redline | 7cc4ca7df1354c5dcc6727cacfda8e239f161845dfb3a7cb9889f29fad4b792a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe
Size

769KB
MD5

9ceb7e981876441b81635ed856e5ac11
SHA1

98c6e57fa8988129fbb40b89436f4248bf02c617
SHA256

3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5
SHA512

c540769d361ec0aac69c932115cec9a39991edd7b43993fbf8850037f58787165b808a0397de62815fa3adbeab15a271513b276a0f887baf557a94a42ed6721b
SSDEEP

12288:bMrWy90ucNTOa/oSXd6k6GMAhDH3RcZcVzhvfr25meC/N7ycpyv1:9yhcN7wSsAh99rvScd/NOc6

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral9/memory/3104-21-0x0000000001F70000-0x0000000001FFC000-memory.dmp	family_redline
behavioral9/memory/3104-28-0x0000000001F70000-0x0000000001FFC000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3516	x3451041.exe
4876	x9533140.exe
3104	g4387079.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3451041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9533140.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3516	3304	3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe	82
PID 3304 wrote to memory of 3516	3304	3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe	82
PID 3304 wrote to memory of 3516	3304	3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe	82
PID 3516 wrote to memory of 4876	3516	x3451041.exe	84
PID 3516 wrote to memory of 4876	3516	x3451041.exe	84
PID 3516 wrote to memory of 4876	3516	x3451041.exe	84
PID 4876 wrote to memory of 3104	4876	x9533140.exe	85
PID 4876 wrote to memory of 3104	4876	x9533140.exe	85
PID 4876 wrote to memory of 3104	4876	x9533140.exe	85

C:\Users\Admin\AppData\Local\Temp\3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe
"C:\Users\Admin\AppData\Local\Temp\3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3451041.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3451041.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9533140.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9533140.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4387079.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4387079.exe
      4⤵
      Executes dropped EXE
      PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3451041.exe

Filesize
613KB

MD5
85e427c9257b0a8c8bedf49c79cce243

SHA1
27b41475c02ae0b7101248183190fc85f67f27e6

SHA256
3b28862d97c3be0a36fd1fb19283a3f5ec02c1ce450fedab6193832042bba304

SHA512
55163548c386076b28f57b5c7607dde49596cfeb6eb8121faa33aa841847153fab7cdcecce05a8263d8c5b8c82ab01105d3a09cf020d83bd5ea0637831a36292

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9533140.exe

Filesize
512KB

MD5
057890c139b53466ef5bbcb05515c57e

SHA1
17d1c24af2d4b793379e6327284ee17cd83085a4

SHA256
24469b80d067dd8f3702e4e57f38768755b7eda20faf24a55577313b6a13b420

SHA512
efc310031c8e7a19b33af06d33baec7474f359fdb33905f19c135564f59ac030968ef4cfa59697836211a4d26e36820899c2c9da4a8d36f2f5e6996635813b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4387079.exe

Filesize
491KB

MD5
e76acee1a8aec03021a19b513b2840eb

SHA1
0f7f101568ba939c3dde1bbee456ef558e005960

SHA256
11d122567336ec2641f0f38b47fb9f469d9b4ffee8a017f996a028b8989a597b

SHA512
dcd6da202bbcf52fadfd1d12a25eb88383e76274dbd09044e9dc40e36542b4c0791234bbb3101e1e61f48958b00dac26e7c266a65bf3bd54ddec37e2fcd8a3eb

Download Submit
memory/3104-30-0x0000000004670000-0x0000000004676000-memory.dmp

Filesize
24KB

Download
memory/3104-21-0x0000000001F70000-0x0000000001FFC000-memory.dmp

Filesize
560KB

Download
memory/3104-29-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/3104-27-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/3104-28-0x0000000001F70000-0x0000000001FFC000-memory.dmp

Filesize
560KB

Download
memory/3104-31-0x0000000004B30000-0x0000000005148000-memory.dmp

Filesize
6.1MB

Download
memory/3104-33-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/3104-34-0x0000000005330000-0x000000000536C000-memory.dmp

Filesize
240KB

Download
memory/3104-32-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/3104-35-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads