redline | dd49e60a45e3962b98b32d0ae9a1256ae1e60ba2b696a005fe221e32f96d996b

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
Size

479KB
MD5

db47b4c37825cb2fd9c877a3b03020d7
SHA1

7fad71f30334c02815023d7006be1949db1cdc23
SHA256

b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c
SHA512

a8186f91990faa44876f21263fedf43701ee1228c3e04bc5306f1c141b33a47fe255a319fa1d2685ba7942d746914c5267c583f41cba2433a0ae1c7212e8287a
SSDEEP

6144:KTy+bnr+2p0yN90QEU/eH4MDtIA/3Dh/GbLz2jJ2HDI7qNV9uaYyDjjBkI4KUrZu:hMrmy90iWYeZxc+ac7qZuIzB5CrgnMK

Score

10^/10

redline dumud infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2524822.exe	family_redline
behavioral18/memory/3108-15-0x00000000008E0000-0x0000000000910000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x6164114.exeg2524822.exe

pid process

404 x6164114.exe
3108 g2524822.exe

pid	process
404	x6164114.exe
3108	g2524822.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exex6164114.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6164114.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exex6164114.exe

description	pid	process	target process
PID 4200 wrote to memory of 404	4200	b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe	x6164114.exe
PID 4200 wrote to memory of 404	4200	b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe	x6164114.exe
PID 4200 wrote to memory of 404	4200	b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe	x6164114.exe
PID 404 wrote to memory of 3108	404	x6164114.exe	g2524822.exe
PID 404 wrote to memory of 3108	404	x6164114.exe	g2524822.exe
PID 404 wrote to memory of 3108	404	x6164114.exe	g2524822.exe

C:\Users\Admin\AppData\Local\Temp\b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
"C:\Users\Admin\AppData\Local\Temp\b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6164114.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6164114.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2524822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2524822.exe
3⤵
- Executes dropped EXE
PID:3108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6164114.exe
Filesize
307KB

MD5
8170600b78cee5feeee325dba0b85f28

SHA1
35b530c9313493682fd9f98acdc52ac87aba58fb

SHA256
dfc4c89ea2ad58bd400e2b9c80544a24103d9c96ee99f06715accd6884f68a8e

SHA512
8a17a334e3bd8730cef877fefe342bb1c17d74ae6f03144941ea8bfa1875b79c2d6cf2871ec06f8e636e5385696ed62018b75d20070e8b589ca01f5fa5dbf3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2524822.exe
Filesize
168KB

MD5
ddde347fce7aa6fc41141817617d97d5

SHA1
b4c2018a8cc7347d13c5e049f44c6fb904ecb7b8

SHA256
c19a443bce470b9926baa1df6a8d28ea670cdc3dc61957b27c45ac576f73648f

SHA512
f3ce1925a88ed1cb5856ac3007a9bd47863443ec83f19045165b4334fe02c463b1bff7b476786cab58b89aca6e61dac87fcce8298f01f3a5fe556eb8677f3765

Download Submit
memory/3108-14-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/3108-15-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/3108-16-0x0000000005340000-0x0000000005346000-memory.dmp

Filesize
24KB

Download
memory/3108-17-0x00000000059B0000-0x0000000005FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3108-18-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/3108-19-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/3108-20-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/3108-21-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/3108-22-0x0000000005450000-0x000000000549C000-memory.dmp

Filesize
304KB

Download
memory/3108-23-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/3108-24-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download