redline | ebd9a15280a9fbd641ead11a6ab911fd72dcd48a6226e2e161005aebc9f70813

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe
Size

770KB
MD5

83a0b6e4f1d22cc04a1e71e2a1d91fd8
SHA1

821336b6dc6d6a24ca7e382c11effb72cb2d9941
SHA256

3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff
SHA512

b57843085032b44bb6c4709fadf2cf92b4b3f5f0c2286be68537398b7598eec27d99cc45be29a6288bffda1ceaf25470d770372e1e69495577c4a1ab80a761e6
SSDEEP

12288:xMrZy90QDhktUAdoxHlYHWOsfaGDfb5usCn3cvuBpAFMWYmZHxWySefYlKrcvx0H:4yPDFAzuiGDAsCcu7WMWYkxWRTlKrc0

Score

10^/10

redline debro infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

debro

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x00080000000233d5-19.dat	family_redline
behavioral5/memory/4556-21-0x0000000000760000-0x000000000078E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4312	x4162830.exe
2168	x4127652.exe
4556	f5875111.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4162830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4127652.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4312	1980	3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe	81
PID 1980 wrote to memory of 4312	1980	3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe	81
PID 1980 wrote to memory of 4312	1980	3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe	81
PID 4312 wrote to memory of 2168	4312	x4162830.exe	82
PID 4312 wrote to memory of 2168	4312	x4162830.exe	82
PID 4312 wrote to memory of 2168	4312	x4162830.exe	82
PID 2168 wrote to memory of 4556	2168	x4127652.exe	83
PID 2168 wrote to memory of 4556	2168	x4127652.exe	83
PID 2168 wrote to memory of 4556	2168	x4127652.exe	83

C:\Users\Admin\AppData\Local\Temp\3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe
"C:\Users\Admin\AppData\Local\Temp\3b6c76223119e79b6acba7a08a08422dc0bb17cdae5f311dad3a1c1db39610ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4162830.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4162830.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4127652.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4127652.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5875111.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5875111.exe
      4⤵
      Executes dropped EXE
      PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4162830.exe

Filesize
488KB

MD5
d2baad5181035b853d37213e96ab5cb0

SHA1
ea7d2a47054b24b4c3f9569f6440e241448696c2

SHA256
149cd41e04afd54119c40358aa55b0d0de72a8c1e612ff1d1d4d79ab20ba8a01

SHA512
074df38a24e951caa6f69cda76683bcd9058e0ff87406a96f8d18a95998484a55e3401f89c59f28ffe029fcf581f028e40da8cf0d24deef53b1662539df3e291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4127652.exe

Filesize
316KB

MD5
0dfa00ef7dd88c58d78e4340dd5ae2dc

SHA1
3c1612fd08f43f64ca684bd81f1d96fbb6a2e7f6

SHA256
66e75d8b2b30497bc2d658cff1612173503234cdd343219cabe22954ef5ed726

SHA512
65587f99b60a881ab906592dba93e724b5fae1e3269e1792c7878e55fe68fc5eaafc4a3e0c397044cf8f805332e87380b090ee60c67061aebb2178fef9b6509a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5875111.exe

Filesize
168KB

MD5
e10039f9013490e8cda467f1f754cd85

SHA1
37ed33ecd5455d4bdf2e52a975069717581b3931

SHA256
507f56c424e6e8c6eaab75a80dae68a710d5a54b69cc232abed8ed8023355e7a

SHA512
ff520466d9ee1c6591da19f3f8de6c05a56ece708f2044169a649e5c3f8513d3beb880d58d556979a47d6f5adffc0f20703d4500ab03ef2e7862e6691ed02647

Download Submit
memory/4556-21-0x0000000000760000-0x000000000078E000-memory.dmp

Filesize
184KB

Download
memory/4556-22-0x00000000029F0000-0x00000000029F6000-memory.dmp

Filesize
24KB

Download
memory/4556-23-0x000000000AC40000-0x000000000B258000-memory.dmp

Filesize
6.1MB

Download
memory/4556-24-0x000000000A730000-0x000000000A83A000-memory.dmp

Filesize
1.0MB

Download
memory/4556-25-0x000000000A640000-0x000000000A652000-memory.dmp

Filesize
72KB

Download
memory/4556-26-0x000000000A6A0000-0x000000000A6DC000-memory.dmp

Filesize
240KB

Download
memory/4556-27-0x0000000002950000-0x000000000299C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads