redline | a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9

Analysis

max time kernel
215s
max time network
292s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe
Size

1.5MB
MD5

5be18b943786c0e30c09ef436c3961fc
SHA1

8b0792d700fee090c1a063b426599adbb9947597
SHA256

a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9
SHA512

4d072cdaccdfd18876eef923b775d946be0dc6e43b82e9c27ddd4bcbe897a2b7a872ee82d0f82c86e1a064e2e5d26a11ee19107bb4b480176eb250b4440d98e2
SSDEEP

24576:ey0Z0qiaFAYjQmF6XkI6vAm4cRVxcw6/8OEShWO7/re6C2LeIE01J4+OlNyUAfqf:t1PaX0BXkIclxuuWzzxhSIHJDOKjvId

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1196	i27748743.exe
588	i93134864.exe
992	i92833265.exe
568	i21015123.exe
1532	a87792524.exe

Loads dropped DLL 10 IoCs

pid	Process
1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe
1196	i27748743.exe
1196	i27748743.exe
588	i93134864.exe
588	i93134864.exe
992	i92833265.exe
992	i92833265.exe
568	i21015123.exe
568	i21015123.exe
1532	a87792524.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i92833265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i92833265.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21015123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i21015123.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93134864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i93134864.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i27748743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i27748743.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1404 wrote to memory of 1196	1404	a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe	28
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 1196 wrote to memory of 588	1196	i27748743.exe	29
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 588 wrote to memory of 992	588	i93134864.exe	30
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 992 wrote to memory of 568	992	i92833265.exe	31
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32
PID 568 wrote to memory of 1532	568	i21015123.exe	32

C:\Users\Admin\AppData\Local\Temp\a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe
"C:\Users\Admin\AppData\Local\Temp\a5ad13a803f6b881c8a2c7fffbbebe85ac7f5aca90f9a9e1e4e2744295cf10a9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe

Filesize
1.3MB

MD5
b0c5ba42f76b309c0c35ff8f2b53c561

SHA1
b7df58262f112f36fa938c10357d3c8fe99ee0aa

SHA256
4759afe31b17679c448287175e70c1cb90b24a840c2419408bfe8551b1c82cca

SHA512
c23e41d8c56471d150b61ffc7312e276c1ee906920f2f40dc333076bedc66eb6a3f279c5dac21f95fa407bc0aee956fb73fbff811d206491ee38562909b05097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe

Filesize
1.3MB

MD5
b0c5ba42f76b309c0c35ff8f2b53c561

SHA1
b7df58262f112f36fa938c10357d3c8fe99ee0aa

SHA256
4759afe31b17679c448287175e70c1cb90b24a840c2419408bfe8551b1c82cca

SHA512
c23e41d8c56471d150b61ffc7312e276c1ee906920f2f40dc333076bedc66eb6a3f279c5dac21f95fa407bc0aee956fb73fbff811d206491ee38562909b05097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe

Filesize
1015KB

MD5
a59619d3324427976d02eebdc6696032

SHA1
c0ae4610819c5b91bddfc2dcf817ad393005277b

SHA256
9842de9a89a3291519bbf2e1f81321c1e0a4a3723f32e06a5010077871a31da2

SHA512
32d4483861ea223d48b3695f76a99cdf134f068c3c1e899e5ae614d905aae956f9d2c233b6d87fbc3fb9b649c3726643837fc404dac94a9ea7847f161e9085f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe

Filesize
1015KB

MD5
a59619d3324427976d02eebdc6696032

SHA1
c0ae4610819c5b91bddfc2dcf817ad393005277b

SHA256
9842de9a89a3291519bbf2e1f81321c1e0a4a3723f32e06a5010077871a31da2

SHA512
32d4483861ea223d48b3695f76a99cdf134f068c3c1e899e5ae614d905aae956f9d2c233b6d87fbc3fb9b649c3726643837fc404dac94a9ea7847f161e9085f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe

Filesize
843KB

MD5
6190385a3f9ee7301072b9cc215c1258

SHA1
e50b73e954edd3d698797b04d3dff28f5335544f

SHA256
d91d7a0be6514b3f972971ed9bec02f7bd75075a1424b77c75e5a4f0778b6029

SHA512
2ef020f3f0beba24e7b11c712b2a8e117596e948c67db813433704894cad7fb90e94cfabed5958a08f21fa1810e5f35b8ad6aba847301be37a4938c162b6343c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe

Filesize
843KB

MD5
6190385a3f9ee7301072b9cc215c1258

SHA1
e50b73e954edd3d698797b04d3dff28f5335544f

SHA256
d91d7a0be6514b3f972971ed9bec02f7bd75075a1424b77c75e5a4f0778b6029

SHA512
2ef020f3f0beba24e7b11c712b2a8e117596e948c67db813433704894cad7fb90e94cfabed5958a08f21fa1810e5f35b8ad6aba847301be37a4938c162b6343c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe

Filesize
371KB

MD5
0a6ab64dd172ce61c4b6c47e6e075868

SHA1
2a6140bffeba5df5cb725c0876d1db07efb11f9c

SHA256
1a1c46e732773eb3a972db081e0e9644a2039d11cfbd2df5ea4d95b21b2a17ed

SHA512
2bcb91f46f76703b8b914d440d153aa6656f91fbbfd20e04516660bfbebefc9e0e6c11384fa59654bd925ecabe027848b5c512ed88d7cdaecbd5252df74ae5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe

Filesize
371KB

MD5
0a6ab64dd172ce61c4b6c47e6e075868

SHA1
2a6140bffeba5df5cb725c0876d1db07efb11f9c

SHA256
1a1c46e732773eb3a972db081e0e9644a2039d11cfbd2df5ea4d95b21b2a17ed

SHA512
2bcb91f46f76703b8b914d440d153aa6656f91fbbfd20e04516660bfbebefc9e0e6c11384fa59654bd925ecabe027848b5c512ed88d7cdaecbd5252df74ae5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe

Filesize
169KB

MD5
64d0a6ba290afc276468d1ef2268213a

SHA1
734b55d7aecb5e7939fc7f787d4137a907e6870b

SHA256
8717fa269a3bc44c018ca6ba1554421ae0b69c2479b860872fc9934ea041694d

SHA512
28715091898f855df25e240bf885679ec9ed17e9cb90f9547c798df65f138425aadb1ca44b030c8813b87f17d5d284e45bf30e4e5faab9f38d3d01d11a633dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe

Filesize
169KB

MD5
64d0a6ba290afc276468d1ef2268213a

SHA1
734b55d7aecb5e7939fc7f787d4137a907e6870b

SHA256
8717fa269a3bc44c018ca6ba1554421ae0b69c2479b860872fc9934ea041694d

SHA512
28715091898f855df25e240bf885679ec9ed17e9cb90f9547c798df65f138425aadb1ca44b030c8813b87f17d5d284e45bf30e4e5faab9f38d3d01d11a633dd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe

Filesize
1.3MB

MD5
b0c5ba42f76b309c0c35ff8f2b53c561

SHA1
b7df58262f112f36fa938c10357d3c8fe99ee0aa

SHA256
4759afe31b17679c448287175e70c1cb90b24a840c2419408bfe8551b1c82cca

SHA512
c23e41d8c56471d150b61ffc7312e276c1ee906920f2f40dc333076bedc66eb6a3f279c5dac21f95fa407bc0aee956fb73fbff811d206491ee38562909b05097

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27748743.exe

Filesize
1.3MB

MD5
b0c5ba42f76b309c0c35ff8f2b53c561

SHA1
b7df58262f112f36fa938c10357d3c8fe99ee0aa

SHA256
4759afe31b17679c448287175e70c1cb90b24a840c2419408bfe8551b1c82cca

SHA512
c23e41d8c56471d150b61ffc7312e276c1ee906920f2f40dc333076bedc66eb6a3f279c5dac21f95fa407bc0aee956fb73fbff811d206491ee38562909b05097

