redline | c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe
Size

1.5MB
MD5

181826e9fb56d1468f454b9a2ac58f7e
SHA1

c562e699297d0148be0bd666f3b7a9b1ce7753b7
SHA256

c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76
SHA512

0969e742ea2b1856e115483b97d26536a6d404f6c280cc3d1bb6a85c557f7d5d4185b3fc54fcbf0018bfd9ff272087eb2371a46067608b4d0e4015226f844ffe
SSDEEP

24576:NyC1NQ63VXpZd2PLBl6gd2brWwoSDz2OPzlqSP0UGjGSx/C3W7vcpNwgzB4ToHIz:oC1vV5b2PLBl6zbrtVuOPzlq20Jf6G7t

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2032	i57944430.exe
1692	i21220217.exe
1340	i83116831.exe
1684	i55153703.exe
776	a02714934.exe

Loads dropped DLL 10 IoCs

pid	Process
1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe
2032	i57944430.exe
2032	i57944430.exe
1692	i21220217.exe
1692	i21220217.exe
1340	i83116831.exe
1340	i83116831.exe
1684	i55153703.exe
1684	i55153703.exe
776	a02714934.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21220217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i21220217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i83116831.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i55153703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i55153703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i57944430.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i57944430.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83116831.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 1256 wrote to memory of 2032	1256	c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe	28
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 2032 wrote to memory of 1692	2032	i57944430.exe	29
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1692 wrote to memory of 1340	1692	i21220217.exe	30
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1340 wrote to memory of 1684	1340	i83116831.exe	31
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32
PID 1684 wrote to memory of 776	1684	i55153703.exe	32

C:\Users\Admin\AppData\Local\Temp\c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe
"C:\Users\Admin\AppData\Local\Temp\c200bc513ec20affb4c135af8ec8d94bc6db688e00c2add59ad1903264546a76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe

Filesize
1.3MB

MD5
3945b95e9036e306fa28a2a23b86277a

SHA1
46e46221382c2380c41b2dc8a67852af6f6be64b

SHA256
5b791e25c5cd23a5309d27b360ac730d4a36f3420fc66acde87f8aecc361941c

SHA512
5f941499e9871f43073cc2516a98e5a2cb1a49029e7a1ad6c76fc8bc90a65a816546957b0d21528c866ee85d85dfbcfda00a7e03c5f09a29b9099049bdbb76fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe

Filesize
1.3MB

MD5
3945b95e9036e306fa28a2a23b86277a

SHA1
46e46221382c2380c41b2dc8a67852af6f6be64b

SHA256
5b791e25c5cd23a5309d27b360ac730d4a36f3420fc66acde87f8aecc361941c

SHA512
5f941499e9871f43073cc2516a98e5a2cb1a49029e7a1ad6c76fc8bc90a65a816546957b0d21528c866ee85d85dfbcfda00a7e03c5f09a29b9099049bdbb76fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe

Filesize
1015KB

MD5
b59ca9cda2f7e7379f292a799765a491

SHA1
7ac3c060b1fe98f883bd8a72f14b27443cee8c60

SHA256
eeba2235d7495c87156ed3467961e59e2f9873cb4ac0ce713fe5d1aecb305cd3

SHA512
0f096954bc0d7cfacd521cc31957fa0447623c42e6e12569478f133c347089f3de6db7de3ac890d614777e9d166f7fd69464805c736174fd4125ca702446b949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe

Filesize
1015KB

MD5
b59ca9cda2f7e7379f292a799765a491

SHA1
7ac3c060b1fe98f883bd8a72f14b27443cee8c60

SHA256
eeba2235d7495c87156ed3467961e59e2f9873cb4ac0ce713fe5d1aecb305cd3

SHA512
0f096954bc0d7cfacd521cc31957fa0447623c42e6e12569478f133c347089f3de6db7de3ac890d614777e9d166f7fd69464805c736174fd4125ca702446b949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe

