redline | 1fdd5f3e8505e6e6d5694fd5bb78388c9f5ca6f38c5a2c066159adca4a10d217

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
Size

771KB
MD5

7ffad6f51f9598958204eca8679690b0
SHA1

aac9ca0423c177d041dcb22832f581d8c39bc184
SHA256

ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
SHA512

6a0feb1278e1bc5742a4b8909a6818743841e0d16b935d659fe6a60cd9837563ea5ea7ef9973afa1cc64c41681e140d5e7c85300346c875d1b17571aaff41430
SSDEEP

12288:uMrLy90EtWzfh9lViybaDJcyMYLk4hC+D+SjbIyWAcDSGb1cqSU0Rzyqj:xyfWFARJcyjJhBNmdcqL0wqj

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/memory/4260-22-0x00000000005C0000-0x000000000064C000-memory.dmp	family_redline
behavioral8/memory/4260-28-0x00000000005C0000-0x000000000064C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3568	x5396804.exe
1952	x3011045.exe
4260	g5243225.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5396804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3011045.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3568	4620	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	91
PID 4620 wrote to memory of 3568	4620	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	91
PID 4620 wrote to memory of 3568	4620	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	91
PID 3568 wrote to memory of 1952	3568	x5396804.exe	92
PID 3568 wrote to memory of 1952	3568	x5396804.exe	92
PID 3568 wrote to memory of 1952	3568	x5396804.exe	92
PID 1952 wrote to memory of 4260	1952	x3011045.exe	93
PID 1952 wrote to memory of 4260	1952	x3011045.exe	93
PID 1952 wrote to memory of 4260	1952	x3011045.exe	93

C:\Users\Admin\AppData\Local\Temp\ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
"C:\Users\Admin\AppData\Local\Temp\ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe
      4⤵
      Executes dropped EXE
      PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe

Filesize
616KB

MD5
5776e55e4d2ff7e0335f68bcca639c44

SHA1
753d68485b4b086ac1481ee1f1e4aa5f5d960afb

SHA256
9c4239bf16e8b8e477e8f53d5cbbe45c6818e87454274749788bb0369f47c590

SHA512
199d4116faf9a094a30ec1908612d7b695e4517ffc0890fd7c3de1b8d225fdb9e95b4edf862f0059f0448dc60f16928e3801b77031e607f32dfaf56f4a0ce020

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe

Filesize
515KB

MD5
12dc6d82b6ce257ffc4af0125bd14396

SHA1
ce273d0cee373800fea60a9c8f3795294bce4cf8

SHA256
428af94e3a3a6a7d70b98f99c7a4bf867ec190287f6062a34e0ba16c6c27521d

SHA512
0676e3dac90ff0bfd55f0fa3efbbe899ee1c8a6fdcfa6918654dbb47636b192ef0cff0877789c239a454ab2a0eea14e6d28cd53177a521a26b069dc4e3bf9d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe

Filesize
492KB

MD5
2c019fe9be415b2bd07d1c1493776a31

SHA1
73c6ed8cca7be66b903ff20b75479af6ad53f2c1

SHA256
8c613af780df9cae77d603395e79ebead4165d889ec7cc4a585bbffa0d817e96

SHA512
86542984fa994b61732092ecd148590d6321d6fb46d23e229906ff4219b34933c3a3558a3adbe121b8c08f2f81a346b87ff2224737896f31512fddbcf1fb3855

Download Submit
memory/4260-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4260-22-0x00000000005C0000-0x000000000064C000-memory.dmp

Filesize
560KB

Download
memory/4260-28-0x00000000005C0000-0x000000000064C000-memory.dmp

Filesize
560KB

Download
memory/4260-29-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/4260-30-0x0000000002380000-0x0000000002386000-memory.dmp

Filesize
24KB

Download
memory/4260-31-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/4260-32-0x0000000004BB0000-0x0000000004CBA000-memory.dmp

Filesize
1.0MB

Download
memory/4260-33-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/4260-34-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/4260-35-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads