redline | 36a33e7da8ad27ce449d6bc53c6ca650bc283b8f96d5fe797187aea40e0dcc68

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe
Size

876KB
MD5

cbb4108b51ced31cee714f2b6ad2379f
SHA1

997d33ef7a7c427c7ddf6f6e602e344aa8921049
SHA256

100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837
SHA512

ddd69d3b12724a9872433b63f39c7a3dac9c0b0687d5d08bfe04da05d7f89681af1b0ae05e886fb2ce8c89d089b62f145d79aaab4874f08da5525df2a49c1429
SSDEEP

12288:bMrMy90R7CQPeL/WMx8cSRmr8fXzw8ZPahvKGf6DMARjFlsMmSIOFMopKDD9VJ5Y:PyrRmU+mvVARJlbIY7pKDd0+Y

Score

10^/10

redline dimas infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dimas

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8932618.exe	family_redline
behavioral1/memory/4588-21-0x0000000000B80000-0x0000000000BAA000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x7375583.exex7340234.exef8932618.exe

pid process

4356 x7375583.exe
3556 x7340234.exe
4588 f8932618.exe

pid	process
4356	x7375583.exe
3556	x7340234.exe
4588	f8932618.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exex7375583.exex7340234.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7375583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7340234.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exex7375583.exex7340234.exe

description	pid	process	target process
PID 5036 wrote to memory of 4356	5036	100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe	x7375583.exe
PID 5036 wrote to memory of 4356	5036	100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe	x7375583.exe
PID 5036 wrote to memory of 4356	5036	100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe	x7375583.exe
PID 4356 wrote to memory of 3556	4356	x7375583.exe	x7340234.exe
PID 4356 wrote to memory of 3556	4356	x7375583.exe	x7340234.exe
PID 4356 wrote to memory of 3556	4356	x7375583.exe	x7340234.exe
PID 3556 wrote to memory of 4588	3556	x7340234.exe	f8932618.exe
PID 3556 wrote to memory of 4588	3556	x7340234.exe	f8932618.exe
PID 3556 wrote to memory of 4588	3556	x7340234.exe	f8932618.exe

C:\Users\Admin\AppData\Local\Temp\100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe
"C:\Users\Admin\AppData\Local\Temp\100e14f03bac13fc1c4e178555a3dd9d1c0a021aa089b6b88cb8065f8163e837.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7375583.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7375583.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7340234.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7340234.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8932618.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8932618.exe
      4⤵
      Executes dropped EXE
      PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7375583.exe

Filesize
479KB

MD5
94a16ab1f34ec0f29d397b4a13c83174

SHA1
e9edff7ceb571349e8415fc3c990a744aec6e452

SHA256
73a59b8a64828ec8569ca9cd3884346712485b90f7147885d526dbe254c3598b

SHA512
9f6ad2b381134a18aaaad2ed00811db2c0bb2bf3920a2c0b5a731d7caf723523078f9b962324c8d733bc2da4a4740d258e45ec27bb6d319c9ac0b4f19db32666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7340234.exe

Filesize
307KB

MD5
e6db7c6a8aec0cdb69289d62b956f645

SHA1
156a322621137363426a50bc488dc25a9c1635ef

SHA256
f4733147534c679eaf1c5fca89abff0bc38ac3d2f29a24a6c2ccc24e0ab466f6

SHA512
2190a9ed1403e6300058347f5dd30ac375d3bfabc3656f74b502428307952b92664fb809c22119a5f0f96b288c0a4297a8f96d1f35e24310440c621d9f06afdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8932618.exe

Filesize
145KB

MD5
864cc39d823d48fe71d282c7316be207

SHA1
c1aadd4b1c8e2e788a4799121317e799fc9df9dd

SHA256
6f4a056282147bd4ec8a4e8765f0ba6ae4e887e4b5a5426358af0b44e009e1a5

SHA512
f64a270bf27c2f9b0a4afec95f6b8b811d635e02b340c0bfcc7de9e28887f592fadc052e0fac2fb7b52067b4eca80b1c8892ef09ce97758cd594b81aaac1c6eb

Download Submit
memory/4588-21-0x0000000000B80000-0x0000000000BAA000-memory.dmp

Filesize
168KB

Download
memory/4588-22-0x0000000005AF0000-0x0000000006108000-memory.dmp

Filesize
6.1MB

Download
memory/4588-23-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/4588-24-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/4588-25-0x00000000055F0000-0x000000000562C000-memory.dmp

Filesize
240KB

Download
memory/4588-26-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download