redline | 2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe
Size

769KB
MD5

7b850001f5713cbeaa0078d2b4a1f406
SHA1

e68fde0f08bd2353d118de3cefcbf2e6aca2ce7b
SHA256

75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af
SHA512

e1f35bd08f29bb6452ef58f318f7e911826b6f57e4418069a07e26d46599837acb2ed238da7179b253fbe57626d3f4886cf819cdf85b76de1bb5e42fa0ae6e9e
SSDEEP

12288:9Mroy90eCrZAz38uIrbDgTncDTLc97yZe6r5H+LcPyK:lyUaz38rrvgQfLc1ylwoPh

Score

10^/10

redline lamp infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/3988-22-0x00000000006D0000-0x000000000075C000-memory.dmp	family_redline
behavioral8/memory/3988-28-0x00000000006D0000-0x000000000075C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x6866899.exex4779072.exeg8365769.exe

pid	Process
3932	x6866899.exe
1836	x4779072.exe
3988	g8365769.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x6866899.exex4779072.exe75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6866899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4779072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exex6866899.exex4779072.exe

description	pid	Process	procid_target
PID 3012 wrote to memory of 3932	3012	75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe	81
PID 3012 wrote to memory of 3932	3012	75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe	81
PID 3012 wrote to memory of 3932	3012	75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe	81
PID 3932 wrote to memory of 1836	3932	x6866899.exe	82
PID 3932 wrote to memory of 1836	3932	x6866899.exe	82
PID 3932 wrote to memory of 1836	3932	x6866899.exe	82
PID 1836 wrote to memory of 3988	1836	x4779072.exe	84
PID 1836 wrote to memory of 3988	1836	x4779072.exe	84
PID 1836 wrote to memory of 3988	1836	x4779072.exe	84

C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe
"C:\Users\Admin\AppData\Local\Temp\75ccbf328f1e4ec3537ebd63e6afcf1b951f8765d8b1c734b87a7073333332af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe
      4⤵
      Executes dropped EXE
      PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6866899.exe

Filesize
613KB

MD5
0d74ab24e242b7cacf54e7df4ff3597e

SHA1
9f5ecfb7094dc3d1aabd10873a30cfb0001e4005

SHA256
9f6925744a1b8a4cd53b1ebed74368cf83102d0fac9558a5f0fbd18ff6b9bdb8

SHA512
fe371b5bd82fc59e5d4352bd79a6384591468cc3a019de11bdd970baacd9774d7d5d2611c2ab20a0b20fdc91ee438fb72edc58fe687016d4bab84ccbbf0e7d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4779072.exe

Filesize
512KB

MD5
e91ac55b71e6d56bddac7d4e45064b1b

SHA1
abd7dcf468214d6da8ddde9e7e651c05da392122

SHA256
b0729c509d86fe1225f5e94aaf9e294af26b08bddc8e9540fbfff3d540a66dca

SHA512
88c64079dff803bdaf845645c20b42af5c24bb99499a737e9171e1ef8a14b01fa0e9aefda16e1269cc9e184816826b54f40e267f1f71956492fd244a5facf49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8365769.exe

Filesize
489KB

MD5
b7783cdc0396cd24a59e17372a37fc61

SHA1
804dee18f4a5c9c5c573e5e37701953eac30637c

SHA256
a9db81ad6c398811946bb2166ae1a87e4404a03debe5a97b75c080a23d712f4f

SHA512
ed445f8f69438af0827006f252354da7b485c31a99abe670c155a7c2a625d6e6cf34d1cfecf444f94788673a4cae33645c47da27a22698f1fefddc7503345f73

Download Submit
memory/3988-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/3988-22-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/3988-28-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/3988-29-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/3988-30-0x0000000002550000-0x0000000002556000-memory.dmp

Filesize
24KB

Download
memory/3988-31-0x000000000A150000-0x000000000A768000-memory.dmp

Filesize
6.1MB

Download
memory/3988-32-0x000000000A770000-0x000000000A87A000-memory.dmp

Filesize
1.0MB

Download
memory/3988-33-0x0000000006E30000-0x0000000006E42000-memory.dmp

Filesize
72KB

Download
memory/3988-34-0x0000000006E50000-0x0000000006E8C000-memory.dmp

Filesize
240KB

Download
memory/3988-35-0x0000000006B40000-0x0000000006B8C000-memory.dmp

Filesize
304KB

Download