redline | 2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a

General

Target

2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
Size

729KB
MD5

2cf2cb1c22aede8fd8a995f4f073ec71
SHA1

ce921866530f90bd63359b379292233cf202d733
SHA256

2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a
SHA512

d996fcab5b013c5cb9ffaba403d56c81bb2fdc57ae9ed43ccc2a7c95770b3eb173b014a8a693aa45e4e45c46e94c62b72c00b88f461a3e8a30422a1fc5ab8749
SSDEEP

12288:EzKy90JE0kP5xBRWOp4ATeD1uNaDMFrOszYl9tFbrYdCYBXA5XmvNt:FyG4mq6sFShrbr4bXGXe

Score

10^/10

redline furga infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furga

C2

83.97.73.128:19071

Attributes

auth_value
1b7af6db7a79a3475798fcf494818be7

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 3 IoCs

Processes:

x7814841.exex1815410.exef2420036.exe

pid process

1368 x7814841.exe
3216 x1815410.exe
4756 f2420036.exe

pid	process
1368	x7814841.exe
3216	x1815410.exe
4756	f2420036.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exex7814841.exex1815410.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7814841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1815410.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exex7814841.exex1815410.exe

description	pid	process	target process
PID 3040 wrote to memory of 1368	3040	2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe	x7814841.exe
PID 3040 wrote to memory of 1368	3040	2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe	x7814841.exe
PID 3040 wrote to memory of 1368	3040	2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe	x7814841.exe
PID 1368 wrote to memory of 3216	1368	x7814841.exe	x1815410.exe
PID 1368 wrote to memory of 3216	1368	x7814841.exe	x1815410.exe
PID 1368 wrote to memory of 3216	1368	x7814841.exe	x1815410.exe
PID 3216 wrote to memory of 4756	3216	x1815410.exe	f2420036.exe
PID 3216 wrote to memory of 4756	3216	x1815410.exe	f2420036.exe
PID 3216 wrote to memory of 4756	3216	x1815410.exe	f2420036.exe

C:\Users\Admin\AppData\Local\Temp\2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe
"C:\Users\Admin\AppData\Local\Temp\2d8e62d81d0b497714a61e9fba8a297e969e9bb9cc29f95e20d9c7f2f64e472a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
4⤵
- Executes dropped EXE
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7814841.exe
Filesize
465KB

MD5
f369ea6da02f48a71994c53b1909dc05

SHA1
5219c73a3ce57f8d2cc84281e461c1df3164da9c

SHA256
ba3f96313033ea7a6924a032d7eea1896f30ce31c55de72e80a3902cc40c87e4

SHA512
cf57e8338bcc4a89101b8779c43a39ffbd9141b7a861ff9f13e6015cc3d40b8d441a72ec50ab8e43414648b2d49ade936cbe79e61b1a6443adbc00ca2e1bcd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1815410.exe
Filesize
364KB

MD5
4e8679a98d26b0360b7f4ded4737d6cc

SHA1
0f3bd441a53e6e27e38ea7c09fad1e30e6615d1c

SHA256
3aa41a0b78da49282f1977e436f5884f3d079d250ab04837c0a25c0aa400d418

SHA512
584b742fcc528822f8eef15b626239c552ad9a28ce607476c02b0ade53cfe12b1548317a6fe1c7f38ae9744f3b292cb219538b2f3e9e53dee45ec0f8180776d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2420036.exe
Filesize
402KB

MD5
3a37f3253ff79ee63dfd80088f55b364

SHA1
17c1b58ca9d4ff4ff14c7e772d1983b97a8ca5f7

SHA256
8902a3af5c2df49f3163d1914f9e3b899aa835effa1860e01e2506ff622130b8

SHA512
e70acc985fd4c6b15984664f9a01fd35f2706ee1036b182087932e9d8745ecb052dbba0bfbb326a2c3a9eb9894b6ee7151aecd6030ffd80fe903fafd2151ee2a

Download Submit
memory/4756-21-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/4756-25-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4756-26-0x0000000002450000-0x0000000002456000-memory.dmp

Filesize
24KB

Download
memory/4756-27-0x0000000009E80000-0x000000000A498000-memory.dmp

Filesize
6.1MB

Download
memory/4756-28-0x000000000A520000-0x000000000A62A000-memory.dmp

Filesize
1.0MB

Download
memory/4756-29-0x000000000A660000-0x000000000A672000-memory.dmp

Filesize
72KB

Download
memory/4756-30-0x000000000A680000-0x000000000A6BC000-memory.dmp

Filesize
240KB

Download
memory/4756-31-0x00000000044B0000-0x00000000044FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads