redline | 0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
Size

769KB
MD5

1256f708f701022984164fbee3ae9434
SHA1

4c7032f4aea509e7dab6d37602c79e2478611936
SHA256

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171
SHA512

0b045b632fb716c67ceacf43bed145e119f540ebcf1b427a78f84ea6055377643ee0919f8cbad7ffd034afb2f444a9eda5f6ae127ffce89be0a774e170510917
SSDEEP

12288:8Mrsy90bwIM4l9soPBH8D0eRmQWnFQ3oas8VuA0Nb7+yZQvMou61+T:gyqZKcHM0ZnGYaxUA0Nbi+QkB61+T

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4552-22-0x0000000000610000-0x000000000069C000-memory.dmp	family_redline
behavioral13/memory/4552-28-0x0000000000610000-0x000000000069C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x1200585.exex5437816.exeg0536891.exe

pid process

876 x1200585.exe
1924 x5437816.exe
4552 g0536891.exe

pid	process
876	x1200585.exe
1924	x5437816.exe
4552	g0536891.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exex1200585.exex5437816.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1200585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5437816.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exex1200585.exex5437816.exe

description	pid	process	target process
PID 3460 wrote to memory of 876	3460	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	x1200585.exe
PID 3460 wrote to memory of 876	3460	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	x1200585.exe
PID 3460 wrote to memory of 876	3460	8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe	x1200585.exe
PID 876 wrote to memory of 1924	876	x1200585.exe	x5437816.exe
PID 876 wrote to memory of 1924	876	x1200585.exe	x5437816.exe
PID 876 wrote to memory of 1924	876	x1200585.exe	x5437816.exe
PID 1924 wrote to memory of 4552	1924	x5437816.exe	g0536891.exe
PID 1924 wrote to memory of 4552	1924	x5437816.exe	g0536891.exe
PID 1924 wrote to memory of 4552	1924	x5437816.exe	g0536891.exe

C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
"C:\Users\Admin\AppData\Local\Temp\8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
4⤵
- Executes dropped EXE
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1200585.exe
Filesize
613KB

MD5
4b68535d9ae7b13cf3ff2f073670fb2d

SHA1
3ab1babe56d11fa75a053a052cc21eae84258cf6

SHA256
ccf88160200e2eef59471125da41cf531f00d6be48b568e48f89373a12f76a32

SHA512
e7239d21f30c08b4676f08a26d5ecc6c469e9933fa3913039a9ab11c810c52c3599ee00bb4a660fdf1028736d48dd7fb05f8e7b04bfe663ff40b0596e5b98b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5437816.exe
Filesize
512KB

MD5
32956c577b9a017f545b468acd8a5ae8

SHA1
b507c3abdcefdf7496d5e7548ffe076967f4a043

SHA256
4343f9ba64b5d33cde391141404af6dbe47608e4fb6c56ff20c43a1c1329bf1a

SHA512
fdec719616daeddf386e91c279430699a23debe9318a9717d940963b43b9175ae6bdfad1c17251f698769a30dd4466ff4a45854bd34784f9544f88f3476097df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0536891.exe
Filesize
491KB

MD5
f172d470fc8f5a1f32456a418bcb6517

SHA1
7cedee0bcbcdb6ec4d0aa1c96cb781b58085c020

SHA256
29637e8c1a1ec7bffd145a7e2d3c0dd547d367d43c1a611fac2d21ebac4996b9

SHA512
f8f43a4c3ef3e7d0d79ad23ad29956d3a2c8d4e8bebbae7cdce7f0ca4ae5dd28408e3c0725ac65173a6b6bafb7c2b38e64f58b0339f4a4754eab76eadc21cc22

Download Submit
memory/4552-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4552-22-0x0000000000610000-0x000000000069C000-memory.dmp

Filesize
560KB

Download
memory/4552-28-0x0000000000610000-0x000000000069C000-memory.dmp

Filesize
560KB

Download
memory/4552-29-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/4552-30-0x00000000024E0000-0x00000000024E6000-memory.dmp

Filesize
24KB

Download
memory/4552-31-0x000000000A000000-0x000000000A618000-memory.dmp

Filesize
6.1MB

Download
memory/4552-32-0x000000000A6B0000-0x000000000A7BA000-memory.dmp

Filesize
1.0MB

Download
memory/4552-33-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/4552-34-0x000000000A800000-0x000000000A83C000-memory.dmp

Filesize
240KB

Download
memory/4552-35-0x000000000A870000-0x000000000A8BC000-memory.dmp

Filesize
304KB

Download