redline | 9805f81a13aaa68a2026a38b70b1fdd1d76fee0ff63916c669d728c6e4dc3b7e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe
Size

767KB
MD5

4ce629f8747eda6f87736e78bdfa16a9
SHA1

17184f40285443cc76533b58363b13cd1647ad99
SHA256

2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c
SHA512

1aff9c893365d2cf73edf1634964f09c50665f6d4b057bf3ca8352c97ca9a488c5bfc17ac1d69c8d31e1b0e9800017765aba5374362a47ef758f18a66db0148a
SSDEEP

12288:cMrGy90KcRXwceOU3O7iGzGz6AOrFilv4k425Uvy2hl+nMLAUwoNTeWsIk:iy9e893OuGzGkrFiGkL5Ur+g1k

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2264-23-0x0000000001F50000-0x0000000001FDA000-memory.dmp	family_redline
behavioral4/memory/2264-28-0x0000000001F50000-0x0000000001FDA000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x4624342.exex4990759.exeg5571265.exe

pid process

376 x4624342.exe
2796 x4990759.exe
2264 g5571265.exe

pid	process
376	x4624342.exe
2796	x4990759.exe
2264	g5571265.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exex4624342.exex4990759.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4624342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4990759.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exex4624342.exex4990759.exe

description	pid	process	target process
PID 3624 wrote to memory of 376	3624	2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe	x4624342.exe
PID 3624 wrote to memory of 376	3624	2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe	x4624342.exe
PID 3624 wrote to memory of 376	3624	2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe	x4624342.exe
PID 376 wrote to memory of 2796	376	x4624342.exe	x4990759.exe
PID 376 wrote to memory of 2796	376	x4624342.exe	x4990759.exe
PID 376 wrote to memory of 2796	376	x4624342.exe	x4990759.exe
PID 2796 wrote to memory of 2264	2796	x4990759.exe	g5571265.exe
PID 2796 wrote to memory of 2264	2796	x4990759.exe	g5571265.exe
PID 2796 wrote to memory of 2264	2796	x4990759.exe	g5571265.exe

C:\Users\Admin\AppData\Local\Temp\2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe
"C:\Users\Admin\AppData\Local\Temp\2d0e9487b9ef5db2eb0500ce9a5ed167ceb3c1f271e1a50f7283d3ed521cb67c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4624342.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4624342.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4990759.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4990759.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5571265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5571265.exe
      4⤵
      Executes dropped EXE
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4624342.exe

Filesize
611KB

MD5
c19a070d578c3048f2bc340ea37fb1af

SHA1
17435035b49b651208fa6b4c192722563fbefab2

SHA256
48ce50fd4b83dff530aeefec5cc2017c7f13f30ed9f04c3e6e01470c2e58fd5c

SHA512
12408c547482db44a265e4a08d257806fbab9fdbfb7cfb9f879e4fa676c8ff892759fd5c0737be29c672890bf7a5e385c499a35b781355a151eb3ad38ed3bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4990759.exe

Filesize
510KB

MD5
e89512d3fcd756a0cb87d058e0277dbc

SHA1
7086afca3da78bb9f0e841dc2d6ccd5dbe59a297

SHA256
125e31fa0bda15bfd4aac4ec647fbec534a6efe26bfe16ba6c7d87511f4f7df8

SHA512
5b30c39b44e175bedd8c390b689a199a984efe3e7d778d71323f21b76f633de500ac814ec3eb8029917a06b0244274e398e90103609b58ac3cc272257112582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5571265.exe

Filesize
486KB

MD5
c56073d8d1fde5131e4a36f6823dfa52

SHA1
0c775ef3447a2f8c261e049f86f84913c8999c5e

SHA256
41c8637bda09be9a99f1c2e3eab4cf5e636e193b1d7b5f2818dba3d3f5a99bc8

SHA512
bedf40c49647054a4b35cf6484826eb4142767cd1a5258bd97a6bff437c30f4b25b764bdd742a5b9aaa4c8ffe8ee372620ae95a931a5eab1e966c8b49640df0a

Download Submit
memory/2264-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2264-23-0x0000000001F50000-0x0000000001FDA000-memory.dmp

Filesize
552KB

Download
memory/2264-28-0x0000000001F50000-0x0000000001FDA000-memory.dmp

Filesize
552KB

Download
memory/2264-29-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/2264-30-0x0000000004630000-0x0000000004636000-memory.dmp

Filesize
24KB

Download
memory/2264-31-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/2264-32-0x0000000004B80000-0x0000000004C8A000-memory.dmp

Filesize
1.0MB

Download
memory/2264-33-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/2264-34-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/2264-35-0x0000000004D40000-0x0000000004D8C000-memory.dmp

Filesize
304KB

Download