redline | f66854431dc57070e060e776be18cba0992366fab22b71f8cf929b91c81a6c26

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe
Size

768KB
MD5

39bf80eb44acf1a81fada3d27fc3d228
SHA1

ab1b7c12d61733d2ff88c01c76fff9d8bdd15b0e
SHA256

82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f
SHA512

726d3d9f8990f6e0ad6d00d35dfb69d316bfe474a94bb429cb34a580b86c7e3750bcb0d05e6bb0731efea28123beb399da4d2d492351a9f275165d45f6a47096
SSDEEP

24576:XyHqqDah9D/bplKzYEkXOsb/xnZIuPhG:iKqSD/bHOYEM/ZiuZ

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral17/memory/3520-22-0x00000000007C0000-0x000000000084C000-memory.dmp	family_redline
behavioral17/memory/3520-28-0x00000000007C0000-0x000000000084C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x3861992.exex0499880.exeg0964284.exe

pid process

1544 x3861992.exe
800 x0499880.exe
3520 g0964284.exe

pid	process
1544	x3861992.exe
800	x0499880.exe
3520	g0964284.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exex3861992.exex0499880.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3861992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0499880.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exex3861992.exex0499880.exe

description	pid	process	target process
PID 5016 wrote to memory of 1544	5016	82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe	x3861992.exe
PID 5016 wrote to memory of 1544	5016	82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe	x3861992.exe
PID 5016 wrote to memory of 1544	5016	82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe	x3861992.exe
PID 1544 wrote to memory of 800	1544	x3861992.exe	x0499880.exe
PID 1544 wrote to memory of 800	1544	x3861992.exe	x0499880.exe
PID 1544 wrote to memory of 800	1544	x3861992.exe	x0499880.exe
PID 800 wrote to memory of 3520	800	x0499880.exe	g0964284.exe
PID 800 wrote to memory of 3520	800	x0499880.exe	g0964284.exe
PID 800 wrote to memory of 3520	800	x0499880.exe	g0964284.exe

C:\Users\Admin\AppData\Local\Temp\82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe
"C:\Users\Admin\AppData\Local\Temp\82e97b51cae4985f5a2abc5bbe0fe4c23fb25fa8072e45d5e34ec789cb7fcc5f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3861992.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3861992.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0499880.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0499880.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0964284.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0964284.exe
      4⤵
      Executes dropped EXE
      PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3861992.exe

Filesize
613KB

MD5
f8fd51a60aeb20176c23847c641bd685

SHA1
cfa7f926a0eaaaab32d12089a30a8686cd4781c8

SHA256
df3628ba060a96d1d39c4c3fe2a35d166fbfbf13e1e71bf02a4061c4b85d2a8a

SHA512
cb6365432e6c1670419a941e6830eb0254572c50d5e22ca330564858a7e67b6480152a4ea86c4b54c7067994ed29ae7a3eaf65fbe33e4dc67cad093820a2a52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0499880.exe

Filesize
512KB

MD5
cb02179f1b4ec56ac46106ab3c8a6da4

SHA1
a158e77fd9fe8bc718ae3a53c107e61b5d74685c

SHA256
53778a922e24dc3e0446fc86ddfa3f04e6592e7fbc71dd416c928c8bd3c87de4

SHA512
c4279e99940ad08636c24bc5d6abf8da86ae924ceae3ca4486cbdd9138234ab4f4ada98065610cd6cb53c6b00dfeaba7c007120d465fcdf510d8198d65d6a6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0964284.exe

Filesize
492KB

MD5
f543fa9e3d44db6851ca3a1af6a094c2

SHA1
4aa6879c80ef145d11f95810c41b7c5733e81f7a

SHA256
408ef900484b44fb7d41ebe3c3a8c06ce8f13cfc791803374666b15847272736

SHA512
efda8c364c056a0b12ac94f3606f9f93bfc6325378e57f148ae3b400cb6a31774705d083fb9ffa739c2b8c7441aba58c03481202e9df63fc14cb1fcd9aac0aa6

Download Submit
memory/3520-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/3520-22-0x00000000007C0000-0x000000000084C000-memory.dmp

Filesize
560KB

Download
memory/3520-29-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/3520-28-0x00000000007C0000-0x000000000084C000-memory.dmp

Filesize
560KB

Download
memory/3520-30-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/3520-31-0x000000000A6E0000-0x000000000ACF8000-memory.dmp

Filesize
6.1MB

Download
memory/3520-32-0x000000000A0C0000-0x000000000A1CA000-memory.dmp

Filesize
1.0MB

Download
memory/3520-33-0x0000000006BD0000-0x0000000006BE2000-memory.dmp

Filesize
72KB

Download
memory/3520-34-0x0000000006BF0000-0x0000000006C2C000-memory.dmp

Filesize
240KB

Download
memory/3520-35-0x0000000006C80000-0x0000000006CCC000-memory.dmp

Filesize
304KB

Download