Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-05-2022 23:47
Static task: static1
Behavioral task: behavioral1
- Sample: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
- Resource: win10v2004-20220414-en
General
- Target: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
- Size: 1.0MB
- MD5: 07fed12bfd9166a4f965f848c7172b04
- SHA1: ebb25569a8ed53fc803ad6da6e25d06765340c38
- SHA256: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c
- SHA512: 40da6d529abd89d380957635afadecf932c8bb12dd08ce83d53ff5f0b6bee52949f0aad7afc7eea5730b920d0fb55e4e57ab34db09aed36663eacd3684502327
Malware Config
Extracted
- Family: redline
- Botnet: 1010
- C2: 135.181.123.52:21975
- auth_value: 2cdeb4fb37fd392a4ee4bf30ab711e38
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
  resource / yara_rule:
  - behavioral2/memory/1492-146-0x0000000000F00000-0x0000000000F22000-memory.dmp: family_redline
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
  - 3656 Avvelenate.exe.com
  - 4264 Avvelenate.exe.com
  - 1492 RegAsm.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 4264 set thread context of 1492: Avvelenate.exe.com -> RegAsm.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description / pid / process / target process; the report lists each row once per write, count in brackets):
  - PID 4048 wrote to memory of 828: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe -> dllhost.exe [3]
  - PID 4048 wrote to memory of 1608: 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe -> cmd.exe [3]
  - PID 1608 wrote to memory of 3108: cmd.exe -> cmd.exe [3]
  - PID 3108 wrote to memory of 3196: cmd.exe -> findstr.exe [3]
  - PID 3108 wrote to memory of 3656: cmd.exe -> Avvelenate.exe.com [3]
  - PID 3108 wrote to memory of 4260: cmd.exe -> PING.EXE [3]
  - PID 3656 wrote to memory of 4264: Avvelenate.exe.com -> Avvelenate.exe.com [3]
  - PID 4264 wrote to memory of 1492: Avvelenate.exe.com -> RegAsm.exe [5]
Processes
- C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    command: dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe
    command: cmd /c cmd < Duro.vsd
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command: cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        command: findstr /V /R "^LvDSVhyXjXdxKsRHmQvASKarhdehXjwxbouoVnxzwwTxiJmlXpXSysjwrmEElSZZWWXBkJLqcenRQYVERSfNgp$" Davanzale.vsd
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
        command: Avvelenate.exe.com P
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
          command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com P
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            - Executes dropped EXE
      - C:\Windows\SysWOW64\PING.EXE
        command: ping localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Camminato.vsd
  Filesize: 979KB
  MD5: 8874ddc6b24b0d3211ee079df83804ac
  SHA1: 22fb5ec6949dc1cdc3a3e12219020149d0de33ab
  SHA256: 50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed
  SHA512: e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Davanzale.vsd
  Filesize: 872KB
  MD5: bc96e3ac0ca0083a6dce5f2d3f282ccf
  SHA1: c7e60f1e50184905bd3f6fd0680304f419be8262
  SHA256: e76fef7267e9b6d9a63bf961c41a70d9e829e92a902316ebcabb277c0ecc0041
  SHA512: 1f4693d3b872dd42e1b3752701b80c71874292da23af121cab3c9e72e1afd981c7f2a718d7c368e2a030f0e3073eef4c15d7efac17a9184c5488ad6d6a0594c9
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Duro.vsd
  Filesize: 431B
  MD5: 6ce8586a7266d40430db0b133184c4d9
  SHA1: 2149fb62da20eb38e460a720c59c42a6359c0111
  SHA256: d3a07b281b31e04c33d6e2365ca244fc34b6d30230e9fc6d4bb8c98604944364
  SHA512: 4afc88e6c3a57cc6e93b1e8456b91c9114b51e1dc60cdfbc71e0b843437ec7e881f3d7977198178982c3166bfa49450a649e854d5269734e752f62f77aacf8b8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P
  Filesize: 979KB
  MD5: 8874ddc6b24b0d3211ee079df83804ac
  SHA1: 22fb5ec6949dc1cdc3a3e12219020149d0de33ab
  SHA256: 50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed
  SHA512: e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
  Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Saluta.vsd
  Filesize: 113KB
  MD5: 0d982eb51849e466dbdc6867c83f9f71
  SHA1: 6bc7762faa8f1007d54723ac9e99afa2fa8d953e
  SHA256: fdb58f71a713f7a9351278c8192d21faa9776c200dbddfeefcb0cee89bc441e9
  SHA512: 16afc9d59dfe39e7cf7c8a5b0d1888deb719c8bb9752793990887bb12f1533803adb1e03a009ef37d9620c82a833ed7f34a84b63a486879b64b972b820745a14
- memory/828-130-0x0000000000000000-mapping.dmp
- memory/1492-153-0x0000000005540000-0x0000000005552000-memory.dmp
  Filesize: 72KB
- memory/1492-152-0x0000000005580000-0x0000000005612000-memory.dmp
  Filesize: 584KB
- memory/1492-154-0x00000000060C0000-0x00000000061CA000-memory.dmp
  Filesize: 1.0MB
- memory/1492-150-0x0000000005A00000-0x0000000005FA4000-memory.dmp
  Filesize: 5.6MB
- memory/1492-151-0x00000000065D0000-0x0000000006BE8000-memory.dmp
  Filesize: 6.1MB
- memory/1492-145-0x0000000000000000-mapping.dmp
- memory/1492-146-0x0000000000F00000-0x0000000000F22000-memory.dmp
  Filesize: 136KB
- memory/1492-155-0x00000000063F0000-0x000000000642C000-memory.dmp
  Filesize: 240KB
- memory/1608-131-0x0000000000000000-mapping.dmp
- memory/3108-133-0x0000000000000000-mapping.dmp
- memory/3196-134-0x0000000000000000-mapping.dmp
- memory/3656-137-0x0000000000000000-mapping.dmp
- memory/4260-139-0x0000000000000000-mapping.dmp
- memory/4264-141-0x0000000000000000-mapping.dmp