redline | 0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe
Size

518KB
MD5

22e12c6584a91ededf0c2b23e681a47f
SHA1

743b67f04991dfd00684c4c7bb0e160091345375
SHA256

0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df
SHA512

115acff92308fbc377e719c2896c198e66ffa6bd9384e9ae2444bcfd32037c41c3a580d50c2e03bfda925d2d7fb50816f764c400f0af8e8ade47a07a3c261e36
SSDEEP

12288:Ck76RTey5sJg5/8D+v+va1eF+cRDdtpwQJQmZ:Ck7+Tey5s65kD21xoDN

Score

10^/10

redline drake infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

drake

83.97.73.131:19071

Attributes

auth_value
74ce6ffe4025a2e4027fb727915e7d7c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/4276-21-0x0000000000450000-0x0000000000480000-memory.dmp	family_redline
behavioral2/memory/4276-25-0x0000000000400000-0x0000000000441000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3348	x6186277.exe
4276	f6491078.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6186277.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3348	1524	0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe	84
PID 1524 wrote to memory of 3348	1524	0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe	84
PID 1524 wrote to memory of 3348	1524	0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe	84
PID 3348 wrote to memory of 4276	3348	x6186277.exe	85
PID 3348 wrote to memory of 4276	3348	x6186277.exe	85
PID 3348 wrote to memory of 4276	3348	x6186277.exe	85

C:\Users\Admin\AppData\Local\Temp\0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe
"C:\Users\Admin\AppData\Local\Temp\0876c8cfa6fce7ba925879cf54cfc3e5e8dbd4ab75b8d272ec811181bca1d4df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6186277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6186277.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6491078.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6491078.exe
    3⤵
    - Executes dropped EXE
    PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6186277.exe

Filesize
321KB

MD5
c7c5a6f94414a5e83180bf41d3f0b5db

SHA1
80fdf2bda3260cb10ed6f3df292fb931c0f4cc98

SHA256
bc1dcc53d9deb207db4c49e84bac40e2d815b68b22841e63bcfcec7b80947b94

SHA512
561d6a999a85539193b3d55bc195b047d76100fed434fd816ecd41fc439e675810aca41affde67028ff46d0224b4b55127c7a907b56953256a3dde9a4f315088

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6491078.exe

Filesize
269KB

MD5
ba3cf7ff2d77ce0b186a0250adf1d127

SHA1
e725906d15106c8b129d4cf5570c715785fd5c6d

SHA256
335841d26c05ef17a7aa4088858ed45650f881860c99e7f41ffbabbd79145fbf

SHA512
c307081cdb317acb62dfa37753f9d8a7d15288f57a8dc3ec44dd849c7dcda587026d5c015fddbd9956dfd7e89585659141bbb17af084316e10c6e7ff6f44f0ab

Download Submit
memory/1524-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1524-1-0x0000000000680000-0x00000000006EF000-memory.dmp

Filesize
444KB

Download
memory/4276-21-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/4276-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-26-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/4276-27-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/4276-28-0x0000000004CA0000-0x0000000004DAA000-memory.dmp

Filesize
1.0MB

Download
memory/4276-29-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/4276-30-0x0000000004B50000-0x0000000004B8C000-memory.dmp

Filesize
240KB

Download
memory/4276-31-0x0000000004E10000-0x0000000004E5C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads