redline | d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13

Analysis

max time kernel
199s
max time network
209s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Size

1.5MB
MD5

5c620c62467a6304f5dd664638b8889f
SHA1

53d2ffa57a32c66a61486822f687c3ebd6ed059b
SHA256

d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13
SHA512

e70b87acf137a1dfbcdfaa4c8a8e939bbd6d876926fb353bac36bfe4515b8571aae3f618a30d545695d088f570cae65b6d21087dc298f18dd97795623f9be7e4
SSDEEP

24576:hyBmWNfcH32aTXhNSPoa8wWiWzcgTa5yNWfG+IgnH3A4XRphjTeFZ/0hSM4KRxi/:UcpHm+RNSAhIfH5yd01pjmZ/grWBJI

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1712	i96809559.exe
1112	i42105692.exe
1472	i05984276.exe
1860	i58353799.exe
1020	a48361062.exe

Loads dropped DLL 10 IoCs

pid	Process
2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
1712	i96809559.exe
1712	i96809559.exe
1112	i42105692.exe
1112	i42105692.exe
1472	i05984276.exe
1472	i05984276.exe
1860	i58353799.exe
1860	i58353799.exe
1020	a48361062.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i58353799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i58353799.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i96809559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i96809559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i05984276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42105692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i42105692.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i05984276.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 2044 wrote to memory of 1712	2044	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	28
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1712 wrote to memory of 1112	1712	i96809559.exe	29
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1112 wrote to memory of 1472	1112	i42105692.exe	30
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1472 wrote to memory of 1860	1472	i05984276.exe	31
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32
PID 1860 wrote to memory of 1020	1860	i58353799.exe	32

C:\Users\Admin\AppData\Local\Temp\d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
"C:\Users\Admin\AppData\Local\Temp\d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
memory/1020-104-0x0000000001030000-0x0000000001060000-memory.dmp

Filesize
192KB

Download
memory/1020-105-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/1020-106-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download
memory/1020-107-0x00000000009A0000-0x00000000009E0000-memory.dmp

Filesize
256KB

Download