redline | 01b6baf9abd25a3b8e4b4bbe803a52013c55dec97bb0a4d9ffd4ec29c80d57c0

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15/02/2023, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe
Size

721KB
MD5

868ffdfc1a8da8187418ed72676cbf8e
SHA1

47f02374991b47bc9c0b66df0694750cfd3c96f2
SHA256

8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842
SHA512

70064194c523822269fb741f1b585c5c89dfe141c9b16ee540c9ec8ad468b453762b18e8f1e4c1f3ce53df8d4ff70160a454ca8cc4f84fc985415a262e74239d
SSDEEP

12288:EMray90ZUJfRuHv9R7mS9FV97C8THVKeJ+xvYyGRg9AXeoVH5vwcKebku79CzMbF:OyHJfRIvnX91C8TxagjR/XT5vBOaoMbF

Score

10^/10

redline dunm infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dunm

193.233.20.12:4132

Attributes

auth_value
352959e3707029296ec94306d74e2334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
904	gRj57jM.exe
1952	gbL91Zg.exe
1928	aKC20vv.exe

Loads dropped DLL 6 IoCs

pid	Process
1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe
904	gRj57jM.exe
904	gRj57jM.exe
1952	gbL91Zg.exe
1952	gbL91Zg.exe
1928	aKC20vv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gRj57jM.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gbL91Zg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gbL91Zg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gRj57jM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 1788 wrote to memory of 904	1788	8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe	27
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 904 wrote to memory of 1952	904	gRj57jM.exe	28
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29
PID 1952 wrote to memory of 1928	1952	gbL91Zg.exe	29

C:\Users\Admin\AppData\Local\Temp\8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe
"C:\Users\Admin\AppData\Local\Temp\8ecabb42fe3cbdb6a89a113eb3d160817682d6546f7f629811a4621e2cbc8842.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe

Filesize
617KB

MD5
4dacc0351b1b15fe6bc22b10d5dbbb0d

SHA1
7d6e162b485a3dd6c349945c49d9cb128334624f

SHA256
74d0925eb90cc0d5b330dec88fa9bca8ff36ae320823e6b069d8c8116cefacfa

SHA512
323fbbe4ac8ffd778e26a1f2ab476df027941b0755107a8f8d84d48441a48860ce6b8f41b5e0502fd59182eba3fa03078a5bee9a19b005d79fe30cbc7c3fab86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe

Filesize
617KB

MD5
4dacc0351b1b15fe6bc22b10d5dbbb0d

SHA1
7d6e162b485a3dd6c349945c49d9cb128334624f

SHA256
74d0925eb90cc0d5b330dec88fa9bca8ff36ae320823e6b069d8c8116cefacfa

SHA512
323fbbe4ac8ffd778e26a1f2ab476df027941b0755107a8f8d84d48441a48860ce6b8f41b5e0502fd59182eba3fa03078a5bee9a19b005d79fe30cbc7c3fab86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe

Filesize
286KB

MD5
8b9981d3e9a24db031d020ff29288814

SHA1
f2ebaeabf58abb6e94a725fd6a403ed46fa9f0e2

SHA256
f2d7eec5ec2e3241b8db5bb9bdf271ceb99a6050b72c6b690cb9643f4fede6b9

SHA512
23d18c1c128960c4f5b21dc13eb878e6f597cecb512e2be855a2ab7d9b16d60dde52baee4f415c103225e09f32a1197890bb418f033256118a55069b438c8c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe

Filesize
286KB

MD5
8b9981d3e9a24db031d020ff29288814

SHA1
f2ebaeabf58abb6e94a725fd6a403ed46fa9f0e2

SHA256
f2d7eec5ec2e3241b8db5bb9bdf271ceb99a6050b72c6b690cb9643f4fede6b9

SHA512
23d18c1c128960c4f5b21dc13eb878e6f597cecb512e2be855a2ab7d9b16d60dde52baee4f415c103225e09f32a1197890bb418f033256118a55069b438c8c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe

Filesize
617KB

MD5
4dacc0351b1b15fe6bc22b10d5dbbb0d

SHA1
7d6e162b485a3dd6c349945c49d9cb128334624f

SHA256
74d0925eb90cc0d5b330dec88fa9bca8ff36ae320823e6b069d8c8116cefacfa

SHA512
323fbbe4ac8ffd778e26a1f2ab476df027941b0755107a8f8d84d48441a48860ce6b8f41b5e0502fd59182eba3fa03078a5bee9a19b005d79fe30cbc7c3fab86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\gRj57jM.exe

Filesize
617KB

MD5
4dacc0351b1b15fe6bc22b10d5dbbb0d

SHA1
7d6e162b485a3dd6c349945c49d9cb128334624f

SHA256
74d0925eb90cc0d5b330dec88fa9bca8ff36ae320823e6b069d8c8116cefacfa

SHA512
323fbbe4ac8ffd778e26a1f2ab476df027941b0755107a8f8d84d48441a48860ce6b8f41b5e0502fd59182eba3fa03078a5bee9a19b005d79fe30cbc7c3fab86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe

Filesize
286KB

MD5
8b9981d3e9a24db031d020ff29288814

SHA1
f2ebaeabf58abb6e94a725fd6a403ed46fa9f0e2

SHA256
f2d7eec5ec2e3241b8db5bb9bdf271ceb99a6050b72c6b690cb9643f4fede6b9

SHA512
23d18c1c128960c4f5b21dc13eb878e6f597cecb512e2be855a2ab7d9b16d60dde52baee4f415c103225e09f32a1197890bb418f033256118a55069b438c8c41

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\gbL91Zg.exe

Filesize
286KB

MD5
8b9981d3e9a24db031d020ff29288814

SHA1
f2ebaeabf58abb6e94a725fd6a403ed46fa9f0e2

SHA256
f2d7eec5ec2e3241b8db5bb9bdf271ceb99a6050b72c6b690cb9643f4fede6b9

SHA512
23d18c1c128960c4f5b21dc13eb878e6f597cecb512e2be855a2ab7d9b16d60dde52baee4f415c103225e09f32a1197890bb418f033256118a55069b438c8c41

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\aKC20vv.exe

Filesize
175KB

MD5
69f79e05d0c83aee310d9adfe5aa7f2b

SHA1
485c490180380051a14316564fbda07723be11b1

SHA256
c41dc7f6cc752595337cd7f209f923b43b061b201c6ab4dc02151afb90cd66e2

SHA512
f1789a74aeb83867c37ddeadcd06cddfc1454a94fcc122b35d67b0309b46742b9a6611e4c3e583baa90a3fd456e45c75ae5f1a206f6e4500c1f3f8ddf5e47b42

Download Submit
memory/1788-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1928-73-0x0000000000DD0000-0x0000000000E02000-memory.dmp

Filesize
200KB

Download