redline | fea4a5268fd3fad5b4772bcf4ef021d104110cff4b7bd43f6ad10ebcab7b0916

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe
Size

307KB
MD5

b16e53bf8c31df4612c6d929fe180180
SHA1

89b65a826c47294d98c3377d4255588874e126d8
SHA256

7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77
SHA512

c0b0173bf1440693c36fa7c0cbc76ba8643a2487694eb69255181433d69b29ffcf6089c49604600331570ad5a886f176052e79e7dbcc5e4219e0db4e17fb49b3
SSDEEP

6144:KRy+bnr+ep0yN90QEuwSAldxTiKxsNsnqYzp2XzB6Keg:vMrmy90rrd0sn5tosg

Score

10^/10

redline dumud infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0009000000023402-5.dat	family_redline
behavioral14/memory/452-8-0x0000000000680000-0x00000000006B0000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
452	g7847907.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 452	2064	7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe	83
PID 2064 wrote to memory of 452	2064	7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe	83
PID 2064 wrote to memory of 452	2064	7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe	83

C:\Users\Admin\AppData\Local\Temp\7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe
"C:\Users\Admin\AppData\Local\Temp\7d7131e8413b3c93cdef92a3c5fc4874d5c98935874642f451bb7fa887f9ac77.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7847907.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7847907.exe
  2⤵
  - Executes dropped EXE
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g7847907.exe

Filesize
168KB

MD5
81f68822d19104305bdd0882aba3403e

SHA1
d94d613353d62c5df63f5df88185c47dd307346a

SHA256
c1874b4ff67ae37ad64be9f96b29c74c981575880f73521825cafd32c0123e99

SHA512
f6808c8fe0d0bf3b23cb197af13600b57e7cc38b4cb833edbb4a9a33871b12538a40db2c885244ea276d764db4b00a476108daf59a6229bb14274dabc021a116

Download Submit
memory/452-7-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/452-8-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/452-9-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/452-10-0x0000000005790000-0x0000000005DA8000-memory.dmp

Filesize
6.1MB

Download
memory/452-11-0x0000000005280000-0x000000000538A000-memory.dmp

Filesize
1.0MB

Download
memory/452-12-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/452-13-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/452-14-0x0000000073EE0000-0x0000000074690000-memory.dmp

Filesize
7.7MB

Download
memory/452-15-0x00000000051F0000-0x000000000523C000-memory.dmp

Filesize
304KB

Download
memory/452-16-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/452-17-0x0000000073EE0000-0x0000000074690000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads