redline | c9e1bcbbab1fafcf8cc24760bccf3efac8e604baa1ea574dbe47e2dd7ac09433

Analysis

max time kernel
145s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe
Size

307KB
MD5

861644a76bd45137c176d6c5c2b82cd5
SHA1

5cfb78556e08a6c8e79f6df91cf91df3aff5308d
SHA256

91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b
SHA512

b949eb3d0296222433ead224f0905868965dfef8112a5fc33dcd07a3c88f4c1edb999889373faf09dbd06b9b072b76c5c69bcda19d95764839ebc8c2e7f5197e
SSDEEP

6144:K0y+bnr+mp0yN90QE2wSAl3Oz+7tI9w9F1OQINXV:kMrGy90vr3Oz+7tIOv1OjNXV

Score

10^/10

redline dumud infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0009000000023276-5.dat	family_redline
behavioral17/memory/640-8-0x0000000000C00000-0x0000000000C30000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
640	g0381365.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 640	4764	91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe	91
PID 4764 wrote to memory of 640	4764	91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe	91
PID 4764 wrote to memory of 640	4764	91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe	91

C:\Users\Admin\AppData\Local\Temp\91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe
"C:\Users\Admin\AppData\Local\Temp\91764c20cbe482b1a5b8aa8c305a606675ac822cf3322e1b30d15c022219581b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0381365.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0381365.exe
  2⤵
  - Executes dropped EXE
  PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0381365.exe

Filesize
168KB

MD5
343a04fd108cdedb9ade5c50c7675872

SHA1
bd91c4bb4b6fb8ce0d2441051c7a20e2b0adfe89

SHA256
cad3a56c58679f1db99f2dfb420b4a484bb39756cbabf6fed0a5281940b47445

SHA512
7bf23230f7327c0e099a2349c4f7ebe43490d64a4b68032064b5312246a3ef2a841904bf4839644defbda19ea8b47de565e464361474b29e00adc67d57381221

Download Submit
memory/640-7-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/640-8-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/640-9-0x0000000005520000-0x0000000005526000-memory.dmp

Filesize
24KB

Download
memory/640-10-0x000000000AF70000-0x000000000B588000-memory.dmp

Filesize
6.1MB

Download
memory/640-11-0x000000000AA70000-0x000000000AB7A000-memory.dmp

Filesize
1.0MB

Download
memory/640-12-0x000000000A9A0000-0x000000000A9B2000-memory.dmp

Filesize
72KB

Download
memory/640-13-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/640-14-0x000000000AA00000-0x000000000AA3C000-memory.dmp

Filesize
240KB

Download
memory/640-15-0x000000000AB80000-0x000000000ABCC000-memory.dmp

Filesize
304KB

Download
memory/640-16-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/640-17-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads