redline | ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d

Analysis

max time kernel
133s
max time network
200s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe
Size

1.5MB
MD5

4d67bc14a614e6d466212a226b6175a9
SHA1

eafc58afb278b077b5d6568ef1633be4cb276604
SHA256

ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d
SHA512

b531462a343278e475f2560cb63527bf73624938a2d65cf2afe212cb294ef80ea7cea7a814ee5a38303105ac14846932fe781b59c92537166ff1ee644e230086
SSDEEP

24576:Zyx/F7P3AzW1S8+gcXikQLd1qrpvXWSN/e7wN91I75hPWu1RJzJdu3nhQTb0:MnjAzW1nNGpf7Wsh26uhi3hQT

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1324	i61832551.exe
1336	i88274541.exe
1112	i05212862.exe
1780	i24238341.exe
972	a15217641.exe

Loads dropped DLL 10 IoCs

pid	Process
1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe
1324	i61832551.exe
1324	i61832551.exe
1336	i88274541.exe
1336	i88274541.exe
1112	i05212862.exe
1112	i05212862.exe
1780	i24238341.exe
1780	i24238341.exe
972	a15217641.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i61832551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i61832551.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i88274541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i24238341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i88274541.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i05212862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i05212862.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i24238341.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1724 wrote to memory of 1324	1724	ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe	28
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1324 wrote to memory of 1336	1324	i61832551.exe	29
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1336 wrote to memory of 1112	1336	i88274541.exe	30
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1112 wrote to memory of 1780	1112	i05212862.exe	31
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32
PID 1780 wrote to memory of 972	1780	i24238341.exe	32

C:\Users\Admin\AppData\Local\Temp\ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe
"C:\Users\Admin\AppData\Local\Temp\ac06e74e4d7f7032fb576fed58f7151f31c03ffefc5acdec0f114f5f9059f68d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe

Filesize
1.3MB

MD5
89ed35a70303e2263ebd55753cf7d6e1

SHA1
3bc521a58d05398597ba75e31d8b4b18b6456cce

SHA256
0c01537e075b262e85e0da5026611622f660c28f42f5ea0bf31ce096987e5140

SHA512
cfbaeee743431e4c9c0a03611a10f5a8ec4d2ed423022631c5aad1d7cbdf6bb8bef4954012b1e0ae95e1ea95d2c664b8ef7e6c2f61aea4e724e74735e892bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe

Filesize
1.3MB

MD5
89ed35a70303e2263ebd55753cf7d6e1

SHA1
3bc521a58d05398597ba75e31d8b4b18b6456cce

SHA256
0c01537e075b262e85e0da5026611622f660c28f42f5ea0bf31ce096987e5140

SHA512
cfbaeee743431e4c9c0a03611a10f5a8ec4d2ed423022631c5aad1d7cbdf6bb8bef4954012b1e0ae95e1ea95d2c664b8ef7e6c2f61aea4e724e74735e892bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe

Filesize
1015KB

MD5
b31d6ddb558f29ec91ee145957d0c628

SHA1
4a30947f02c10484efd6aacab08be6355ec66cf6

SHA256
e5f8ea417cf4496abeb75445c3cc2b353f1bb8924d09810c03c85566b6c719ef

SHA512
5a06fedc7e46d9e0d343a8ab0e9696e5ba31dfd519372e19c3d3389018719f55a8416f2075c9d621a792b3dfcf03d54c151aefa1d0fcffa48bd970781b4167d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe

Filesize
1015KB

MD5
b31d6ddb558f29ec91ee145957d0c628

SHA1
4a30947f02c10484efd6aacab08be6355ec66cf6

SHA256
e5f8ea417cf4496abeb75445c3cc2b353f1bb8924d09810c03c85566b6c719ef

SHA512
5a06fedc7e46d9e0d343a8ab0e9696e5ba31dfd519372e19c3d3389018719f55a8416f2075c9d621a792b3dfcf03d54c151aefa1d0fcffa48bd970781b4167d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe

Filesize
843KB

MD5
110a04167e18a91a427c2c240114666f

SHA1
c763afb90fcff6a64143f6ba6e668e0dea51ac73

SHA256
48624c39cf2aefe4180a928e6a173f0b1e40776058ad84e607550ff349931a1f

SHA512
1dbd0d799c80fc2727ce65e12dec5db6026346bfa837f91f4e051f93d10e9737266218bf760e2e40924028dc533059ecabfa2d95d11cd306daecd712ba92088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe

Filesize
843KB

MD5
110a04167e18a91a427c2c240114666f

SHA1
c763afb90fcff6a64143f6ba6e668e0dea51ac73

SHA256
48624c39cf2aefe4180a928e6a173f0b1e40776058ad84e607550ff349931a1f

SHA512
1dbd0d799c80fc2727ce65e12dec5db6026346bfa837f91f4e051f93d10e9737266218bf760e2e40924028dc533059ecabfa2d95d11cd306daecd712ba92088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe

Filesize
371KB

MD5
ef1df4e0395bc59807d81da4c54712b5

SHA1
b95bc4db2fbaf3fd0ab61f20b6597d3629659f10

SHA256
5d6b0167a2e739187e7f6e1606468be06d97c065f601d7d9344cb5b9e37b4b99

SHA512
75463d17ffe36cd3d997808d3b23f3350543c412bcb009bb7dc4b3859db01c6eb278b22e825ef8eeae40b3aa83980f23fb5c491711f1d982754966396aef6e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe

Filesize
371KB

MD5
ef1df4e0395bc59807d81da4c54712b5

SHA1
b95bc4db2fbaf3fd0ab61f20b6597d3629659f10

SHA256
5d6b0167a2e739187e7f6e1606468be06d97c065f601d7d9344cb5b9e37b4b99

SHA512
75463d17ffe36cd3d997808d3b23f3350543c412bcb009bb7dc4b3859db01c6eb278b22e825ef8eeae40b3aa83980f23fb5c491711f1d982754966396aef6e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe

Filesize
169KB

MD5
50bdeb517177874d83c3b6ccb07bb38f

SHA1
5dc6e26a638ab6496309d3f1bec88153f3831ab4

SHA256
6480bf29a6f810708636b8095a835707592f3e4501bda7fc2a965b48121ee08a

SHA512
b2d689b921b43116e95cc3c55bed51b8aa8379c058f3651554ecdd2a79ff923e44919df69ef99e187205a01a7156af364d38bc334d9d53dbd13d5029606e81cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe

Filesize
169KB

MD5
50bdeb517177874d83c3b6ccb07bb38f

SHA1
5dc6e26a638ab6496309d3f1bec88153f3831ab4

SHA256
6480bf29a6f810708636b8095a835707592f3e4501bda7fc2a965b48121ee08a

SHA512
b2d689b921b43116e95cc3c55bed51b8aa8379c058f3651554ecdd2a79ff923e44919df69ef99e187205a01a7156af364d38bc334d9d53dbd13d5029606e81cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe

Filesize
1.3MB

MD5
89ed35a70303e2263ebd55753cf7d6e1

SHA1
3bc521a58d05398597ba75e31d8b4b18b6456cce

SHA256
0c01537e075b262e85e0da5026611622f660c28f42f5ea0bf31ce096987e5140

SHA512
cfbaeee743431e4c9c0a03611a10f5a8ec4d2ed423022631c5aad1d7cbdf6bb8bef4954012b1e0ae95e1ea95d2c664b8ef7e6c2f61aea4e724e74735e892bb25

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61832551.exe

Filesize
1.3MB

MD5
89ed35a70303e2263ebd55753cf7d6e1

SHA1
3bc521a58d05398597ba75e31d8b4b18b6456cce

SHA256
0c01537e075b262e85e0da5026611622f660c28f42f5ea0bf31ce096987e5140

SHA512
cfbaeee743431e4c9c0a03611a10f5a8ec4d2ed423022631c5aad1d7cbdf6bb8bef4954012b1e0ae95e1ea95d2c664b8ef7e6c2f61aea4e724e74735e892bb25