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe

Filesize
1015KB

MD5
a59619d3324427976d02eebdc6696032

SHA1
c0ae4610819c5b91bddfc2dcf817ad393005277b

SHA256
9842de9a89a3291519bbf2e1f81321c1e0a4a3723f32e06a5010077871a31da2

SHA512
32d4483861ea223d48b3695f76a99cdf134f068c3c1e899e5ae614d905aae956f9d2c233b6d87fbc3fb9b649c3726643837fc404dac94a9ea7847f161e9085f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93134864.exe

Filesize
1015KB

MD5
a59619d3324427976d02eebdc6696032

SHA1
c0ae4610819c5b91bddfc2dcf817ad393005277b

SHA256
9842de9a89a3291519bbf2e1f81321c1e0a4a3723f32e06a5010077871a31da2

SHA512
32d4483861ea223d48b3695f76a99cdf134f068c3c1e899e5ae614d905aae956f9d2c233b6d87fbc3fb9b649c3726643837fc404dac94a9ea7847f161e9085f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe

Filesize
843KB

MD5
6190385a3f9ee7301072b9cc215c1258

SHA1
e50b73e954edd3d698797b04d3dff28f5335544f

SHA256
d91d7a0be6514b3f972971ed9bec02f7bd75075a1424b77c75e5a4f0778b6029

SHA512
2ef020f3f0beba24e7b11c712b2a8e117596e948c67db813433704894cad7fb90e94cfabed5958a08f21fa1810e5f35b8ad6aba847301be37a4938c162b6343c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i92833265.exe

Filesize
843KB

MD5
6190385a3f9ee7301072b9cc215c1258

SHA1
e50b73e954edd3d698797b04d3dff28f5335544f

SHA256
d91d7a0be6514b3f972971ed9bec02f7bd75075a1424b77c75e5a4f0778b6029

SHA512
2ef020f3f0beba24e7b11c712b2a8e117596e948c67db813433704894cad7fb90e94cfabed5958a08f21fa1810e5f35b8ad6aba847301be37a4938c162b6343c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe

Filesize
371KB

MD5
0a6ab64dd172ce61c4b6c47e6e075868

SHA1
2a6140bffeba5df5cb725c0876d1db07efb11f9c

SHA256
1a1c46e732773eb3a972db081e0e9644a2039d11cfbd2df5ea4d95b21b2a17ed

SHA512
2bcb91f46f76703b8b914d440d153aa6656f91fbbfd20e04516660bfbebefc9e0e6c11384fa59654bd925ecabe027848b5c512ed88d7cdaecbd5252df74ae5d0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21015123.exe

Filesize
371KB

MD5
0a6ab64dd172ce61c4b6c47e6e075868

SHA1
2a6140bffeba5df5cb725c0876d1db07efb11f9c

SHA256
1a1c46e732773eb3a972db081e0e9644a2039d11cfbd2df5ea4d95b21b2a17ed

SHA512
2bcb91f46f76703b8b914d440d153aa6656f91fbbfd20e04516660bfbebefc9e0e6c11384fa59654bd925ecabe027848b5c512ed88d7cdaecbd5252df74ae5d0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe

Filesize
169KB

MD5
64d0a6ba290afc276468d1ef2268213a

SHA1
734b55d7aecb5e7939fc7f787d4137a907e6870b

SHA256
8717fa269a3bc44c018ca6ba1554421ae0b69c2479b860872fc9934ea041694d

SHA512
28715091898f855df25e240bf885679ec9ed17e9cb90f9547c798df65f138425aadb1ca44b030c8813b87f17d5d284e45bf30e4e5faab9f38d3d01d11a633dd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87792524.exe

Filesize
169KB

MD5
64d0a6ba290afc276468d1ef2268213a

SHA1
734b55d7aecb5e7939fc7f787d4137a907e6870b

SHA256
8717fa269a3bc44c018ca6ba1554421ae0b69c2479b860872fc9934ea041694d

SHA512
28715091898f855df25e240bf885679ec9ed17e9cb90f9547c798df65f138425aadb1ca44b030c8813b87f17d5d284e45bf30e4e5faab9f38d3d01d11a633dd1

Download Submit
memory/1532-104-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/1532-105-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/1532-106-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/1532-107-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download