redline | c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a

General

Target

c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
Size

432KB
MD5

291cd1c945bc670579cb5c5005afb42e
SHA1

3e4ba20eed4b88d9efcfeb6bcdb53d8b91365f3d
SHA256

c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a
SHA512

e34d895a06953a1fb2681884e045b5d4e2da3b41ea3f4ddbce63e0195f5d8ecf2d1c5606374b2172d7de7c19e4c55ffc3be4ca2dd71ac725e44d68b39d6596d2
SSDEEP

12288:AIVy90mtOPfwhZifxu2sb6HAAebxOEkjQf0dS:dydtocVbrkMcdS

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_redline
behavioral1/memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp	family_redline

Detects executables containing base64 encoded User Agent 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 2 IoCs

Processes:

x1617216.exef7259437.exe

pid process

1172 x1617216.exe
232 f7259437.exe

pid	process
1172	x1617216.exe
232	f7259437.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exex1617216.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1617216.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exex1617216.exe

description	pid	process	target process
PID 3236 wrote to memory of 1172	3236	c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe	x1617216.exe
PID 3236 wrote to memory of 1172	3236	c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe	x1617216.exe
PID 3236 wrote to memory of 1172	3236	c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe	x1617216.exe
PID 1172 wrote to memory of 232	1172	x1617216.exe	f7259437.exe
PID 1172 wrote to memory of 232	1172	x1617216.exe	f7259437.exe
PID 1172 wrote to memory of 232	1172	x1617216.exe	f7259437.exe

C:\Users\Admin\AppData\Local\Temp\c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe
"C:\Users\Admin\AppData\Local\Temp\c3d082dc82e11e3ca3047d9cf612e8d925cfcc40a17d0eb312833f861184ea3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
3⤵
- Executes dropped EXE
PID:232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1617216.exe
Filesize
331KB

MD5
aefe3f42678abad1fa1256e19a01caff

SHA1
ff8f27b0ed77feee297c76aa3eb062f54d7e9019

SHA256
7d6756d4ac517d35a7af2e6ee93f8f8bd58c6852d9990f0370e0c69f779b987e

SHA512
a108e07cd94bb3b8bea15134c2c45067af7c052b43888e5154600df2a2ac6e732ad5a1bab7924547578689912b7e9e7651e2857611d4a2637276cd03fc971da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f7259437.exe
Filesize
257KB

MD5
fc27b8de9c73a2246b023fb7dd7d16e4

SHA1
1bcdd4f64662a3b6670590909c3b23579278a83b

SHA256
3814c9dc0ad38975d27fd606f908ee5be25a5a577c0aa4f3779b4688d41f8f01

SHA512
c1a6bf04e6117b4694336f965b82286b57f14943d01ecedacca7b89be0ae5e3626c07cf4bd529f79e50556716e66a442e1a3d19850e85b098c518c0b2e4dd713

Download Submit
memory/232-14-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/232-18-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/232-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-20-0x0000000004AB0000-0x0000000004AB6000-memory.dmp

Filesize
24KB

Download
memory/232-21-0x000000000A720000-0x000000000AD38000-memory.dmp

Filesize
6.1MB

Download
memory/232-22-0x000000000A170000-0x000000000A27A000-memory.dmp

Filesize
1.0MB

Download
memory/232-23-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

Filesize
72KB

Download
memory/232-24-0x000000000A2D0000-0x000000000A30C000-memory.dmp

Filesize
240KB

Download
memory/232-25-0x0000000004550000-0x000000000459C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads