828 wrote to memory of 4560	3828	i08997393.exe	88
PID 3828 wrote to memory of 4560	3828	i08997393.exe	88

C:\Users\Admin\AppData\Local\Temp\c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe
"C:\Users\Admin\AppData\Local\Temp\c81aea247f707f8f8e5d6dcc798547f48e940f24a12d6e15bd8177ab06635a17.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i02087503.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i02087503.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14225080.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14225080.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10824586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10824586.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08997393.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08997393.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56570727.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56570727.exe
        6⤵
        Executes dropped EXE
        
        PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i02087503.exe

Filesize
1.3MB

MD5
c91d99ece399758b17aa9c50536972f8

SHA1
ab5466337a27d2e4ae7bf9ed45c1fcaa5a0304db

SHA256
d17b541584fd825deea2b3c711de290e35317bc5aebdef7463b03a008af0e114

SHA512
0363d0cdb29e332cb3ed2ac235cc0d2fe3448ab60db3ee43c93a92adb58b9ad0e15dc1727359476c13f640ebf6324e16d0e14209bac607a4bfbf6b56bf353da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14225080.exe

Filesize
1015KB

MD5
826ab8bf940a3b9c0154858d971624ff

SHA1
bdd62d01c5d528fceba566e8bf9eb13322e21f50

SHA256
7bfebc15c974afc55483fc09805ff5047310f94d337622d042a3fdb114f5687f

SHA512
767f7b233baa30a1591460f2e38c6459cbddf649c7f5b10f84003fa7f9524d8a5d7f511e71f80edccacc1727cfc2c91967a310603184582cda76d18f93d86546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10824586.exe

Filesize
843KB

MD5
a80e9fdee3477138f5f704d1182ae62e

SHA1
cf971c6924333c62ba10200c99d091cf5653fe08

SHA256
e3e664427ce741b285f1a95ed469c1e56989166b7644fe861bff14f2fd237951

SHA512
65264c1861415ef71da2d527acfcc141153ae450b3d838dbe42cbe1455ab702088e5bdb5c766aa83f8ad4505f386872d3a283ce913b564f5dd34bef7037be707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08997393.exe

Filesize
371KB

MD5
2bc99c846206de9bc10ee5f16689ee46

SHA1
b25a5d965213a5f954807ef0c8f0e629e6895484

SHA256
6da03bfc5a81e265dbfc892ecc25713b308806096d9d26f8a1a0d27a08f072f6

SHA512
1482df8d7e4177d7412ed06fbfb7549cd7024de4ebd50e9ef31aa351afa385224379c8fed2a8c68562c9a5707c9aa5ad8782b88ba3796ed2b1d816628736dd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56570727.exe

Filesize
169KB

MD5
607fdf33f2d85f46c5dad178b041cc33

SHA1
806b886235fcfdeb8542f2178d8a039d7449618a

SHA256
cb315bc5393bac450f372c999eb2b7775034b2873d92d20e75e965f27f4a7dc3

SHA512
812407525df869bbce57faa33fbeca59bb2558bffad43705e8e7d0b45ce86e3abdaf8d511fcbea57d5774fa4203975a53905118f854100067d98195b4f1bc8cc

Download Submit
memory/4560-35-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/4560-36-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/4560-37-0x000000000A640000-0x000000000AC58000-memory.dmp

Filesize
6.1MB

Download
memory/4560-38-0x000000000A130000-0x000000000A23A000-memory.dmp

Filesize
1.0MB

Download
memory/4560-39-0x000000000A060000-0x000000000A072000-memory.dmp

Filesize
72KB

Download
memory/4560-40-0x000000000A0C0000-0x000000000A0FC000-memory.dmp

Filesize
240KB

Download
memory/4560-41-0x0000000004650000-0x000000000469C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads