redline | a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe
Size

1.5MB
MD5

47576ab06eb7acf3aa0d229561e185b7
SHA1

53db8995585a5f294792ca002b2450cce81e05c5
SHA256

a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f
SHA512

bfefa8e28f872d4511353b12361bca7ef0bed32f6a7fef454f94bd9309d3385fabf447f78fff5de4b174ce77cf2ac990e1867f1ffabbff3160cf2f317092e4ea
SSDEEP

24576:UyqeiGWtcCRbgG2oLKJhJ/4Xvj2u3WFpAb7Tt7y8ygCRkxwEyjRRvu0P4zil:jqhy0bbfKp87KgPtxvdyDuxm

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
852	i04204026.exe
1984	i52498982.exe
1520	i79459453.exe
588	i42004427.exe
1188	a46208552.exe

Loads dropped DLL 10 IoCs

pid	Process
996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe
852	i04204026.exe
852	i04204026.exe
1984	i52498982.exe
1984	i52498982.exe
1520	i79459453.exe
1520	i79459453.exe
588	i42004427.exe
588	i42004427.exe
1188	a46208552.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i79459453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i42004427.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04204026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i04204026.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52498982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i52498982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i79459453.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42004427.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 996 wrote to memory of 852	996	a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe	28
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 852 wrote to memory of 1984	852	i04204026.exe	29
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1984 wrote to memory of 1520	1984	i52498982.exe	30
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 1520 wrote to memory of 588	1520	i79459453.exe	31
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32
PID 588 wrote to memory of 1188	588	i42004427.exe	32

C:\Users\Admin\AppData\Local\Temp\a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe
"C:\Users\Admin\AppData\Local\Temp\a906ad5a35ca48f1fdeb0a139c8213d3db90ebbad552e87f8c1f5c2b4ca7e84f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe

Filesize
1.3MB

MD5
fe8fe1c983ef1100ca69242232e0aac5

SHA1
f1960b441014f8db114417c0b5878bb4d6517307

SHA256
524a5f953744d4c9fa86e3a445e4a5b626d67821f0f3e7cbb34205eaf436aa14

SHA512
59a158efe565d8536305ba806e93daae672d1394667ae04a41ffc4cc008e6ddd63234125c23acd8707ce9a532b0d545c0e6dfc46fe7714c9bb4e2588762059ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe

Filesize
1.3MB

MD5
fe8fe1c983ef1100ca69242232e0aac5

SHA1
f1960b441014f8db114417c0b5878bb4d6517307

SHA256
524a5f953744d4c9fa86e3a445e4a5b626d67821f0f3e7cbb34205eaf436aa14

SHA512
59a158efe565d8536305ba806e93daae672d1394667ae04a41ffc4cc008e6ddd63234125c23acd8707ce9a532b0d545c0e6dfc46fe7714c9bb4e2588762059ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe

Filesize
1016KB

MD5
7509768c5f8729512984aa56a29bb507

SHA1
70431f89f1056454aafe2cfed9435ce22a122d23

SHA256
c44b089ce6bc0ba50a22ae8f899dc06a9a4e55d4e959bcee2244bb28d16715ef

SHA512
a9c220b1ee5f2dc34e89524ddf00f5bda049801928859f51c2dd97713238ff2b3321388caa682dbbee3b1ffb7b3d504372c5196ceb0b33be3e40fb256b97fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe

Filesize
1016KB

MD5
7509768c5f8729512984aa56a29bb507

SHA1
70431f89f1056454aafe2cfed9435ce22a122d23

SHA256
c44b089ce6bc0ba50a22ae8f899dc06a9a4e55d4e959bcee2244bb28d16715ef

SHA512
a9c220b1ee5f2dc34e89524ddf00f5bda049801928859f51c2dd97713238ff2b3321388caa682dbbee3b1ffb7b3d504372c5196ceb0b33be3e40fb256b97fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe

Filesize
844KB

MD5
d2c27ae64d16c56d6cbe510399d8ea4e

SHA1
0d684ad56c1f427731ec33403eb48bcca3343e2f

SHA256
2b4d23031cef78ce9aa5c4097a37651df0420e3568b30029249e9c4b5f9cb9a4

SHA512
1db1d8fcb864cf181285a31d2ab1198c985549e55304153f2600f22ffc95781df65b5c698e99cd749282a6ded1d1e2e927b420c837898b31ff1c2b9b53d65c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe

