redline | 7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
Size

1.0MB
MD5

07fed12bfd9166a4f965f848c7172b04
SHA1

ebb25569a8ed53fc803ad6da6e25d06765340c38
SHA256

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c
SHA512

40da6d529abd89d380957635afadecf932c8bb12dd08ce83d53ff5f0b6bee52949f0aad7afc7eea5730b920d0fb55e4e57ab34db09aed36663eacd3684502327

Score

10^/10

redline 1010 infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

1010

135.181.123.52:21975

Attributes

auth_value
2cdeb4fb37fd392a4ee4bf30ab711e38

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-146-0x0000000000F00000-0x0000000000F22000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Avvelenate.exe.comAvvelenate.exe.comRegAsm.exe

pid process

3656 Avvelenate.exe.com
4264 Avvelenate.exe.com
1492 RegAsm.exe

pid	process
3656	Avvelenate.exe.com
4264	Avvelenate.exe.com
1492	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Avvelenate.exe.com

description pid process target process

PID 4264 set thread context of 1492 4264 Avvelenate.exe.com RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4260 PING.EXE

description	pid	process	target process
PID 4264 set thread context of 1492	4264	Avvelenate.exe.com	RegAsm.exe

pid	process
4260	PING.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.execmd.execmd.exeAvvelenate.exe.comAvvelenate.exe.com

description	pid	process	target process
PID 4048 wrote to memory of 828	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 4048 wrote to memory of 828	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 4048 wrote to memory of 828	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	dllhost.exe
PID 4048 wrote to memory of 1608	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 4048 wrote to memory of 1608	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 4048 wrote to memory of 1608	4048	7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe	cmd.exe
PID 1608 wrote to memory of 3108	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 3108	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 3108	1608	cmd.exe	cmd.exe
PID 3108 wrote to memory of 3196	3108	cmd.exe	findstr.exe
PID 3108 wrote to memory of 3196	3108	cmd.exe	findstr.exe
PID 3108 wrote to memory of 3196	3108	cmd.exe	findstr.exe
PID 3108 wrote to memory of 3656	3108	cmd.exe	Avvelenate.exe.com
PID 3108 wrote to memory of 3656	3108	cmd.exe	Avvelenate.exe.com
PID 3108 wrote to memory of 3656	3108	cmd.exe	Avvelenate.exe.com
PID 3108 wrote to memory of 4260	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 4260	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 4260	3108	cmd.exe	PING.EXE
PID 3656 wrote to memory of 4264	3656	Avvelenate.exe.com	Avvelenate.exe.com
PID 3656 wrote to memory of 4264	3656	Avvelenate.exe.com	Avvelenate.exe.com
PID 3656 wrote to memory of 4264	3656	Avvelenate.exe.com	Avvelenate.exe.com
PID 4264 wrote to memory of 1492	4264	Avvelenate.exe.com	RegAsm.exe
PID 4264 wrote to memory of 1492	4264	Avvelenate.exe.com	RegAsm.exe
PID 4264 wrote to memory of 1492	4264	Avvelenate.exe.com	RegAsm.exe
PID 4264 wrote to memory of 1492	4264	Avvelenate.exe.com	RegAsm.exe
PID 4264 wrote to memory of 1492	4264	Avvelenate.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe
"C:\Users\Admin\AppData\Local\Temp\7231cf29f8c9926a6b276b19c6cae25e43330b4b914ba3abd9ebeabcfc7d605c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Duro.vsd
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^LvDSVhyXjXdxKsRHmQvASKarhdehXjwxbouoVnxzwwTxiJmlXpXSysjwrmEElSZZWWXBkJLqcenRQYVERSfNgp$" Davanzale.vsd
4⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Avvelenate.exe.com P
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com P
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Camminato.vsd
Filesize
979KB

MD5
8874ddc6b24b0d3211ee079df83804ac

SHA1
22fb5ec6949dc1cdc3a3e12219020149d0de33ab

SHA256
50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed

SHA512
e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Davanzale.vsd
Filesize
872KB

MD5
bc96e3ac0ca0083a6dce5f2d3f282ccf

SHA1
c7e60f1e50184905bd3f6fd0680304f419be8262

SHA256
e76fef7267e9b6d9a63bf961c41a70d9e829e92a902316ebcabb277c0ecc0041

SHA512
1f4693d3b872dd42e1b3752701b80c71874292da23af121cab3c9e72e1afd981c7f2a718d7c368e2a030f0e3073eef4c15d7efac17a9184c5488ad6d6a0594c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Duro.vsd
Filesize
431B

MD5
6ce8586a7266d40430db0b133184c4d9

SHA1
2149fb62da20eb38e460a720c59c42a6359c0111

SHA256
d3a07b281b31e04c33d6e2365ca244fc34b6d30230e9fc6d4bb8c98604944364

SHA512
4afc88e6c3a57cc6e93b1e8456b91c9114b51e1dc60cdfbc71e0b843437ec7e881f3d7977198178982c3166bfa49450a649e854d5269734e752f62f77aacf8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P
Filesize
979KB

MD5
8874ddc6b24b0d3211ee079df83804ac

SHA1
22fb5ec6949dc1cdc3a3e12219020149d0de33ab

SHA256
50b29ff59bf772f8939344f0615a8a03085054e946dbf355d412fef6068322ed

SHA512
e613fdb1b937394217ef2344e3102998a35cea7554799b649567ef4c5cd4f71214a6a15adfaf0ca25b6acab0d5480b3fd8354d684d2921de975384acd824050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Saluta.vsd
Filesize
113KB

MD5
0d982eb51849e466dbdc6867c83f9f71

SHA1
6bc7762faa8f1007d54723ac9e99afa2fa8d953e

SHA256
fdb58f71a713f7a9351278c8192d21faa9776c200dbddfeefcb0cee89bc441e9

SHA512
16afc9d59dfe39e7cf7c8a5b0d1888deb719c8bb9752793990887bb12f1533803adb1e03a009ef37d9620c82a833ed7f34a84b63a486879b64b972b820745a14

Download Submit
memory/828-130-0x0000000000000000-mapping.dmp

Download
memory/1492-153-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/1492-152-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/1492-154-0x00000000060C0000-0x00000000061CA000-memory.dmp

Filesize
1.0MB

Download
memory/1492-150-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1492-151-0x00000000065D0000-0x0000000006BE8000-memory.dmp

Filesize
6.1MB

Download
memory/1492-145-0x0000000000000000-mapping.dmp

Download
memory/1492-146-0x0000000000F00000-0x0000000000F22000-memory.dmp

Filesize
136KB

Download
memory/1492-155-0x00000000063F0000-0x000000000642C000-memory.dmp

Filesize
240KB

Download
memory/1608-131-0x0000000000000000-mapping.dmp

Download
memory/3108-133-0x0000000000000000-mapping.dmp

Download
memory/3196-134-0x0000000000000000-mapping.dmp

Download
memory/3656-137-0x0000000000000000-mapping.dmp

Download
memory/4260-139-0x0000000000000000-mapping.dmp

Download
memory/4264-141-0x0000000000000000-mapping.dmp

Download