redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
137s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe
Size

852KB
MD5

fe6f965517d6e9ee9fac7b6a2728b125
SHA1

61fa95d7d24b8667e5eb219f0772dba114ea19cc
SHA256

0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3
SHA512

f5827e2e061d96ea4183cf383dfaf5b2046ef32971a9a7472743e5a131102e6f7f2d7b559f5575e532c3b9083f7b2c3147dbe90293791bea2e187ee833dbcd62
SSDEEP

24576:HySCwgVIZTFq+zGYRkVfJQvqYb0WqU/0El:S/wgV+TFhzGYcgq+0WP/

Score

10^/10

redline jason infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

jason

83.97.73.129:19071

Attributes

auth_value
87d1dc01751f148e9bec02edc71c5d94

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral16/memory/4388-29-0x0000000000530000-0x0000000000560000-memory.dmp family_redline
Executes dropped EXE 4 IoCs

Processes:

z1585009.exez2580722.exez4184103.exeo9647399.exe

pid process

1976 z1585009.exe
3468 z2580722.exe
4180 z4184103.exe
4388 o9647399.exe

resource	yara_rule
behavioral16/memory/4388-29-0x0000000000530000-0x0000000000560000-memory.dmp	family_redline

pid	process
1976	z1585009.exe
3468	z2580722.exe
4180	z4184103.exe
4388	o9647399.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exez1585009.exez2580722.exez4184103.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1585009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2580722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4184103.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exez1585009.exez2580722.exez4184103.exe

description	pid	process	target process
PID 3484 wrote to memory of 1976	3484	0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe	z1585009.exe
PID 3484 wrote to memory of 1976	3484	0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe	z1585009.exe
PID 3484 wrote to memory of 1976	3484	0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe	z1585009.exe
PID 1976 wrote to memory of 3468	1976	z1585009.exe	z2580722.exe
PID 1976 wrote to memory of 3468	1976	z1585009.exe	z2580722.exe
PID 1976 wrote to memory of 3468	1976	z1585009.exe	z2580722.exe
PID 3468 wrote to memory of 4180	3468	z2580722.exe	z4184103.exe
PID 3468 wrote to memory of 4180	3468	z2580722.exe	z4184103.exe
PID 3468 wrote to memory of 4180	3468	z2580722.exe	z4184103.exe
PID 4180 wrote to memory of 4388	4180	z4184103.exe	o9647399.exe
PID 4180 wrote to memory of 4388	4180	z4184103.exe	o9647399.exe
PID 4180 wrote to memory of 4388	4180	z4184103.exe	o9647399.exe

C:\Users\Admin\AppData\Local\Temp\0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe
"C:\Users\Admin\AppData\Local\Temp\0c6a7849d41395e38b5f348c64219356456952602e96e3228379a31e3031a0d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1585009.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1585009.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2580722.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2580722.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4184103.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4184103.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9647399.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9647399.exe
5⤵
- Executes dropped EXE
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1585009.exe
Filesize
683KB

MD5
ede6448cac78812fec8f58751d4c1b63

SHA1
f007c1dbbe1d3112ae3921d9a9f17c6db888b2ae

SHA256
f4360fcf122460a717a02add74b947c0864976423db3495b5735019e3b8b5868

SHA512
ed7c8b136dbc1f8c3289a7e8f5c59bc60f7e42d91bccbe7311021e0a09181e9b00b6105d30bcabe1ca4971c999369287bf3047eddee7ef012878246320bee497

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2580722.exe
Filesize
453KB

MD5
ab137f2735fdf05bfeae2fee61f27d20

SHA1
8bf6b41d5856ff6c03021d6b17e906e17b931019

SHA256
b30a7959b1d2be4c6016e8543879206f03dc0e113ff80ea29ef16203c9312be7

SHA512
8b4e14199b0411a3e7742166fee283a7e73504dc23ca12978ac6912eb567c6d3d4945a2a3c96cba7071635cd27ac1325f1c8c13dee362d1f6dd5fd6ad1d8c55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4184103.exe
Filesize
297KB

MD5
c891561a5ae64ebb50c78e4fd6683db9

SHA1
3f5df1d043811f681e53583b9fb8bfc4f30e1867

SHA256
823d872eb6dc76cc9e965bdfd72d3a057df9254e7fffe6bca0ea6f0db96ad2ed

SHA512
02db2aee9a094cf7ecc248a699c60a9183bcd79216d3b2f6b849c7b9ed9da77b356b0b41a2670a26b3c0aa605156c955d384400245d4217fdb4f6523199dfb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9647399.exe
Filesize
336KB

MD5
459fa3428a6512c10713fda5498b5ff5

SHA1
b2342d1587505cabe11480470fce055fc2179c72

SHA256
2c113290834376e3bdf002347ce0b3c24d17c069d92e50eb53b5a304a30e14c6

SHA512
110bf15cc5f6af80c0ce5a1f7ff37468e4b45c3dd21d2a50f1488bf947908e141aa721d349e02b3fb7a7e3bc4862208d432aad7c4527a148481e061783169009

Download Submit
memory/4388-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-29-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/4388-33-0x0000000004AD0000-0x0000000004AD6000-memory.dmp

Filesize
24KB

Download
memory/4388-34-0x0000000009FD0000-0x000000000A5E8000-memory.dmp

Filesize
6.1MB

Download
memory/4388-35-0x000000000A670000-0x000000000A77A000-memory.dmp

Filesize
1.0MB

Download
memory/4388-36-0x000000000A7B0000-0x000000000A7C2000-memory.dmp

Filesize
72KB

Download
memory/4388-37-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/4388-38-0x0000000004590000-0x00000000045DC000-memory.dmp

Filesize
304KB

Download