redline | efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198

Analysis

max time kernel
144s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe
Size

1.5MB
MD5

0076766c64bff210aa98e43af4073966
SHA1

38be8045aea63c88d892fea04917e7d83cbfd8ae
SHA256

efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198
SHA512

652b0028a8d54e24c846a96a7e7451771b6f91c2f9438815563f5e004cb624a138d4ef722d7a3974ca3a2df345959c2523eef33a43968fd4812bf5aa7ede8001
SSDEEP

24576:vyRl5KOW+iZDMUf6ur00y0VQgHFLO5RZqKj7QxIgpT2svF:6r570loCd4scQxH8

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1064	i24768498.exe
660	i68781705.exe
1124	i42287997.exe
612	i33535377.exe
1152	a40107888.exe

Loads dropped DLL 10 IoCs

pid	Process
840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe
1064	i24768498.exe
1064	i24768498.exe
660	i68781705.exe
660	i68781705.exe
1124	i42287997.exe
1124	i42287997.exe
612	i33535377.exe
612	i33535377.exe
1152	a40107888.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i68781705.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42287997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i42287997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i33535377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i24768498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i24768498.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i68781705.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33535377.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 840 wrote to memory of 1064	840	efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe	26
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 1064 wrote to memory of 660	1064	i24768498.exe	27
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 660 wrote to memory of 1124	660	i68781705.exe	28
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 1124 wrote to memory of 612	1124	i42287997.exe	29
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30
PID 612 wrote to memory of 1152	612	i33535377.exe	30

C:\Users\Admin\AppData\Local\Temp\efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe
"C:\Users\Admin\AppData\Local\Temp\efb949fe8d661a9bb981b6946983d63bd5b0b58d8c284f3792a5bd9551eb7198.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:612
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe

Filesize
1.3MB

MD5
b024d3e8d5efc6fb9360c06baaab0a23

SHA1
3bb1fdcbbf8e245fb4518b0a99f609d95dfac919

SHA256
24709d813be091b0615f6caa63bd1868b4e00aea11ab590ec191a5e967c0e228

SHA512
ca09ff913c46ad3c2626364ec60ddd9be7ff1085809a5905be2d6d545c77d875f173c00c263118ce1979e051ad9dedfff13c8dc56e660a11282383a1ed7b0c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe

Filesize
1.3MB

MD5
b024d3e8d5efc6fb9360c06baaab0a23

SHA1
3bb1fdcbbf8e245fb4518b0a99f609d95dfac919

SHA256
24709d813be091b0615f6caa63bd1868b4e00aea11ab590ec191a5e967c0e228

SHA512
ca09ff913c46ad3c2626364ec60ddd9be7ff1085809a5905be2d6d545c77d875f173c00c263118ce1979e051ad9dedfff13c8dc56e660a11282383a1ed7b0c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe

Filesize
1016KB

MD5
6f55fa007dac20d2225248b9a2e26a47

SHA1
72541ced5e88d7c6051608c08b8748143912d4d9

SHA256
7d905f9ba6a434e27d988641766722b48eb4180ed61ba521c83ea253987e4848

SHA512
824a4d891275fa34fde55588f1ca458e12ea858a986ba2cefc18a04c4c682a1288c55e35a3d42a60440e0029de96196e4a9f836c2f087ab250a9456d553dc1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe

Filesize
1016KB

MD5
6f55fa007dac20d2225248b9a2e26a47

SHA1
72541ced5e88d7c6051608c08b8748143912d4d9

SHA256
7d905f9ba6a434e27d988641766722b48eb4180ed61ba521c83ea253987e4848

SHA512
824a4d891275fa34fde55588f1ca458e12ea858a986ba2cefc18a04c4c682a1288c55e35a3d42a60440e0029de96196e4a9f836c2f087ab250a9456d553dc1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe

Filesize
844KB

MD5
2f7e148a78dcaf7c2859ef9c96d7bb24

SHA1
6f51145b25004b0be19e39a69de216aa7bff0452

SHA256
3e4213801406e662525d58edcc2d6566a36c02f709eed35a22390444dea5e327

SHA512
ce3c0d4b8ce0ae7d8d408cab4c7ef362e4d96d110a94a08e59af3e8670ba78dbcf0efe0e99c74c31335ee7b8444cb8157dc3cdd7917fad1b21086351b693387f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe

Filesize
844KB

MD5
2f7e148a78dcaf7c2859ef9c96d7bb24

SHA1
6f51145b25004b0be19e39a69de216aa7bff0452

SHA256
3e4213801406e662525d58edcc2d6566a36c02f709eed35a22390444dea5e327

SHA512
ce3c0d4b8ce0ae7d8d408cab4c7ef362e4d96d110a94a08e59af3e8670ba78dbcf0efe0e99c74c31335ee7b8444cb8157dc3cdd7917fad1b21086351b693387f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe

Filesize
371KB

MD5
efacd0ea329a4cef031e9a0192a863b1

SHA1
4dcbc6f52c548ce09733462d2280ce5858b1edbf

SHA256
2b0771e6d4ef00358818f0e2c984ad3f3b383aa149ae6b14358c0bffe1b03cda

SHA512
9dd9d2ddd832ee68f4cb94cba5ef425afb9b1837a2b395f2bbc373a4439a111a09d20d668f1dc0b49de3f7ae901ab682c3f60f598f220f83093da3341ee5b220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe

Filesize
371KB

MD5
efacd0ea329a4cef031e9a0192a863b1

SHA1
4dcbc6f52c548ce09733462d2280ce5858b1edbf

SHA256
2b0771e6d4ef00358818f0e2c984ad3f3b383aa149ae6b14358c0bffe1b03cda

SHA512
9dd9d2ddd832ee68f4cb94cba5ef425afb9b1837a2b395f2bbc373a4439a111a09d20d668f1dc0b49de3f7ae901ab682c3f60f598f220f83093da3341ee5b220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe

Filesize
169KB

MD5
63e4473e028518c2b1f5d9465f6e2cbd

SHA1
65c859b672c6f2e4f1554514401aa0272fffd131

SHA256
ef6c438d2065641c5e39058ce283849fc1256c0a8d4cd1ffde5826d3a86a0275

SHA512
36cf0cd58c5b20296136ed4a601ff646758fbfa28bf8a55b6c2703acf51a76ee8b59f83b6ec5512a05c57495a15f0e419d1993f374b167cdfa57a54f96543499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe

Filesize
169KB

MD5
63e4473e028518c2b1f5d9465f6e2cbd

SHA1
65c859b672c6f2e4f1554514401aa0272fffd131

SHA256
ef6c438d2065641c5e39058ce283849fc1256c0a8d4cd1ffde5826d3a86a0275

SHA512
36cf0cd58c5b20296136ed4a601ff646758fbfa28bf8a55b6c2703acf51a76ee8b59f83b6ec5512a05c57495a15f0e419d1993f374b167cdfa57a54f96543499

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe

Filesize
1.3MB

MD5
b024d3e8d5efc6fb9360c06baaab0a23

SHA1
3bb1fdcbbf8e245fb4518b0a99f609d95dfac919

SHA256
24709d813be091b0615f6caa63bd1868b4e00aea11ab590ec191a5e967c0e228

SHA512
ca09ff913c46ad3c2626364ec60ddd9be7ff1085809a5905be2d6d545c77d875f173c00c263118ce1979e051ad9dedfff13c8dc56e660a11282383a1ed7b0c18

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24768498.exe

Filesize
1.3MB

MD5
b024d3e8d5efc6fb9360c06baaab0a23

SHA1
3bb1fdcbbf8e245fb4518b0a99f609d95dfac919

SHA256
24709d813be091b0615f6caa63bd1868b4e00aea11ab590ec191a5e967c0e228

SHA512
ca09ff913c46ad3c2626364ec60ddd9be7ff1085809a5905be2d6d545c77d875f173c00c263118ce1979e051ad9dedfff13c8dc56e660a11282383a1ed7b0c18

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe

Filesize
1016KB

MD5
6f55fa007dac20d2225248b9a2e26a47

SHA1
72541ced5e88d7c6051608c08b8748143912d4d9

SHA256
7d905f9ba6a434e27d988641766722b48eb4180ed61ba521c83ea253987e4848

SHA512
824a4d891275fa34fde55588f1ca458e12ea858a986ba2cefc18a04c4c682a1288c55e35a3d42a60440e0029de96196e4a9f836c2f087ab250a9456d553dc1b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i68781705.exe

Filesize
1016KB

MD5
6f55fa007dac20d2225248b9a2e26a47

SHA1
72541ced5e88d7c6051608c08b8748143912d4d9

SHA256
7d905f9ba6a434e27d988641766722b48eb4180ed61ba521c83ea253987e4848

SHA512
824a4d891275fa34fde55588f1ca458e12ea858a986ba2cefc18a04c4c682a1288c55e35a3d42a60440e0029de96196e4a9f836c2f087ab250a9456d553dc1b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe

Filesize
844KB

MD5
2f7e148a78dcaf7c2859ef9c96d7bb24

SHA1
6f51145b25004b0be19e39a69de216aa7bff0452

SHA256
3e4213801406e662525d58edcc2d6566a36c02f709eed35a22390444dea5e327

SHA512
ce3c0d4b8ce0ae7d8d408cab4c7ef362e4d96d110a94a08e59af3e8670ba78dbcf0efe0e99c74c31335ee7b8444cb8157dc3cdd7917fad1b21086351b693387f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42287997.exe

Filesize
844KB

MD5
2f7e148a78dcaf7c2859ef9c96d7bb24

SHA1
6f51145b25004b0be19e39a69de216aa7bff0452

SHA256
3e4213801406e662525d58edcc2d6566a36c02f709eed35a22390444dea5e327

SHA512
ce3c0d4b8ce0ae7d8d408cab4c7ef362e4d96d110a94a08e59af3e8670ba78dbcf0efe0e99c74c31335ee7b8444cb8157dc3cdd7917fad1b21086351b693387f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe

Filesize
371KB

MD5
efacd0ea329a4cef031e9a0192a863b1

SHA1
4dcbc6f52c548ce09733462d2280ce5858b1edbf

SHA256
2b0771e6d4ef00358818f0e2c984ad3f3b383aa149ae6b14358c0bffe1b03cda

SHA512
9dd9d2ddd832ee68f4cb94cba5ef425afb9b1837a2b395f2bbc373a4439a111a09d20d668f1dc0b49de3f7ae901ab682c3f60f598f220f83093da3341ee5b220

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33535377.exe

Filesize
371KB

MD5
efacd0ea329a4cef031e9a0192a863b1

SHA1
4dcbc6f52c548ce09733462d2280ce5858b1edbf

SHA256
2b0771e6d4ef00358818f0e2c984ad3f3b383aa149ae6b14358c0bffe1b03cda

SHA512
9dd9d2ddd832ee68f4cb94cba5ef425afb9b1837a2b395f2bbc373a4439a111a09d20d668f1dc0b49de3f7ae901ab682c3f60f598f220f83093da3341ee5b220

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe

Filesize
169KB

MD5
63e4473e028518c2b1f5d9465f6e2cbd

SHA1
65c859b672c6f2e4f1554514401aa0272fffd131

SHA256
ef6c438d2065641c5e39058ce283849fc1256c0a8d4cd1ffde5826d3a86a0275

SHA512
36cf0cd58c5b20296136ed4a601ff646758fbfa28bf8a55b6c2703acf51a76ee8b59f83b6ec5512a05c57495a15f0e419d1993f374b167cdfa57a54f96543499

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40107888.exe

Filesize
169KB

MD5
63e4473e028518c2b1f5d9465f6e2cbd

SHA1
65c859b672c6f2e4f1554514401aa0272fffd131

SHA256
ef6c438d2065641c5e39058ce283849fc1256c0a8d4cd1ffde5826d3a86a0275

SHA512
36cf0cd58c5b20296136ed4a601ff646758fbfa28bf8a55b6c2703acf51a76ee8b59f83b6ec5512a05c57495a15f0e419d1993f374b167cdfa57a54f96543499

Download Submit
memory/1152-104-0x0000000001250000-0x0000000001280000-memory.dmp

Filesize
192KB

Download
memory/1152-105-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1152-106-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download