redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe
Size

579KB
MD5

7346c9336d7498f6c1ca3e50bf86b790
SHA1

5ea0344751f5d870d553a86d45df278a4be086bf
SHA256

1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15
SHA512

d67e21c390ae47baae31ae061cae1a2b5114536d29fe7c31a022001a2a7cffe5478c9af3a900187c8119a90f8201ec8edab66d561f180e9a83dfb34ba62b13c3
SSDEEP

12288:AMrly90iNyVjcWXPhJulUcY3oBYGGZJcqIWy/mnmef8yMHu:1y1Nyc4Ut4oBYGGJeGnd8yMHu

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5486847.exe family_redline
behavioral21/memory/372-21-0x0000000000CF0000-0x0000000000D20000-memory.dmp family_redline
Executes dropped EXE 3 IoCs

Processes:

x0159494.exex3895478.exef5486847.exe

pid process

4596 x0159494.exe
4692 x3895478.exe
372 f5486847.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5486847.exe	family_redline
behavioral21/memory/372-21-0x0000000000CF0000-0x0000000000D20000-memory.dmp	family_redline

pid	process
4596	x0159494.exe
4692	x3895478.exe
372	f5486847.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exex0159494.exex3895478.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0159494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3895478.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exex0159494.exex3895478.exe

description	pid	process	target process
PID 948 wrote to memory of 4596	948	1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe	x0159494.exe
PID 948 wrote to memory of 4596	948	1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe	x0159494.exe
PID 948 wrote to memory of 4596	948	1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe	x0159494.exe
PID 4596 wrote to memory of 4692	4596	x0159494.exe	x3895478.exe
PID 4596 wrote to memory of 4692	4596	x0159494.exe	x3895478.exe
PID 4596 wrote to memory of 4692	4596	x0159494.exe	x3895478.exe
PID 4692 wrote to memory of 372	4692	x3895478.exe	f5486847.exe
PID 4692 wrote to memory of 372	4692	x3895478.exe	f5486847.exe
PID 4692 wrote to memory of 372	4692	x3895478.exe	f5486847.exe

C:\Users\Admin\AppData\Local\Temp\1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe
"C:\Users\Admin\AppData\Local\Temp\1100f4a7535cf8075a78a8da90894ef23cade6fed0d169d44c1738a870630c15.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0159494.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0159494.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3895478.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3895478.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5486847.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5486847.exe
4⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0159494.exe
Filesize
377KB

MD5
a6f4d259b31d0c70ed6f9a69cb521833

SHA1
4ea8667522881464b01a0d144dc6a6ed5c99f6d8

SHA256
31a24b0eb0623604af72f64adadf0d33b5ad79737f233b90896138db2edb795d

SHA512
fd3556d149708a67d500c1a1fd1bbd988c2fe59730ce7ef46adc17247b643bccd1006264a1a4c254b92d9606eb5b82f7f5fd207234f996092d141ffef3180921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3895478.exe
Filesize
206KB

MD5
ed1d6b26c7e53b72045438c0619d4f89

SHA1
75ce225415284e41f6cc1df2c1792e428557067b

SHA256
fb47f510e2f2e8bf79e03466486aa9dfd98899ce4f9422db31d18de278c2c491

SHA512
acfbb2b70af918c5e29909aef06021a71a66a35093ed099a83839b380c02a9a777ba3af22edd84cb9e8a0ea76b944dbb3d6684a19f4e5ea864a70dcd7ce1e382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5486847.exe
Filesize
172KB

MD5
bf4fdf29fe2eef59ab9dedcbf6424775

SHA1
13de617659c6326a0aad59c4b84f82d54105506a

SHA256
0d8d564ab1e62c4273d1912a21d830a03556f810e88d0fde850ff4caaef5d362

SHA512
fdcb3d295c7261f47d50234608ce530a5d429649078517537990b8153abee0c42e85207388ee8d87038f48a61e88556e8412a6dde8936fc605d12478a1f15bfd

Download Submit
memory/372-21-0x0000000000CF0000-0x0000000000D20000-memory.dmp

Filesize
192KB

Download
memory/372-22-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download
memory/372-23-0x0000000005D20000-0x0000000006338000-memory.dmp

Filesize
6.1MB

Download
memory/372-24-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download
memory/372-25-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/372-26-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/372-27-0x0000000005740000-0x000000000578C000-memory.dmp

Filesize
304KB

Download