redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe
Size

572KB
MD5

420622306beffd3306e285ea654ad117
SHA1

49a77a1af0d9a93454b0dedb0429024c504f786d
SHA256

012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85
SHA512

7097900867b7c6c471cb24f880163ffb1b553c8ef31c36241272805508291d4a35604b1e94c396c87fa7ca1da534503638253ab8bc9f828fc31ccea9439f8e2c
SSDEEP

12288:OMrvy90sthwYfZRMudCLVgXbOWVowB0d5uJk:Ny/nZKNqZTMuJk

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8099591.exe family_redline
behavioral1/memory/2092-21-0x0000000000A70000-0x0000000000AA0000-memory.dmp family_redline
Executes dropped EXE 3 IoCs

Processes:

x8597088.exex7948424.exef8099591.exe

pid process

4984 x8597088.exe
4332 x7948424.exe
2092 f8099591.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8099591.exe	family_redline
behavioral1/memory/2092-21-0x0000000000A70000-0x0000000000AA0000-memory.dmp	family_redline

pid	process
4984	x8597088.exe
4332	x7948424.exe
2092	f8099591.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exex8597088.exex7948424.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8597088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7948424.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exex8597088.exex7948424.exe

description	pid	process	target process
PID 2764 wrote to memory of 4984	2764	012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe	x8597088.exe
PID 2764 wrote to memory of 4984	2764	012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe	x8597088.exe
PID 2764 wrote to memory of 4984	2764	012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe	x8597088.exe
PID 4984 wrote to memory of 4332	4984	x8597088.exe	x7948424.exe
PID 4984 wrote to memory of 4332	4984	x8597088.exe	x7948424.exe
PID 4984 wrote to memory of 4332	4984	x8597088.exe	x7948424.exe
PID 4332 wrote to memory of 2092	4332	x7948424.exe	f8099591.exe
PID 4332 wrote to memory of 2092	4332	x7948424.exe	f8099591.exe
PID 4332 wrote to memory of 2092	4332	x7948424.exe	f8099591.exe

C:\Users\Admin\AppData\Local\Temp\012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe
"C:\Users\Admin\AppData\Local\Temp\012700a41078e9d01c70955c50073da3b9b9a163c6fa5776195c278a70bf8c85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597088.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597088.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7948424.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7948424.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8099591.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8099591.exe
4⤵
- Executes dropped EXE
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8597088.exe
Filesize
471KB

MD5
d891ec9efd849a9fbf547f45fb4ddf54

SHA1
977d6de0a0d6be50d5960d5cb2b909824b939519

SHA256
2709556a9f0d2fc9163212cbe9aea844a0b5dd40230134bfa00b22d087d2a632

SHA512
53507d87c85ea2a7b3edcf7c46a515355dfb90b8a9a074f3e440631a62585756a5629237a843b24fca057251eb51ce6aad806068c64fd541d416bc2791259526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7948424.exe
Filesize
277KB

MD5
726008875886321d4176dfb70c9eb984

SHA1
2f12caac4cc6ee70832713661d24e30a91eae77c

SHA256
ccd0803aa6ef7a022b570a1bcab7358e2e4eab75d1e25a3f662c2b05eeaecb97

SHA512
38def2409d40be5a7f2ab833bcbc051d221bc0b80a7af7cd869de2629399abfd44dab9240607c028a550a0f015f00a1f6133bf92aee1db2236e863d86fd6a506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8099591.exe
Filesize
173KB

MD5
4ef751acb837690b6cf7e2a2beb977d9

SHA1
116169a3691e077725ed073a93d293be07ad5d65

SHA256
a9c74937900fc82a00b914ce467a52be727ed5c6f18fff9e0e5a17964b69ae96

SHA512
61c960498f179451f912b4f125640f133152248a80be1ee2ad6014bbb439c3784abdf6a71b0979468ceb69aa7c68787e537db4dd3644d61fa28ca72c4be6bab4

Download Submit
memory/2092-21-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/2092-22-0x0000000001290000-0x0000000001296000-memory.dmp

Filesize
24KB

Download
memory/2092-23-0x0000000005B50000-0x0000000006168000-memory.dmp

Filesize
6.1MB

Download
memory/2092-24-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/2092-25-0x0000000005550000-0x0000000005562000-memory.dmp

Filesize
72KB

Download
memory/2092-26-0x00000000055B0000-0x00000000055EC000-memory.dmp

Filesize
240KB

Download
memory/2092-27-0x00000000055F0000-0x000000000563C000-memory.dmp

Filesize
304KB

Download