redline | 2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763

Analysis

max time kernel
132s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe
Size

479KB
MD5

7747534e219072927bd32135135ae16e
SHA1

09d12fe65a0042fd7f9a78d161a4c1193bf61c42
SHA256

77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2
SHA512

05976911d28cfb4c68217e152f6896b74a0d541429052454899c062131a04948a9ba48b3ac84823482c8a69695ad08e7e73c20e9df51859d9bebf3bf4b861cc9
SSDEEP

12288:RMr+y90ywjI0R2o/+h6H7yB9VCqUr6ObeGTlq:DyvMRZ+0H7m7xUe+LA

Score

10^/10

redline divan infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

divan

217.196.96.102:4132

Attributes

auth_value
b414986bebd7f5a3ec9aee0341b8e769

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9035707.exe	family_redline
behavioral9/memory/4020-15-0x0000000000AE0000-0x0000000000B0E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

x3879233.exeg9035707.exe

pid process

1132 x3879233.exe
4020 g9035707.exe

pid	process
1132	x3879233.exe
4020	g9035707.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exex3879233.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3879233.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exex3879233.exe

description	pid	process	target process
PID 1816 wrote to memory of 1132	1816	77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe	x3879233.exe
PID 1816 wrote to memory of 1132	1816	77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe	x3879233.exe
PID 1816 wrote to memory of 1132	1816	77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe	x3879233.exe
PID 1132 wrote to memory of 4020	1132	x3879233.exe	g9035707.exe
PID 1132 wrote to memory of 4020	1132	x3879233.exe	g9035707.exe
PID 1132 wrote to memory of 4020	1132	x3879233.exe	g9035707.exe

C:\Users\Admin\AppData\Local\Temp\77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe
"C:\Users\Admin\AppData\Local\Temp\77ba6e93030c34c0c9c7b7ce05174d89515be6f64d93ad8fd6c5a7efd813f4c2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3879233.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3879233.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9035707.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9035707.exe
3⤵
- Executes dropped EXE
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3879233.exe

Filesize
307KB

MD5
1058e8d26b56e112ade4e39e6675c1ff

SHA1
f19dcb886309166b47c7983335320ae83f30715b

SHA256
c7fc2af4211d0e1bfb36ec00830794f9b622d55d640460cceebf6bf187b4b4c7

SHA512
aa385d90077e56f02a3f89f4f6c5fe2052e98a623fdf3b126a816b02966cdb850194e0c8326fb8cd0272b14f66513e07866648ebe32fae15dfcf716c7238dde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9035707.exe

Filesize
168KB

MD5
b60b9b563cb08af8d28fe8ec1d0bfc40

SHA1
73f32a18ab403da701ae60cedf5ae65dd4070f5e

SHA256
ae8323c9d4a938df9667f4e94ad76fb589d70a89de20bf4d36ac5ee96fde008a

SHA512
a877e24575c15427eccf3221807d315d311e6fe65df66522d3287aeac9750ba0fe194935142639338bcb17af91407d9ee2c59196c22f45b02709c6cf3ff04d8c

Download Submit
memory/4020-14-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/4020-15-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/4020-16-0x0000000002E00000-0x0000000002E06000-memory.dmp

Filesize
24KB

Download
memory/4020-17-0x000000000AF70000-0x000000000B588000-memory.dmp

Filesize
6.1MB

Download
memory/4020-18-0x000000000AA90000-0x000000000AB9A000-memory.dmp

Filesize
1.0MB

Download
memory/4020-19-0x000000000A9C0000-0x000000000A9D2000-memory.dmp

Filesize
72KB

Download
memory/4020-21-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-20-0x000000000AA20000-0x000000000AA5C000-memory.dmp

Filesize
240KB

Download
memory/4020-22-0x0000000002E40000-0x0000000002E8C000-memory.dmp

Filesize
304KB

Download
memory/4020-23-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/4020-24-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download