redline | b20d3b5caab986390a57d9b858c330d6fa12fa368809dfc94b90991735dc89d1

Analysis

max time kernel
132s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe
Size

488KB
MD5

f5127b719ba22e54d6bcf513f4cbe0d7
SHA1

a353c309287004081e231952b8c022fcfd97f156
SHA256

c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e
SHA512

2c13e2921750cbe16b12165464c42055cf3212635f242299b7b4e95774d294b058ebaba9fe53ed23755d88ade74af5e39e5ca9f22c456263071996f271628e7e
SSDEEP

12288:MMrAy90NvJh+0ie0+oyxA/gQTxeEYdlF69CSrV:EyQj+U0+1xA/9TYEQF69ZV

Score

10^/10

redline debro infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

debro

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral21/files/0x0008000000023427-13.dat	family_redline
behavioral21/memory/2884-15-0x00000000007D0000-0x00000000007FE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4684	x9899559.exe
2884	f5957030.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9899559.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4684	1964	c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe	82
PID 1964 wrote to memory of 4684	1964	c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe	82
PID 1964 wrote to memory of 4684	1964	c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe	82
PID 4684 wrote to memory of 2884	4684	x9899559.exe	83
PID 4684 wrote to memory of 2884	4684	x9899559.exe	83
PID 4684 wrote to memory of 2884	4684	x9899559.exe	83

C:\Users\Admin\AppData\Local\Temp\c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe
"C:\Users\Admin\AppData\Local\Temp\c467adbd485a649a7ae2b7f63d49aaa84868c2b05a43f328f7e2377a5126099e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe
    3⤵
    - Executes dropped EXE
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9899559.exe

Filesize
316KB

MD5
acf2f1e7608dff6d13c0d7eb977d8fae

SHA1
521b70268d2d9ee9b88d92e018cc0b1e1617c2b5

SHA256
0691b5a648eb75146ff1c98264b40a610cecafe4f5a7c2399c6ae1e3ab936d08

SHA512
5ce95cd430ef5c5694cda6c9915d57492b9cc4b41880fc518eaeb4d982f9d4c0bc0e2bf40b58b207af77eadcefb4af7a03f8a8854a81d2592a0e2fcd48a0fa60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5957030.exe

Filesize
168KB

MD5
24fcc03280e8514857d0f5d036c1c8f1

SHA1
8e14128b1ee347b66292d223b5c8a8de249d6a46

SHA256
de022de4f980f527032baaccf14f21c73aae534887b65d8112db10d395ed182a

SHA512
1d46f73ec4e2eafc90f6437877eb8123eebd26c200b33f2e600653164917041aeff645b56581e1f0b1b1c10ade0a641232d80d37d1d64ad1b23ec42d30c6739e

Download Submit
memory/2884-14-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2884-15-0x00000000007D0000-0x00000000007FE000-memory.dmp

Filesize
184KB

Download
memory/2884-16-0x00000000029B0000-0x00000000029B6000-memory.dmp

Filesize
24KB

Download
memory/2884-17-0x000000000ABB0000-0x000000000B1C8000-memory.dmp

Filesize
6.1MB

Download
memory/2884-18-0x000000000A6A0000-0x000000000A7AA000-memory.dmp

Filesize
1.0MB

Download
memory/2884-19-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/2884-20-0x000000000A5D0000-0x000000000A60C000-memory.dmp

Filesize
240KB

Download
memory/2884-21-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-22-0x0000000002AF0000-0x0000000002B3C000-memory.dmp

Filesize
304KB

Download
memory/2884-23-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2884-24-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads