redline | 37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9

Analysis

max time kernel
146s
max time network
189s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Size

773KB
MD5

29aaf4329eb63ad58213522d546be502
SHA1

7f5484fbe77a2b1ecdcc9d5d881c8a7fe4d0bbef
SHA256

37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9
SHA512

afa2717ffda628f6ef1cbaa65c505743d8ae4699e20c0a091c28d792289c7e5a94cd5c848622350a7d42ad74b60eddfc8bee69344efdb38ff9f54a1f7974a3e2
SSDEEP

24576:Ayy2GzxwCYvDnP1O1fBiNxX/dEOro0O6r:HyHMvE5iHFEOrJ

Score

10^/10

redline dante gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1916	x69063619.exe
268	m55074846.exe
876	1.exe
864	n71110944.exe

Loads dropped DLL 9 IoCs

pid	Process
924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
1916	x69063619.exe
1916	x69063619.exe
1916	x69063619.exe
268	m55074846.exe
268	m55074846.exe
876	1.exe
1916	x69063619.exe
864	n71110944.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x69063619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x69063619.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	m55074846.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 924 wrote to memory of 1916	924	37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe	27
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 1916 wrote to memory of 268	1916	x69063619.exe	28
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 268 wrote to memory of 876	268	m55074846.exe	29
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30
PID 1916 wrote to memory of 864	1916	x69063619.exe	30

C:\Users\Admin\AppData\Local\Temp\37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe
"C:\Users\Admin\AppData\Local\Temp\37c24f801df5e35d4e62cdd0986ad9c9bdc6bf1b5942c8a3f900c5c80a9a09f9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe

Filesize
569KB

MD5
4d36a4218bc1cc33e72ba037f0465930

SHA1
0e85d205c5cf934fca525559f13b329486139056

SHA256
e5eeb396cc6cb613caf25aa87e549eff2066c0b242d34c5338a8e0f7f94bb2e9

SHA512
3bcb4e9399e577b43f371f21ffed8296f041c19afa2c619a816f1db49ddea79613f3ba5388a42f6a2e6d0f771fb14afeb647cec5a15b9a615be869fd1138eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe

Filesize
569KB

MD5
4d36a4218bc1cc33e72ba037f0465930

SHA1
0e85d205c5cf934fca525559f13b329486139056

SHA256
e5eeb396cc6cb613caf25aa87e549eff2066c0b242d34c5338a8e0f7f94bb2e9

SHA512
3bcb4e9399e577b43f371f21ffed8296f041c19afa2c619a816f1db49ddea79613f3ba5388a42f6a2e6d0f771fb14afeb647cec5a15b9a615be869fd1138eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe

Filesize
169KB

MD5
e62e4bb9734b2212a4c351307ef7c4e8

SHA1
93fb97a8d6332fcbd80e13289e2a3c8afe029997

SHA256
98c9c93155a3cff8a49d3045975a7f7fd9f5ee4702e1414eb049d799b60b2856

SHA512
486e3e145333e33259799d36da1f91b0fee8f9debe4ce81de8ab505b591f31b75f76d44dfa32c787689a0c7213a1b011018ecebe49c1397f98e8b9c455307e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe

Filesize
169KB

MD5
e62e4bb9734b2212a4c351307ef7c4e8

SHA1
93fb97a8d6332fcbd80e13289e2a3c8afe029997

SHA256
98c9c93155a3cff8a49d3045975a7f7fd9f5ee4702e1414eb049d799b60b2856

SHA512
486e3e145333e33259799d36da1f91b0fee8f9debe4ce81de8ab505b591f31b75f76d44dfa32c787689a0c7213a1b011018ecebe49c1397f98e8b9c455307e76

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe

Filesize
569KB

MD5
4d36a4218bc1cc33e72ba037f0465930

SHA1
0e85d205c5cf934fca525559f13b329486139056

SHA256
e5eeb396cc6cb613caf25aa87e549eff2066c0b242d34c5338a8e0f7f94bb2e9

SHA512
3bcb4e9399e577b43f371f21ffed8296f041c19afa2c619a816f1db49ddea79613f3ba5388a42f6a2e6d0f771fb14afeb647cec5a15b9a615be869fd1138eed6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69063619.exe

Filesize
569KB

MD5
4d36a4218bc1cc33e72ba037f0465930

SHA1
0e85d205c5cf934fca525559f13b329486139056

SHA256
e5eeb396cc6cb613caf25aa87e549eff2066c0b242d34c5338a8e0f7f94bb2e9

SHA512
3bcb4e9399e577b43f371f21ffed8296f041c19afa2c619a816f1db49ddea79613f3ba5388a42f6a2e6d0f771fb14afeb647cec5a15b9a615be869fd1138eed6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m55074846.exe

Filesize
479KB

MD5
00cb38d342a1c443f83de64ab3df0628

SHA1
52655d532a4497d809d68194b6b4f0b526c55170

SHA256
c24c25951db24d0dd3b109eaca70e32c621d8c5d6d115d5c605f12d721314f5e

SHA512
47a220f0d81884e20d44e03acc7674dc93483dc0f433a7df78910b607d55bc9b959c0d4ceba14b3b6fda80f3930c1a76abd2a5f0ae7545065d8d738d4271278a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe

Filesize
169KB

MD5
e62e4bb9734b2212a4c351307ef7c4e8

SHA1
93fb97a8d6332fcbd80e13289e2a3c8afe029997

SHA256
98c9c93155a3cff8a49d3045975a7f7fd9f5ee4702e1414eb049d799b60b2856

SHA512
486e3e145333e33259799d36da1f91b0fee8f9debe4ce81de8ab505b591f31b75f76d44dfa32c787689a0c7213a1b011018ecebe49c1397f98e8b9c455307e76

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n71110944.exe

Filesize
169KB

MD5
e62e4bb9734b2212a4c351307ef7c4e8

SHA1
93fb97a8d6332fcbd80e13289e2a3c8afe029997

SHA256
98c9c93155a3cff8a49d3045975a7f7fd9f5ee4702e1414eb049d799b60b2856

SHA512
486e3e145333e33259799d36da1f91b0fee8f9debe4ce81de8ab505b591f31b75f76d44dfa32c787689a0c7213a1b011018ecebe49c1397f98e8b9c455307e76

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/268-120-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-136-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-92-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-94-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-96-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-98-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-100-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-102-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-104-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-106-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-110-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-112-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-114-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-118-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-88-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-122-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-124-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-116-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-126-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-128-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-132-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-134-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-130-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-90-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-138-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-140-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-142-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-146-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-144-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-108-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-2229-0x0000000002640000-0x0000000002672000-memory.dmp

Filesize
200KB

Download
memory/268-86-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-84-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-83-0x0000000002780000-0x00000000027E0000-memory.dmp

Filesize
384KB

Download
memory/268-82-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/268-78-0x00000000025B0000-0x0000000002618000-memory.dmp

Filesize
416KB

Download
memory/268-80-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/268-81-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/268-79-0x0000000002780000-0x00000000027E6000-memory.dmp

Filesize
408KB

Download
memory/864-2247-0x0000000001160000-0x0000000001190000-memory.dmp

Filesize
192KB

Download
memory/864-2248-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/864-2249-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/864-2251-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/876-2246-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/876-2239-0x0000000001320000-0x000000000134E000-memory.dmp

Filesize
184KB

Download
memory/876-2250-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/876-2252-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads