redline | 2fa961b375e2da330a3b514d2c64bff25f393a2a58adb19f2372609308426060

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
Size

769KB
MD5

1256f708f701022984164fbee3ae9434
SHA1

4c7032f4aea509e7dab6d37602c79e2478611936
SHA256

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171
SHA512

0b045b632fb716c67ceacf43bed145e119f540ebcf1b427a78f84ea6055377643ee0919f8cbad7ffd034afb2f444a9eda5f6ae127ffce89be0a774e170510917
SSDEEP

12288:8Mrsy90bwIM4l9soPBH8D0eRmQWnFQ3oas8VuA0Nb7+yZQvMou61+T:gyqZKcHM0ZnGYaxUA0Nbi+QkB61+T

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/memory/664-23-0x0000000001FB0000-0x000000000203C000-memory.dmp	family_redline
behavioral12/memory/664-28-0x0000000001FB0000-0x000000000203C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
832	x1200585.exe
3636	x5437816.exe
664	g0536891.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1200585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5437816.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 832	1224	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	83
PID 1224 wrote to memory of 832	1224	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	83
PID 1224 wrote to memory of 832	1224	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	83
PID 832 wrote to memory of 3636	832	x1200585.exe	84
PID 832 wrote to memory of 3636	832	x1200585.exe	84
PID 832 wrote to memory of 3636	832	x1200585.exe	84
PID 3636 wrote to memory of 664	3636	x5437816.exe	85
PID 3636 wrote to memory of 664	3636	x5437816.exe	85
PID 3636 wrote to memory of 664	3636	x5437816.exe	85

C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
"C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
      4⤵
      Executes dropped EXE
      PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe

Filesize
613KB

MD5
4b68535d9ae7b13cf3ff2f073670fb2d

SHA1
3ab1babe56d11fa75a053a052cc21eae84258cf6

SHA256
ccf88160200e2eef59471125da41cf531f00d6be48b568e48f89373a12f76a32

SHA512
e7239d21f30c08b4676f08a26d5ecc6c469e9933fa3913039a9ab11c810c52c3599ee00bb4a660fdf1028736d48dd7fb05f8e7b04bfe663ff40b0596e5b98b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe

Filesize
512KB

MD5
32956c577b9a017f545b468acd8a5ae8

SHA1
b507c3abdcefdf7496d5e7548ffe076967f4a043

SHA256
4343f9ba64b5d33cde391141404af6dbe47608e4fb6c56ff20c43a1c1329bf1a

SHA512
fdec719616daeddf386e91c279430699a23debe9318a9717d940963b43b9175ae6bdfad1c17251f698769a30dd4466ff4a45854bd34784f9544f88f3476097df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe

Filesize
491KB

MD5
f172d470fc8f5a1f32456a418bcb6517

SHA1
7cedee0bcbcdb6ec4d0aa1c96cb781b58085c020

SHA256
29637e8c1a1ec7bffd145a7e2d3c0dd547d367d43c1a611fac2d21ebac4996b9

SHA512
f8f43a4c3ef3e7d0d79ad23ad29956d3a2c8d4e8bebbae7cdce7f0ca4ae5dd28408e3c0725ac65173a6b6bafb7c2b38e64f58b0339f4a4754eab76eadc21cc22

Download Submit
memory/664-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/664-23-0x0000000001FB0000-0x000000000203C000-memory.dmp

Filesize
560KB

Download
memory/664-28-0x0000000001FB0000-0x000000000203C000-memory.dmp

Filesize
560KB

Download
memory/664-29-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/664-30-0x00000000023B0000-0x00000000023B6000-memory.dmp

Filesize
24KB

Download
memory/664-31-0x0000000004B60000-0x0000000005178000-memory.dmp

Filesize
6.1MB

Download
memory/664-32-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/664-33-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/664-34-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/664-35-0x00000000053B0000-0x00000000053FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads