redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
136s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe
Size

573KB
MD5

57c977c9e7ae3d27e53f187c66fff172
SHA1

54e977c69884649abc91dee85dca134c7ff146d6
SHA256

143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c
SHA512

bb2ee725215a410d780e3cd3f6070f90ad96c399c2450c1a8a4ebd516ef8eb680f5288a3729800d7d72b6af7ee2764d073906b615644a9365bfeafcd837d590e
SSDEEP

12288:LMrAy90RVCbfkFW+uv9JtYoqleDx12HZXwheCdI:/yqE8puztYou5Zoq

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2217116.exe family_redline
behavioral29/memory/3688-21-0x0000000000960000-0x0000000000990000-memory.dmp family_redline
Executes dropped EXE 3 IoCs

Processes:

x3059096.exex9496412.exef2217116.exe

pid process

560 x3059096.exe
3380 x9496412.exe
3688 f2217116.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2217116.exe	family_redline
behavioral29/memory/3688-21-0x0000000000960000-0x0000000000990000-memory.dmp	family_redline

pid	process
560	x3059096.exe
3380	x9496412.exe
3688	f2217116.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exex3059096.exex9496412.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3059096.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9496412.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exex3059096.exex9496412.exe

description	pid	process	target process
PID 2928 wrote to memory of 560	2928	143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe	x3059096.exe
PID 2928 wrote to memory of 560	2928	143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe	x3059096.exe
PID 2928 wrote to memory of 560	2928	143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe	x3059096.exe
PID 560 wrote to memory of 3380	560	x3059096.exe	x9496412.exe
PID 560 wrote to memory of 3380	560	x3059096.exe	x9496412.exe
PID 560 wrote to memory of 3380	560	x3059096.exe	x9496412.exe
PID 3380 wrote to memory of 3688	3380	x9496412.exe	f2217116.exe
PID 3380 wrote to memory of 3688	3380	x9496412.exe	f2217116.exe
PID 3380 wrote to memory of 3688	3380	x9496412.exe	f2217116.exe

C:\Users\Admin\AppData\Local\Temp\143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe
"C:\Users\Admin\AppData\Local\Temp\143dea0e6ec39e956087e8ed61f409995090455ba38a1e73225a6d87b9d1a55c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3059096.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3059096.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9496412.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9496412.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2217116.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2217116.exe
4⤵
- Executes dropped EXE
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3059096.exe
Filesize
472KB

MD5
c51628af3f0a2c8278020f91dfa43db1

SHA1
873053fecd876f45336b708be695161d6a7e4509

SHA256
35153fcd5a6b33cdf4973c5d954f83474350fab21e11f48f4013f2c10611c5cf

SHA512
e7334e592900d1378e898c121fe06ec2a56186f999bb96db76dcaa134c5cea3c7088766f0368ec4101ecb86495802b9ba1d7cd2a60b0909d43745c22271c3849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9496412.exe
Filesize
277KB

MD5
5fbe7bca75c6c45d6fb7610288589c40

SHA1
53df912fce3964c526820780d003a0cf38c2fec2

SHA256
f26212c2117d500a5fede2cf401e0f82c64d0be4c552f09be3d96cc55b904755

SHA512
698e004f31dfda852d4bc47be538004fb1c4c99f649135f1d0a55f65b70e1257e1f849bdb48952a2d66ad4e2af2ed596af1ccd1310dd46bc779fbc9c3947f16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2217116.exe
Filesize
173KB

MD5
55ec380a3c65703224aa2981f8921c5b

SHA1
95daba3eacd6b9096d43feb70c6b1cd5a1c5c0dd

SHA256
4505e0c42bd2e534952f5292e0e980bd3641d6d2737ffcde97c148de4c16cafe

SHA512
793098cd6851b6aa1038ea8da75fad0529ae72c090fdd505f6d9b69111f12da3a64f1397bf3c6e949aab9c03339ac7133afa8053634172ef288b49fd00ddf695

Download Submit
memory/3688-21-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download
memory/3688-22-0x0000000002E30000-0x0000000002E36000-memory.dmp

Filesize
24KB

Download
memory/3688-23-0x000000000AE70000-0x000000000B488000-memory.dmp

Filesize
6.1MB

Download
memory/3688-25-0x000000000A850000-0x000000000A862000-memory.dmp

Filesize
72KB

Download
memory/3688-26-0x000000000A8B0000-0x000000000A8EC000-memory.dmp

Filesize
240KB

Download
memory/3688-24-0x000000000A960000-0x000000000AA6A000-memory.dmp

Filesize
1.0MB

Download
memory/3688-27-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download