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe

Filesize
1015KB

MD5
b31d6ddb558f29ec91ee145957d0c628

SHA1
4a30947f02c10484efd6aacab08be6355ec66cf6

SHA256
e5f8ea417cf4496abeb75445c3cc2b353f1bb8924d09810c03c85566b6c719ef

SHA512
5a06fedc7e46d9e0d343a8ab0e9696e5ba31dfd519372e19c3d3389018719f55a8416f2075c9d621a792b3dfcf03d54c151aefa1d0fcffa48bd970781b4167d4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i88274541.exe

Filesize
1015KB

MD5
b31d6ddb558f29ec91ee145957d0c628

SHA1
4a30947f02c10484efd6aacab08be6355ec66cf6

SHA256
e5f8ea417cf4496abeb75445c3cc2b353f1bb8924d09810c03c85566b6c719ef

SHA512
5a06fedc7e46d9e0d343a8ab0e9696e5ba31dfd519372e19c3d3389018719f55a8416f2075c9d621a792b3dfcf03d54c151aefa1d0fcffa48bd970781b4167d4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe

Filesize
843KB

MD5
110a04167e18a91a427c2c240114666f

SHA1
c763afb90fcff6a64143f6ba6e668e0dea51ac73

SHA256
48624c39cf2aefe4180a928e6a173f0b1e40776058ad84e607550ff349931a1f

SHA512
1dbd0d799c80fc2727ce65e12dec5db6026346bfa837f91f4e051f93d10e9737266218bf760e2e40924028dc533059ecabfa2d95d11cd306daecd712ba92088c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05212862.exe

Filesize
843KB

MD5
110a04167e18a91a427c2c240114666f

SHA1
c763afb90fcff6a64143f6ba6e668e0dea51ac73

SHA256
48624c39cf2aefe4180a928e6a173f0b1e40776058ad84e607550ff349931a1f

SHA512
1dbd0d799c80fc2727ce65e12dec5db6026346bfa837f91f4e051f93d10e9737266218bf760e2e40924028dc533059ecabfa2d95d11cd306daecd712ba92088c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe

Filesize
371KB

MD5
ef1df4e0395bc59807d81da4c54712b5

SHA1
b95bc4db2fbaf3fd0ab61f20b6597d3629659f10

SHA256
5d6b0167a2e739187e7f6e1606468be06d97c065f601d7d9344cb5b9e37b4b99

SHA512
75463d17ffe36cd3d997808d3b23f3350543c412bcb009bb7dc4b3859db01c6eb278b22e825ef8eeae40b3aa83980f23fb5c491711f1d982754966396aef6e7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24238341.exe

Filesize
371KB

MD5
ef1df4e0395bc59807d81da4c54712b5

SHA1
b95bc4db2fbaf3fd0ab61f20b6597d3629659f10

SHA256
5d6b0167a2e739187e7f6e1606468be06d97c065f601d7d9344cb5b9e37b4b99

SHA512
75463d17ffe36cd3d997808d3b23f3350543c412bcb009bb7dc4b3859db01c6eb278b22e825ef8eeae40b3aa83980f23fb5c491711f1d982754966396aef6e7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe

Filesize
169KB

MD5
50bdeb517177874d83c3b6ccb07bb38f

SHA1
5dc6e26a638ab6496309d3f1bec88153f3831ab4

SHA256
6480bf29a6f810708636b8095a835707592f3e4501bda7fc2a965b48121ee08a

SHA512
b2d689b921b43116e95cc3c55bed51b8aa8379c058f3651554ecdd2a79ff923e44919df69ef99e187205a01a7156af364d38bc334d9d53dbd13d5029606e81cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a15217641.exe

Filesize
169KB

MD5
50bdeb517177874d83c3b6ccb07bb38f

SHA1
5dc6e26a638ab6496309d3f1bec88153f3831ab4

SHA256
6480bf29a6f810708636b8095a835707592f3e4501bda7fc2a965b48121ee08a

SHA512
b2d689b921b43116e95cc3c55bed51b8aa8379c058f3651554ecdd2a79ff923e44919df69ef99e187205a01a7156af364d38bc334d9d53dbd13d5029606e81cb

Download Submit
memory/972-104-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/972-105-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/972-106-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/972-107-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download