redline | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe
Size

608KB
MD5

d167146c83ff7591d7d10d1ede086a97
SHA1

83a9d22d4c0baa547f3bf8d0bf46f39299185cbf
SHA256

15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3
SHA512

0cfb3f6ee3b07c01c2fdc7127b9ac1a12f4ff5ece30fa9da3d0c3e2b87b23dfbf246ff56c1f62eba7de813aa9e40563e320f4eb084b9ed0150c765a09a25a487
SSDEEP

12288:QMr3y90iBqiXyHVwpzUxo4HRsdpQyfBFmNfj:3yl37p4xo4H6QIFmR

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9360771.exe family_redline
behavioral31/memory/2932-21-0x00000000000A0000-0x00000000000D0000-memory.dmp family_redline
Executes dropped EXE 3 IoCs

Processes:

x8676473.exex8162848.exef9360771.exe

pid process

2776 x8676473.exe
376 x8162848.exe
2932 f9360771.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9360771.exe	family_redline
behavioral31/memory/2932-21-0x00000000000A0000-0x00000000000D0000-memory.dmp	family_redline

pid	process
2776	x8676473.exe
376	x8162848.exe
2932	f9360771.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exex8676473.exex8162848.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8676473.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8162848.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exex8676473.exex8162848.exe

description	pid	process	target process
PID 1112 wrote to memory of 2776	1112	15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe	x8676473.exe
PID 1112 wrote to memory of 2776	1112	15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe	x8676473.exe
PID 1112 wrote to memory of 2776	1112	15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe	x8676473.exe
PID 2776 wrote to memory of 376	2776	x8676473.exe	x8162848.exe
PID 2776 wrote to memory of 376	2776	x8676473.exe	x8162848.exe
PID 2776 wrote to memory of 376	2776	x8676473.exe	x8162848.exe
PID 376 wrote to memory of 2932	376	x8162848.exe	f9360771.exe
PID 376 wrote to memory of 2932	376	x8162848.exe	f9360771.exe
PID 376 wrote to memory of 2932	376	x8162848.exe	f9360771.exe

C:\Users\Admin\AppData\Local\Temp\15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe
"C:\Users\Admin\AppData\Local\Temp\15f6ddf672086fbd9e4f59fa670c201e101a75e13a71645c982db165fc6e66e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8676473.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8676473.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8162848.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8162848.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9360771.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9360771.exe
4⤵
- Executes dropped EXE
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8676473.exe
Filesize
506KB

MD5
f1924a183b98f5859e9f05700cd930a2

SHA1
69175c84f6162182dfac0ec9d24e8d8f16b868a0

SHA256
e17bf564e44cdb0753bcc2f6cdb1aff1fb93963fa8dac190107609ee782c2913

SHA512
19eba5a2c3af181cf8ac294f734b244e484ab674a9b6f301d3d658439b6b789ef64d11ae9aea77e942348d4f87a10ebb3aea49c83fba57b0ed7010aa99e96cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8162848.exe
Filesize
277KB

MD5
91ef23627101ff6f3aa6b6412984cd87

SHA1
6d3352b735263ae2b1dccba00fe2045a4c23252b

SHA256
16fdf1f501f4498e8a583734e57b685d5a39382b445563401869fdf23aada601

SHA512
29edacc4ce8863887c0542e54c726ef3f294e4fdd97d8a43258c897cc12073a2015a92da3fa351e0ac5d4f1687e7d36f4b1feb62576bbde86c565f4a0783ab61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9360771.exe
Filesize
173KB

MD5
a96c7829b144e9bee94700fdf0fe2ac9

SHA1
54cd161968f8a4beb3b35bf71f23b6d7d9802fb7

SHA256
4f43977588b439a9a2e611bf89c60cd3309fb8b4dfddc8b6e1240b43d75f6195

SHA512
4b3dbc706b77b64c0a9b9920f462c2d471b4e2a9cf2dd2fe530fc1ef29a6ee62caba13150361a646d1e7eb672406b44fcb7d1c5248be907103f028eb4623a002

Download Submit
memory/2932-21-0x00000000000A0000-0x00000000000D0000-memory.dmp

Filesize
192KB

Download
memory/2932-22-0x0000000004840000-0x0000000004846000-memory.dmp

Filesize
24KB

Download
memory/2932-23-0x00000000050E0000-0x00000000056F8000-memory.dmp

Filesize
6.1MB

Download
memory/2932-24-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/2932-25-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/2932-26-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

Filesize
240KB

Download
memory/2932-27-0x0000000004D40000-0x0000000004D8C000-memory.dmp

Filesize
304KB

Download