Filesize
844KB

MD5
2cd0e8930ea587cbebdedad6fb5bb4de

SHA1
1a7ef0b1d9263ffe6c0bfdc18c21e4fe4eaef2e8

SHA256
2c82ea598d83f5d40b6298d2c2d2276c08130b51a6a37efe29019e3316b0cea3

SHA512
eb3df082515361bc79a3a867320171c9259c6325ed0bd8ec136c53caa282e483f598ead319fbf411eb08b7e5d5d47bb9311b8a7dfe1b673556247d36eb554ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe

Filesize
844KB

MD5
2cd0e8930ea587cbebdedad6fb5bb4de

SHA1
1a7ef0b1d9263ffe6c0bfdc18c21e4fe4eaef2e8

SHA256
2c82ea598d83f5d40b6298d2c2d2276c08130b51a6a37efe29019e3316b0cea3

SHA512
eb3df082515361bc79a3a867320171c9259c6325ed0bd8ec136c53caa282e483f598ead319fbf411eb08b7e5d5d47bb9311b8a7dfe1b673556247d36eb554ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe

Filesize
371KB

MD5
aa9094ca97eb29b24d02062c5bf5b33f

SHA1
fee171ab94f21dc5a7b5189266cf529f12cb655c

SHA256
2af8582a05bf0dd5850cad1dd6af2d7012490a3da5507311785bebf8e4e63545

SHA512
805b89938836ad2f1a30ff036375193de9281cffb435acc5dd0d900a8406cf54f7b521cc0b2236c84950a4d1d8e555502f8b13d62162f911454af30e3797b627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe

Filesize
371KB

MD5
aa9094ca97eb29b24d02062c5bf5b33f

SHA1
fee171ab94f21dc5a7b5189266cf529f12cb655c

SHA256
2af8582a05bf0dd5850cad1dd6af2d7012490a3da5507311785bebf8e4e63545

SHA512
805b89938836ad2f1a30ff036375193de9281cffb435acc5dd0d900a8406cf54f7b521cc0b2236c84950a4d1d8e555502f8b13d62162f911454af30e3797b627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe

Filesize
169KB

MD5
7f2584b4bb84cfbe4faf5e97d0ef3cf0

SHA1
cb3df329707bb03e870e468115e5bc4a84a38c5e

SHA256
865b8cea97b2d3efb400772e056bec368270a5c2733224d3462e5a8fb9f3f4a1

SHA512
75dfc052fcd8c6d8418e24dae0bb22c9700b2db593453261e29f693c488718f654ca02c2ef181603fe3dd64f9ebd3e0cd07157b40a693265099db31177ee4ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe

Filesize
169KB

MD5
7f2584b4bb84cfbe4faf5e97d0ef3cf0

SHA1
cb3df329707bb03e870e468115e5bc4a84a38c5e

SHA256
865b8cea97b2d3efb400772e056bec368270a5c2733224d3462e5a8fb9f3f4a1

SHA512
75dfc052fcd8c6d8418e24dae0bb22c9700b2db593453261e29f693c488718f654ca02c2ef181603fe3dd64f9ebd3e0cd07157b40a693265099db31177ee4ec7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe

Filesize
1.3MB

MD5
3945b95e9036e306fa28a2a23b86277a

SHA1
46e46221382c2380c41b2dc8a67852af6f6be64b

SHA256
5b791e25c5cd23a5309d27b360ac730d4a36f3420fc66acde87f8aecc361941c

SHA512
5f941499e9871f43073cc2516a98e5a2cb1a49029e7a1ad6c76fc8bc90a65a816546957b0d21528c866ee85d85dfbcfda00a7e03c5f09a29b9099049bdbb76fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i57944430.exe

Filesize
1.3MB

MD5
3945b95e9036e306fa28a2a23b86277a

SHA1
46e46221382c2380c41b2dc8a67852af6f6be64b

SHA256
5b791e25c5cd23a5309d27b360ac730d4a36f3420fc66acde87f8aecc361941c

SHA512
5f941499e9871f43073cc2516a98e5a2cb1a49029e7a1ad6c76fc8bc90a65a816546957b0d21528c866ee85d85dfbcfda00a7e03c5f09a29b9099049bdbb76fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe

Filesize
1015KB

MD5
b59ca9cda2f7e7379f292a799765a491

SHA1
7ac3c060b1fe98f883bd8a72f14b27443cee8c60

SHA256
eeba2235d7495c87156ed3467961e59e2f9873cb4ac0ce713fe5d1aecb305cd3

SHA512
0f096954bc0d7cfacd521cc31957fa0447623c42e6e12569478f133c347089f3de6db7de3ac890d614777e9d166f7fd69464805c736174fd4125ca702446b949

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21220217.exe

Filesize
1015KB

MD5
b59ca9cda2f7e7379f292a799765a491

SHA1
7ac3c060b1fe98f883bd8a72f14b27443cee8c60

SHA256
eeba2235d7495c87156ed3467961e59e2f9873cb4ac0ce713fe5d1aecb305cd3

SHA512
0f096954bc0d7cfacd521cc31957fa0447623c42e6e12569478f133c347089f3de6db7de3ac890d614777e9d166f7fd69464805c736174fd4125ca702446b949

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe

Filesize
844KB

MD5
2cd0e8930ea587cbebdedad6fb5bb4de

SHA1
1a7ef0b1d9263ffe6c0bfdc18c21e4fe4eaef2e8

SHA256
2c82ea598d83f5d40b6298d2c2d2276c08130b51a6a37efe29019e3316b0cea3

SHA512
eb3df082515361bc79a3a867320171c9259c6325ed0bd8ec136c53caa282e483f598ead319fbf411eb08b7e5d5d47bb9311b8a7dfe1b673556247d36eb554ab6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i83116831.exe

Filesize
844KB

MD5
2cd0e8930ea587cbebdedad6fb5bb4de

SHA1
1a7ef0b1d9263ffe6c0bfdc18c21e4fe4eaef2e8

SHA256
2c82ea598d83f5d40b6298d2c2d2276c08130b51a6a37efe29019e3316b0cea3

SHA512
eb3df082515361bc79a3a867320171c9259c6325ed0bd8ec136c53caa282e483f598ead319fbf411eb08b7e5d5d47bb9311b8a7dfe1b673556247d36eb554ab6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe

Filesize
371KB

MD5
aa9094ca97eb29b24d02062c5bf5b33f

SHA1
fee171ab94f21dc5a7b5189266cf529f12cb655c

SHA256
2af8582a05bf0dd5850cad1dd6af2d7012490a3da5507311785bebf8e4e63545

SHA512
805b89938836ad2f1a30ff036375193de9281cffb435acc5dd0d900a8406cf54f7b521cc0b2236c84950a4d1d8e555502f8b13d62162f911454af30e3797b627

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55153703.exe

Filesize
371KB

MD5
aa9094ca97eb29b24d02062c5bf5b33f

SHA1
fee171ab94f21dc5a7b5189266cf529f12cb655c

SHA256
2af8582a05bf0dd5850cad1dd6af2d7012490a3da5507311785bebf8e4e63545

SHA512
805b89938836ad2f1a30ff036375193de9281cffb435acc5dd0d900a8406cf54f7b521cc0b2236c84950a4d1d8e555502f8b13d62162f911454af30e3797b627

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe

Filesize
169KB

MD5
7f2584b4bb84cfbe4faf5e97d0ef3cf0

SHA1
cb3df329707bb03e870e468115e5bc4a84a38c5e

SHA256
865b8cea97b2d3efb400772e056bec368270a5c2733224d3462e5a8fb9f3f4a1

SHA512
75dfc052fcd8c6d8418e24dae0bb22c9700b2db593453261e29f693c488718f654ca02c2ef181603fe3dd64f9ebd3e0cd07157b40a693265099db31177ee4ec7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a02714934.exe

Filesize
169KB

MD5
7f2584b4bb84cfbe4faf5e97d0ef3cf0

SHA1
cb3df329707bb03e870e468115e5bc4a84a38c5e

SHA256
865b8cea97b2d3efb400772e056bec368270a5c2733224d3462e5a8fb9f3f4a1

SHA512
75dfc052fcd8c6d8418e24dae0bb22c9700b2db593453261e29f693c488718f654ca02c2ef181603fe3dd64f9ebd3e0cd07157b40a693265099db31177ee4ec7

Download Submit
memory/776-104-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/776-105-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/776-106-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/776-107-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download