Filesize
844KB

MD5
d2c27ae64d16c56d6cbe510399d8ea4e

SHA1
0d684ad56c1f427731ec33403eb48bcca3343e2f

SHA256
2b4d23031cef78ce9aa5c4097a37651df0420e3568b30029249e9c4b5f9cb9a4

SHA512
1db1d8fcb864cf181285a31d2ab1198c985549e55304153f2600f22ffc95781df65b5c698e99cd749282a6ded1d1e2e927b420c837898b31ff1c2b9b53d65c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe

Filesize
371KB

MD5
34610e8ef24cb04c258d519d8d76460b

SHA1
0afc71e45ad1e6886fadfbbda971d7c77117814d

SHA256
4a2b88a4b49989d67f79b853a0869232d717e21dfda09861ece9ab636f2bc14a

SHA512
7d46f63724e71e916b9775425ba28e55e66173b51ba2b7cb2d9a1a8df948a827df1e38053e3c2da6155be7761e4673023c3ad832939eae1fbf3657a0fcdcb9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe

Filesize
371KB

MD5
34610e8ef24cb04c258d519d8d76460b

SHA1
0afc71e45ad1e6886fadfbbda971d7c77117814d

SHA256
4a2b88a4b49989d67f79b853a0869232d717e21dfda09861ece9ab636f2bc14a

SHA512
7d46f63724e71e916b9775425ba28e55e66173b51ba2b7cb2d9a1a8df948a827df1e38053e3c2da6155be7761e4673023c3ad832939eae1fbf3657a0fcdcb9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe

Filesize
169KB

MD5
40461652b4942a7077fec25d07e212ad

SHA1
a0de3834182f44290395ba6d0ac01b17b9e622c5

SHA256
84446cb7dddb4525d213bc5d326a27ec00c7a2248dac63f04f132b4316fb3f88

SHA512
de8a67b0f048b5ffdc201302ad6b8de85788a6a9c0c282ef087ba32499223abc8f7ac2baf03b1c8f3b2bc9f07aff0d60c782e0187b21e2cb4779184af26acab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe

Filesize
169KB

MD5
40461652b4942a7077fec25d07e212ad

SHA1
a0de3834182f44290395ba6d0ac01b17b9e622c5

SHA256
84446cb7dddb4525d213bc5d326a27ec00c7a2248dac63f04f132b4316fb3f88

SHA512
de8a67b0f048b5ffdc201302ad6b8de85788a6a9c0c282ef087ba32499223abc8f7ac2baf03b1c8f3b2bc9f07aff0d60c782e0187b21e2cb4779184af26acab8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe

Filesize
1.3MB

MD5
fe8fe1c983ef1100ca69242232e0aac5

SHA1
f1960b441014f8db114417c0b5878bb4d6517307

SHA256
524a5f953744d4c9fa86e3a445e4a5b626d67821f0f3e7cbb34205eaf436aa14

SHA512
59a158efe565d8536305ba806e93daae672d1394667ae04a41ffc4cc008e6ddd63234125c23acd8707ce9a532b0d545c0e6dfc46fe7714c9bb4e2588762059ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04204026.exe

Filesize
1.3MB

MD5
fe8fe1c983ef1100ca69242232e0aac5

SHA1
f1960b441014f8db114417c0b5878bb4d6517307

SHA256
524a5f953744d4c9fa86e3a445e4a5b626d67821f0f3e7cbb34205eaf436aa14

SHA512
59a158efe565d8536305ba806e93daae672d1394667ae04a41ffc4cc008e6ddd63234125c23acd8707ce9a532b0d545c0e6dfc46fe7714c9bb4e2588762059ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe

Filesize
1016KB

MD5
7509768c5f8729512984aa56a29bb507

SHA1
70431f89f1056454aafe2cfed9435ce22a122d23

SHA256
c44b089ce6bc0ba50a22ae8f899dc06a9a4e55d4e959bcee2244bb28d16715ef

SHA512
a9c220b1ee5f2dc34e89524ddf00f5bda049801928859f51c2dd97713238ff2b3321388caa682dbbee3b1ffb7b3d504372c5196ceb0b33be3e40fb256b97fd74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52498982.exe

