redline | c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8

Analysis

max time kernel
183s
max time network
197s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe
Size

1.5MB
MD5

e83e1f22263cfc5cc68020e8679ec350
SHA1

cda05c2a0e673559a04e57a87f76820104b59417
SHA256

c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8
SHA512

ed8581b16910432e465f937ddce7c7ca37f7fa77caa0e7bc49c4b2e6262357555b74d1685f8b7ba962657c1382375e2353afae93126c39aba471567b4392c78e
SSDEEP

24576:fyYjob4lkLuPtybLGdYVv3ZdqP3vkU+K5MMMIMD8hQZAyDkZSWUs7pxT+xw:qYfbP4zhZdqPsU+K+FrDJ/RpuP+x

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1932	i85375075.exe
588	i94055168.exe
1936	i57661276.exe
564	i72716165.exe
1800	a03266434.exe

Loads dropped DLL 10 IoCs

pid	Process
928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe
1932	i85375075.exe
1932	i85375075.exe
588	i94055168.exe
588	i94055168.exe
1936	i57661276.exe
1936	i57661276.exe
564	i72716165.exe
564	i72716165.exe
1800	a03266434.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i72716165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i85375075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i85375075.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i94055168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i57661276.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i94055168.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i57661276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i72716165.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 928 wrote to memory of 1932	928	c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe	28
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 1932 wrote to memory of 588	1932	i85375075.exe	29
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 588 wrote to memory of 1936	588	i94055168.exe	30
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 1936 wrote to memory of 564	1936	i57661276.exe	31
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32
PID 564 wrote to memory of 1800	564	i72716165.exe	32

C:\Users\Admin\AppData\Local\Temp\c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe
"C:\Users\Admin\AppData\Local\Temp\c4372a008ed59c20e52211d81cbbe713b578433e29b27f7ada73ede9977c86f8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe

Filesize
1.3MB

MD5
3a77e49606c561f2e32719b7e78609a9

SHA1
c670e86bf729d3a250e83bd1118209e225557a77

SHA256
e220b0b18707d3c0afbeabd6d66b6195889e10ddb38d605b729eb125d1cf5489

SHA512
1b929cc30012f188d2d869e9c32c92298c704eeddb33ecc867f4b09def361007de085bb189056f5d9ef3567f420f5a98e692a5b1a81ec3df63c928becf78a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe

Filesize
1.3MB

MD5
3a77e49606c561f2e32719b7e78609a9

SHA1
c670e86bf729d3a250e83bd1118209e225557a77

SHA256
e220b0b18707d3c0afbeabd6d66b6195889e10ddb38d605b729eb125d1cf5489

SHA512
1b929cc30012f188d2d869e9c32c92298c704eeddb33ecc867f4b09def361007de085bb189056f5d9ef3567f420f5a98e692a5b1a81ec3df63c928becf78a3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe

Filesize
1023KB

MD5
883a09985eb5af646992337148d6fe7a

SHA1
9ccb379e966988f92e4c005b011f94e0f3c50378

SHA256
8fed3ba6345f378bcc69688dd5f0e58c5310a031fac061233b4e06c2156e800f

SHA512
33df08466f75aa57d45836ab07bd84e857c529c1f85a66fbce66bd642250f19a51b14e868b86cdd97cbebf0a42648bff874c801dc72043ebbeb35d3b51f77518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe

Filesize
1023KB

MD5
883a09985eb5af646992337148d6fe7a

SHA1
9ccb379e966988f92e4c005b011f94e0f3c50378

SHA256
8fed3ba6345f378bcc69688dd5f0e58c5310a031fac061233b4e06c2156e800f

SHA512
33df08466f75aa57d45836ab07bd84e857c529c1f85a66fbce66bd642250f19a51b14e868b86cdd97cbebf0a42648bff874c801dc72043ebbeb35d3b51f77518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe

Filesize
852KB

MD5
db2306ada1ac79944d60c4c0f6116daa

SHA1
ef7c4862a32fbbacbcedca3aff3e5a5d3038ed80

SHA256
5cb5438e58ab838649d85c16703362314250570d27992ffdf1231ff4326a4a82

SHA512
60896b4f1c7a9a72868ab79b2e71932d1d9949d42bd957b7b707943a0e6ca715f9977ad37f416309d374b053b41b32b27b4834eb44dbcd9c9435cad1c967139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe

Filesize
852KB

MD5
db2306ada1ac79944d60c4c0f6116daa

SHA1
ef7c4862a32fbbacbcedca3aff3e5a5d3038ed80

SHA256
5cb5438e58ab838649d85c16703362314250570d27992ffdf1231ff4326a4a82

SHA512
60896b4f1c7a9a72868ab79b2e71932d1d9949d42bd957b7b707943a0e6ca715f9977ad37f416309d374b053b41b32b27b4834eb44dbcd9c9435cad1c967139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe

Filesize
375KB

MD5
e858ae6c269fcf03e5bddb2cd2e2ea1d

SHA1
8ddfc158634cc8fd2a04a835e95d1592b10fb0ea

SHA256
f9fce693b1a4602f7644859bf3e22feaa8d1652b7e25775eca04f223832a160d

SHA512
9db1144a79e89876a1879526a3b6209ca83850e79ce0e6ba67637daa0cfba0a743bc82ed69c44781e05aabd9541c1f2cb87d746a18af71b881b7766a68f5d457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe

Filesize
375KB

MD5
e858ae6c269fcf03e5bddb2cd2e2ea1d

SHA1
8ddfc158634cc8fd2a04a835e95d1592b10fb0ea

SHA256
f9fce693b1a4602f7644859bf3e22feaa8d1652b7e25775eca04f223832a160d

SHA512
9db1144a79e89876a1879526a3b6209ca83850e79ce0e6ba67637daa0cfba0a743bc82ed69c44781e05aabd9541c1f2cb87d746a18af71b881b7766a68f5d457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe

Filesize
169KB

MD5
75d2e8af96b32d0b12a337e2011dc9bb

SHA1
fd147e771ab0b339087256efeb832b4769f2906a

SHA256
16a536a9ef512ab417387fc158944d5a9acc8e1905845063b85838deaddd55e1

SHA512
e56492879d6fe04134df8ca00a59e315359f4d26e58781810a41447c4a36c187f56a36c3ab91ff7ee47573a451fca201a1b5b6d6dde2cd630d0fb54b3d64e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe

Filesize
169KB

MD5
75d2e8af96b32d0b12a337e2011dc9bb

SHA1
fd147e771ab0b339087256efeb832b4769f2906a

SHA256
16a536a9ef512ab417387fc158944d5a9acc8e1905845063b85838deaddd55e1

SHA512
e56492879d6fe04134df8ca00a59e315359f4d26e58781810a41447c4a36c187f56a36c3ab91ff7ee47573a451fca201a1b5b6d6dde2cd630d0fb54b3d64e2dc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe

Filesize
1.3MB

MD5
3a77e49606c561f2e32719b7e78609a9

SHA1
c670e86bf729d3a250e83bd1118209e225557a77

SHA256
e220b0b18707d3c0afbeabd6d66b6195889e10ddb38d605b729eb125d1cf5489

SHA512
1b929cc30012f188d2d869e9c32c92298c704eeddb33ecc867f4b09def361007de085bb189056f5d9ef3567f420f5a98e692a5b1a81ec3df63c928becf78a3c5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i85375075.exe

Filesize
1.3MB

MD5
3a77e49606c561f2e32719b7e78609a9

SHA1
c670e86bf729d3a250e83bd1118209e225557a77

SHA256
e220b0b18707d3c0afbeabd6d66b6195889e10ddb38d605b729eb125d1cf5489

SHA512
1b929cc30012f188d2d869e9c32c92298c704eeddb33ecc867f4b09def361007de085bb189056f5d9ef3567f420f5a98e692a5b1a81ec3df63c928becf78a3c5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe

Filesize
1023KB

MD5
883a09985eb5af646992337148d6fe7a

SHA1
9ccb379e966988f92e4c005b011f94e0f3c50378

SHA256
8fed3ba6345f378bcc69688dd5f0e58c5310a031fac061233b4e06c2156e800f

SHA512
33df08466f75aa57d45836ab07bd84e857c529c1f85a66fbce66bd642250f19a51b14e868b86cdd97cbebf0a42648bff874c801dc72043ebbeb35d3b51f77518

