redline | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe
Size

292KB
MD5

5c17238da1a32ccf60825ade1dca7b70
SHA1

6d3d94d248c47c5251d4bbbe600776740d926756
SHA256

2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73
SHA512

97425dd74aa55060d41ec35f7813e953ff1ef76ba7d6b40c17b830600dec8a4482d8618ac4b83e59c88d5b167469bfd345237707491e60908ee07d1f296b84f3
SSDEEP

6144:Kny+bnr+hp0yN90QECOurNn/ayrVD193aSZfshS8S2UvycIGxm:FMr9y90lit5R5xFpwSPRXm

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exe	family_redline
behavioral5/memory/4924-8-0x0000000000430000-0x0000000000460000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

h0077360.exe

pid process

4924 h0077360.exe

pid	process
4924	h0077360.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe

description	pid	process	target process
PID 1852 wrote to memory of 4924	1852	2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe	h0077360.exe
PID 1852 wrote to memory of 4924	1852	2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe	h0077360.exe
PID 1852 wrote to memory of 4924	1852	2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe	h0077360.exe

C:\Users\Admin\AppData\Local\Temp\2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe
"C:\Users\Admin\AppData\Local\Temp\2fad2d07bb60b8be9b65ca9944135ee7696d7d2d8b32cdd3b5cf49e79641ae73.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:8
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0077360.exe

Filesize
174KB

MD5
dabc24871fc2b604c267f576ac7f6573

SHA1
79b6f74572a2391445b87d2f46cb0e37e48fee98

SHA256
676c7c84004823ffa7b13696b8c66c2875d69a671291d23f37741ceff0c686aa

SHA512
9372524e3fd699c446ac238c7999618474cdcb993a24dd93c4797c919dd5cf30c94e479323ede5394ebd2ab7d36dc9c550cd612c7d06c3e1b214cb419c6226c3

Download Submit
memory/4924-7-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/4924-8-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/4924-9-0x00000000027E0000-0x00000000027E6000-memory.dmp

Filesize
24KB

Download
memory/4924-10-0x000000000A870000-0x000000000AE88000-memory.dmp

Filesize
6.1MB

Download
memory/4924-11-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

Filesize
1.0MB

Download
memory/4924-12-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/4924-13-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/4924-14-0x000000000A380000-0x000000000A3BC000-memory.dmp

Filesize
240KB

Download
memory/4924-15-0x0000000004820000-0x000000000486C000-memory.dmp

Filesize
304KB

Download
memory/4924-16-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/4924-17-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download