redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe
Size

573KB
MD5

e97cb42ee797cb71a2b355d5cf08bed0
SHA1

0737c2b520c023ecca79c98e48e6a6c5055d77cd
SHA256

13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462
SHA512

2783b96c1d7ae82ef3be08a5b16472c00ed6ddc9b8a411d5e31d988a38c81570dd3f9306f7792d6d48dd52dbcb5ae83be96e6a10e6bdbb597679fc275e7b70e4
SSDEEP

6144:Kdy+bnr+Up0yN90QEx95o/WN5peWsZNKZLbKohtnrDBgxgoxjEFK4D0qm+R8xwJs:HMrsy90ZW/WHekpCxgXsom+gArXip1

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6539843.exe family_redline
behavioral28/memory/2044-21-0x0000000000220000-0x0000000000250000-memory.dmp family_redline
Executes dropped EXE 3 IoCs

Processes:

x4166625.exex3109604.exef6539843.exe

pid process

2224 x4166625.exe
4016 x3109604.exe
2044 f6539843.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6539843.exe	family_redline
behavioral28/memory/2044-21-0x0000000000220000-0x0000000000250000-memory.dmp	family_redline

pid	process
2224	x4166625.exe
4016	x3109604.exe
2044	f6539843.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x3109604.exe13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exex4166625.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3109604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4166625.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exex4166625.exex3109604.exe

description	pid	process	target process
PID 4664 wrote to memory of 2224	4664	13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe	x4166625.exe
PID 4664 wrote to memory of 2224	4664	13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe	x4166625.exe
PID 4664 wrote to memory of 2224	4664	13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe	x4166625.exe
PID 2224 wrote to memory of 4016	2224	x4166625.exe	x3109604.exe
PID 2224 wrote to memory of 4016	2224	x4166625.exe	x3109604.exe
PID 2224 wrote to memory of 4016	2224	x4166625.exe	x3109604.exe
PID 4016 wrote to memory of 2044	4016	x3109604.exe	f6539843.exe
PID 4016 wrote to memory of 2044	4016	x3109604.exe	f6539843.exe
PID 4016 wrote to memory of 2044	4016	x3109604.exe	f6539843.exe

C:\Users\Admin\AppData\Local\Temp\13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe
"C:\Users\Admin\AppData\Local\Temp\13a63fbb669551bf49f493a5471f08d73b453f35ebeafae1384e9f34dff94462.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4166625.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4166625.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3109604.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3109604.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6539843.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6539843.exe
4⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4166625.exe
Filesize
472KB

MD5
cfa5bf34d52b8b83af0c7658638314a4

SHA1
09d2b1d86755c040ecebc06c97e5aa2cc8bd4ec8

SHA256
0a6a9559e92a61e3b0e8b13a662d589c68a7722ccbf712c5a0d16f11f4b5da55

SHA512
71704ea749d91f674c86b1a1749954244cf25b9639e5708d693b65f6f508211615fdd1632ab67ddead70b7e3dd03e9072be452b771012a0911b62c128aa771c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3109604.exe
Filesize
277KB

MD5
7ed124d3f9b24c562c45ccddb5fb5004

SHA1
bd7edb4063c03623e3418520450ec0a999903915

SHA256
285bfea7460f97eaf9ec8f645cb92bcf24548ed9f6315e815fc81eaad6ed08dd

SHA512
b00fafbfb047aca62f57377aed80abeb35cbdc6d4cbce1cd790ce974b4a8523a054d17a64fcb0b7ce41895f1ead41d9b9a69a461ebb70d74b1dffd77ad99d950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6539843.exe
Filesize
173KB

MD5
cb6366a7cd42a4d2dd0862a9030201a6

SHA1
5bbe951275b647f9519304cc4d883eac5b81d1c3

SHA256
9441bead19b4ac6303c8b91259a556e4b12c42394d1fc7de30657630e5f312d2

SHA512
ebc220ef0db8f795364900a1d63bceaf15ad00820e2a46398f2ee672ba433185cabd3e370394327e2bd5a397cfc5d8905865c5fa3ca1cb3af18682bcc291e842

Download Submit
memory/2044-21-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2044-22-0x0000000004A00000-0x0000000004A06000-memory.dmp

Filesize
24KB

Download
memory/2044-23-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/2044-24-0x0000000004C90000-0x0000000004D9A000-memory.dmp

Filesize
1.0MB

Download
memory/2044-25-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/2044-26-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/2044-27-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download