Filesize
1016KB

MD5
7509768c5f8729512984aa56a29bb507

SHA1
70431f89f1056454aafe2cfed9435ce22a122d23

SHA256
c44b089ce6bc0ba50a22ae8f899dc06a9a4e55d4e959bcee2244bb28d16715ef

SHA512
a9c220b1ee5f2dc34e89524ddf00f5bda049801928859f51c2dd97713238ff2b3321388caa682dbbee3b1ffb7b3d504372c5196ceb0b33be3e40fb256b97fd74

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe

Filesize
844KB

MD5
d2c27ae64d16c56d6cbe510399d8ea4e

SHA1
0d684ad56c1f427731ec33403eb48bcca3343e2f

SHA256
2b4d23031cef78ce9aa5c4097a37651df0420e3568b30029249e9c4b5f9cb9a4

SHA512
1db1d8fcb864cf181285a31d2ab1198c985549e55304153f2600f22ffc95781df65b5c698e99cd749282a6ded1d1e2e927b420c837898b31ff1c2b9b53d65c7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79459453.exe

Filesize
844KB

MD5
d2c27ae64d16c56d6cbe510399d8ea4e

SHA1
0d684ad56c1f427731ec33403eb48bcca3343e2f

SHA256
2b4d23031cef78ce9aa5c4097a37651df0420e3568b30029249e9c4b5f9cb9a4

SHA512
1db1d8fcb864cf181285a31d2ab1198c985549e55304153f2600f22ffc95781df65b5c698e99cd749282a6ded1d1e2e927b420c837898b31ff1c2b9b53d65c7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe

Filesize
371KB

MD5
34610e8ef24cb04c258d519d8d76460b

SHA1
0afc71e45ad1e6886fadfbbda971d7c77117814d

SHA256
4a2b88a4b49989d67f79b853a0869232d717e21dfda09861ece9ab636f2bc14a

SHA512
7d46f63724e71e916b9775425ba28e55e66173b51ba2b7cb2d9a1a8df948a827df1e38053e3c2da6155be7761e4673023c3ad832939eae1fbf3657a0fcdcb9be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42004427.exe

Filesize
371KB

MD5
34610e8ef24cb04c258d519d8d76460b

SHA1
0afc71e45ad1e6886fadfbbda971d7c77117814d

SHA256
4a2b88a4b49989d67f79b853a0869232d717e21dfda09861ece9ab636f2bc14a

SHA512
7d46f63724e71e916b9775425ba28e55e66173b51ba2b7cb2d9a1a8df948a827df1e38053e3c2da6155be7761e4673023c3ad832939eae1fbf3657a0fcdcb9be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe

Filesize
169KB

MD5
40461652b4942a7077fec25d07e212ad

SHA1
a0de3834182f44290395ba6d0ac01b17b9e622c5

SHA256
84446cb7dddb4525d213bc5d326a27ec00c7a2248dac63f04f132b4316fb3f88

SHA512
de8a67b0f048b5ffdc201302ad6b8de85788a6a9c0c282ef087ba32499223abc8f7ac2baf03b1c8f3b2bc9f07aff0d60c782e0187b21e2cb4779184af26acab8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46208552.exe

Filesize
169KB

MD5
40461652b4942a7077fec25d07e212ad

SHA1
a0de3834182f44290395ba6d0ac01b17b9e622c5

SHA256
84446cb7dddb4525d213bc5d326a27ec00c7a2248dac63f04f132b4316fb3f88

SHA512
de8a67b0f048b5ffdc201302ad6b8de85788a6a9c0c282ef087ba32499223abc8f7ac2baf03b1c8f3b2bc9f07aff0d60c782e0187b21e2cb4779184af26acab8

Download Submit
memory/1188-104-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/1188-105-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/1188-106-0x0000000000AE0000-0x0000000000B20000-memory.dmp

Filesize
256KB

Download
memory/1188-107-0x0000000000AE0000-0x0000000000B20000-memory.dmp

Filesize
256KB

Download