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i94055168.exe

Filesize
1023KB

MD5
883a09985eb5af646992337148d6fe7a

SHA1
9ccb379e966988f92e4c005b011f94e0f3c50378

SHA256
8fed3ba6345f378bcc69688dd5f0e58c5310a031fac061233b4e06c2156e800f

SHA512
33df08466f75aa57d45836ab07bd84e857c529c1f85a66fbce66bd642250f19a51b14e868b86cdd97cbebf0a42648bff874c801dc72043ebbeb35d3b51f77518

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe

Filesize
852KB

MD5
db2306ada1ac79944d60c4c0f6116daa

SHA1
ef7c4862a32fbbacbcedca3aff3e5a5d3038ed80

SHA256
5cb5438e58ab838649d85c16703362314250570d27992ffdf1231ff4326a4a82

SHA512
60896b4f1c7a9a72868ab79b2e71932d1d9949d42bd957b7b707943a0e6ca715f9977ad37f416309d374b053b41b32b27b4834eb44dbcd9c9435cad1c967139d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57661276.exe

Filesize
852KB

MD5
db2306ada1ac79944d60c4c0f6116daa

SHA1
ef7c4862a32fbbacbcedca3aff3e5a5d3038ed80

SHA256
5cb5438e58ab838649d85c16703362314250570d27992ffdf1231ff4326a4a82

SHA512
60896b4f1c7a9a72868ab79b2e71932d1d9949d42bd957b7b707943a0e6ca715f9977ad37f416309d374b053b41b32b27b4834eb44dbcd9c9435cad1c967139d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe

Filesize
375KB

MD5
e858ae6c269fcf03e5bddb2cd2e2ea1d

SHA1
8ddfc158634cc8fd2a04a835e95d1592b10fb0ea

SHA256
f9fce693b1a4602f7644859bf3e22feaa8d1652b7e25775eca04f223832a160d

SHA512
9db1144a79e89876a1879526a3b6209ca83850e79ce0e6ba67637daa0cfba0a743bc82ed69c44781e05aabd9541c1f2cb87d746a18af71b881b7766a68f5d457

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i72716165.exe

Filesize
375KB

MD5
e858ae6c269fcf03e5bddb2cd2e2ea1d

SHA1
8ddfc158634cc8fd2a04a835e95d1592b10fb0ea

SHA256
f9fce693b1a4602f7644859bf3e22feaa8d1652b7e25775eca04f223832a160d

SHA512
9db1144a79e89876a1879526a3b6209ca83850e79ce0e6ba67637daa0cfba0a743bc82ed69c44781e05aabd9541c1f2cb87d746a18af71b881b7766a68f5d457

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe

Filesize
169KB

MD5
75d2e8af96b32d0b12a337e2011dc9bb

SHA1
fd147e771ab0b339087256efeb832b4769f2906a

SHA256
16a536a9ef512ab417387fc158944d5a9acc8e1905845063b85838deaddd55e1

SHA512
e56492879d6fe04134df8ca00a59e315359f4d26e58781810a41447c4a36c187f56a36c3ab91ff7ee47573a451fca201a1b5b6d6dde2cd630d0fb54b3d64e2dc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03266434.exe

Filesize
169KB

MD5
75d2e8af96b32d0b12a337e2011dc9bb

SHA1
fd147e771ab0b339087256efeb832b4769f2906a

SHA256
16a536a9ef512ab417387fc158944d5a9acc8e1905845063b85838deaddd55e1

SHA512
e56492879d6fe04134df8ca00a59e315359f4d26e58781810a41447c4a36c187f56a36c3ab91ff7ee47573a451fca201a1b5b6d6dde2cd630d0fb54b3d64e2dc

Download Submit
memory/1800-104-0x00000000011B0000-0x00000000011E0000-memory.dmp

Filesize
192KB

Download
memory/1800-105-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1800-106-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1800-107-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download