redline | 2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
Size

771KB
MD5

7ffad6f51f9598958204eca8679690b0
SHA1

aac9ca0423c177d041dcb22832f581d8c39bc184
SHA256

ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4
SHA512

6a0feb1278e1bc5742a4b8909a6818743841e0d16b935d659fe6a60cd9837563ea5ea7ef9973afa1cc64c41681e140d5e7c85300346c875d1b17571aaff41430
SSDEEP

12288:uMrLy90EtWzfh9lViybaDJcyMYLk4hC+D+SjbIyWAcDSGb1cqSU0Rzyqj:xyfWFARJcyjJhBNmdcqL0wqj

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral20/memory/3388-22-0x0000000002040000-0x00000000020CC000-memory.dmp	family_redline
behavioral20/memory/3388-28-0x0000000002040000-0x00000000020CC000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x5396804.exex3011045.exeg5243225.exe

pid process

4720 x5396804.exe
2684 x3011045.exe
3388 g5243225.exe

pid	process
4720	x5396804.exe
2684	x3011045.exe
3388	g5243225.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x5396804.exex3011045.execa9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5396804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3011045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exex5396804.exex3011045.exe

description	pid	process	target process
PID 4912 wrote to memory of 4720	4912	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	x5396804.exe
PID 4912 wrote to memory of 4720	4912	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	x5396804.exe
PID 4912 wrote to memory of 4720	4912	ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe	x5396804.exe
PID 4720 wrote to memory of 2684	4720	x5396804.exe	x3011045.exe
PID 4720 wrote to memory of 2684	4720	x5396804.exe	x3011045.exe
PID 4720 wrote to memory of 2684	4720	x5396804.exe	x3011045.exe
PID 2684 wrote to memory of 3388	2684	x3011045.exe	g5243225.exe
PID 2684 wrote to memory of 3388	2684	x3011045.exe	g5243225.exe
PID 2684 wrote to memory of 3388	2684	x3011045.exe	g5243225.exe

C:\Users\Admin\AppData\Local\Temp\ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe
"C:\Users\Admin\AppData\Local\Temp\ca9f07873920ecd0518ecf148ae1351a8ecb3ce1fe033aa44b45de07f87202a4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe
4⤵
- Executes dropped EXE
PID:3388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5396804.exe
Filesize
616KB

MD5
5776e55e4d2ff7e0335f68bcca639c44

SHA1
753d68485b4b086ac1481ee1f1e4aa5f5d960afb

SHA256
9c4239bf16e8b8e477e8f53d5cbbe45c6818e87454274749788bb0369f47c590

SHA512
199d4116faf9a094a30ec1908612d7b695e4517ffc0890fd7c3de1b8d225fdb9e95b4edf862f0059f0448dc60f16928e3801b77031e607f32dfaf56f4a0ce020

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3011045.exe
Filesize
515KB

MD5
12dc6d82b6ce257ffc4af0125bd14396

SHA1
ce273d0cee373800fea60a9c8f3795294bce4cf8

SHA256
428af94e3a3a6a7d70b98f99c7a4bf867ec190287f6062a34e0ba16c6c27521d

SHA512
0676e3dac90ff0bfd55f0fa3efbbe899ee1c8a6fdcfa6918654dbb47636b192ef0cff0877789c239a454ab2a0eea14e6d28cd53177a521a26b069dc4e3bf9d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5243225.exe
Filesize
492KB

MD5
2c019fe9be415b2bd07d1c1493776a31

SHA1
73c6ed8cca7be66b903ff20b75479af6ad53f2c1

SHA256
8c613af780df9cae77d603395e79ebead4165d889ec7cc4a585bbffa0d817e96

SHA512
86542984fa994b61732092ecd148590d6321d6fb46d23e229906ff4219b34933c3a3558a3adbe121b8c08f2f81a346b87ff2224737896f31512fddbcf1fb3855

Download Submit
memory/3388-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/3388-22-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/3388-28-0x0000000002040000-0x00000000020CC000-memory.dmp

Filesize
560KB

Download
memory/3388-29-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3388-30-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/3388-31-0x0000000005010000-0x0000000005628000-memory.dmp

Filesize
6.1MB

Download
memory/3388-32-0x0000000004A80000-0x0000000004B8A000-memory.dmp

Filesize
1.0MB

Download
memory/3388-33-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/3388-34-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

Filesize
240KB

Download
memory/3388-35-0x0000000004C40000-0x0000000004C8C000-memory.dmp

Filesize
304KB

Download