redline | 9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
Size

1.5MB
MD5

3db91fe92a84431d50f05a683476924e
SHA1

2422d232d17ae36c372eade0cd8c2eb7660db6bd
SHA256

9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479
SHA512

817e40559190a1dbeb27d723593c345cfb798cb6e2cb5d16eb03c6dfbf3ed77840e29314d8687a7dfe1b8a675fec0ea87974e518291002aa681997c8ae80b3b9
SSDEEP

24576:/ywwKtM+h9o9iZwbkQN7MdFHBULets2t5686TEY11aiQ+BoK9o/8n4yJDPYFp:KwwV+hug2kQCdFHBgeChQG19BJ9o64yK

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2024	i51586027.exe
1296	i93222704.exe
320	i36802728.exe
1728	i83708562.exe
1276	a09079283.exe

Loads dropped DLL 10 IoCs

pid	Process
1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
2024	i51586027.exe
2024	i51586027.exe
1296	i93222704.exe
1296	i93222704.exe
320	i36802728.exe
320	i36802728.exe
1728	i83708562.exe
1728	i83708562.exe
1276	a09079283.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83708562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i83708562.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51586027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i36802728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i51586027.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93222704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i93222704.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36802728.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 1084 wrote to memory of 2024	1084	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	26
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 2024 wrote to memory of 1296	2024	i51586027.exe	27
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 1296 wrote to memory of 320	1296	i93222704.exe	28
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 320 wrote to memory of 1728	320	i36802728.exe	29
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30
PID 1728 wrote to memory of 1276	1728	i83708562.exe	30

C:\Users\Admin\AppData\Local\Temp\9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
"C:\Users\Admin\AppData\Local\Temp\9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
memory/1276-104-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/1276-105-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1276-106-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/1276-107-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download