redline | d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468

Analysis

max time kernel
179s
max time network
194s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe
Size

1.5MB
MD5

e4c512e9415e96b61a925603f20db3ff
SHA1

723567b3fe09c78e9fe75f4257d7c85449b49356
SHA256

d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468
SHA512

97647bffcf251bb5ab7a9b22a244249481e53f9872899e629db93dcc0a4ba033396ea9f257dbbe3edfe3638839f6f8c82f09aaf84b53d503e55378c80d4e914e
SSDEEP

24576:5yvzZzA7zRqAYEV89K2T46QgxDv67b1/BL2dDUUIKKjv46AgLigBgFh:svzmQrtT4fpgSUVI4II

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1972	i45024922.exe
1876	i99377424.exe
2024	i09317342.exe
1724	i34210955.exe
1656	a32127787.exe

Loads dropped DLL 10 IoCs

pid	Process
1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe
1972	i45024922.exe
1972	i45024922.exe
1876	i99377424.exe
1876	i99377424.exe
2024	i09317342.exe
2024	i09317342.exe
1724	i34210955.exe
1724	i34210955.exe
1656	a32127787.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i45024922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i45024922.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i99377424.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i09317342.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i34210955.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i99377424.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i09317342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i34210955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1976 wrote to memory of 1972	1976	d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe	28
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1972 wrote to memory of 1876	1972	i45024922.exe	29
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 1876 wrote to memory of 2024	1876	i99377424.exe	30
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 2024 wrote to memory of 1724	2024	i09317342.exe	31
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32
PID 1724 wrote to memory of 1656	1724	i34210955.exe	32

C:\Users\Admin\AppData\Local\Temp\d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe
"C:\Users\Admin\AppData\Local\Temp\d7d12b7435166a11cd263c0656e552567a1c4288aed11268ee7827df9ba91468.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe

Filesize
1.3MB

MD5
acf8c99ac278f00f2b7ac09cb624c34b

SHA1
51b2587bfab5f85247cdf8dec648da2fea120f62

SHA256
9137995c53dd921a7241c1484ed8ec62103aa430fcdab00341dd4b060f3dc40a

SHA512
db26c37819f683e369f0805c94102f9418c3490ddd1f31eecaf2b89eea7649f5962221c4893659753754eeef476e37b0078e800f00d2abec6cc8dd48f5dd5535

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe

Filesize
1.3MB

MD5
acf8c99ac278f00f2b7ac09cb624c34b

SHA1
51b2587bfab5f85247cdf8dec648da2fea120f62

SHA256
9137995c53dd921a7241c1484ed8ec62103aa430fcdab00341dd4b060f3dc40a

SHA512
db26c37819f683e369f0805c94102f9418c3490ddd1f31eecaf2b89eea7649f5962221c4893659753754eeef476e37b0078e800f00d2abec6cc8dd48f5dd5535

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe

Filesize
1015KB

MD5
8a8b159bc52c92f87c6bb72855fad6cb

SHA1
390d4bc30cfcec7e85302fc8f74deb117780af11

SHA256
10911f629b03b7b21e6ce56b48ee0c490d43dc0d76dd9b1b1a146817067999e9

SHA512
c32d24fcb2045e7127215f337d98c03de76a23f325790dc4f1f2cb497f2e9c118a9ac8f85268a21f92f1d11e93d93d276d82d14f4c69089cedcdba7983e9a676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe

Filesize
1015KB

MD5
8a8b159bc52c92f87c6bb72855fad6cb

SHA1
390d4bc30cfcec7e85302fc8f74deb117780af11

SHA256
10911f629b03b7b21e6ce56b48ee0c490d43dc0d76dd9b1b1a146817067999e9

SHA512
c32d24fcb2045e7127215f337d98c03de76a23f325790dc4f1f2cb497f2e9c118a9ac8f85268a21f92f1d11e93d93d276d82d14f4c69089cedcdba7983e9a676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe

Filesize
843KB

MD5
5326bd1e1d146943a335955fa89426ad

SHA1
301425252ec1a6c8f7f0a358179530a224618bf6

SHA256
5bd64208aad73b97d549be721dfa92a8d30515d6a6633688e1575ba0f2904bfd

SHA512
2a0f30a45c74dfb6031721f75573124d19b4b9c3f1ca37a1ddcde544dfeae899ef3a8223ebc3582aa0f5ae0f12836cfd58feddc5144addcde3ca1dd664b430d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe

Filesize
843KB

MD5
5326bd1e1d146943a335955fa89426ad

SHA1
301425252ec1a6c8f7f0a358179530a224618bf6

SHA256
5bd64208aad73b97d549be721dfa92a8d30515d6a6633688e1575ba0f2904bfd

SHA512
2a0f30a45c74dfb6031721f75573124d19b4b9c3f1ca37a1ddcde544dfeae899ef3a8223ebc3582aa0f5ae0f12836cfd58feddc5144addcde3ca1dd664b430d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe

Filesize
371KB

MD5
1908378fa6f3026b8440ce765c8cf517

SHA1
e3df0af6aed1133caf087df00588915d73402946

SHA256
78b0a872b4d822579f8bc5ed23b9a628140c85adc92ddb4f0c596656c450d68b

SHA512
ea80292d934ae16d2a56296aba206800fe67744d3d4985607bb9d8314b094defd8109ca92c95ca13a71ced2168a993d71d4c73b12a1401006050990bb9a669c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe

Filesize
371KB

MD5
1908378fa6f3026b8440ce765c8cf517

SHA1
e3df0af6aed1133caf087df00588915d73402946

SHA256
78b0a872b4d822579f8bc5ed23b9a628140c85adc92ddb4f0c596656c450d68b

SHA512
ea80292d934ae16d2a56296aba206800fe67744d3d4985607bb9d8314b094defd8109ca92c95ca13a71ced2168a993d71d4c73b12a1401006050990bb9a669c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe

Filesize
169KB

MD5
6e9168dac7c694bc9c4ba62c5eca4dbe

SHA1
45ba23a14555e1b206ce7edcd0cae9296ff49f4c

SHA256
76f626aeb640b691412bdf659d1e8ac2b2cfa39dae9c665e2e97b269fdc234b1

SHA512
9cd27d59f8c884d63d42af8dc867c3b58c95c4e468afa70c75295dd5418c67a0434c57c41d27002f69dbfb33a24f06c355b2369bdab4dd52787eb231ff71caff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe

Filesize
169KB

MD5
6e9168dac7c694bc9c4ba62c5eca4dbe

SHA1
45ba23a14555e1b206ce7edcd0cae9296ff49f4c

SHA256
76f626aeb640b691412bdf659d1e8ac2b2cfa39dae9c665e2e97b269fdc234b1

SHA512
9cd27d59f8c884d63d42af8dc867c3b58c95c4e468afa70c75295dd5418c67a0434c57c41d27002f69dbfb33a24f06c355b2369bdab4dd52787eb231ff71caff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe

Filesize
1.3MB

MD5
acf8c99ac278f00f2b7ac09cb624c34b

SHA1
51b2587bfab5f85247cdf8dec648da2fea120f62

SHA256
9137995c53dd921a7241c1484ed8ec62103aa430fcdab00341dd4b060f3dc40a

SHA512
db26c37819f683e369f0805c94102f9418c3490ddd1f31eecaf2b89eea7649f5962221c4893659753754eeef476e37b0078e800f00d2abec6cc8dd48f5dd5535

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45024922.exe

Filesize
1.3MB

MD5
acf8c99ac278f00f2b7ac09cb624c34b

SHA1
51b2587bfab5f85247cdf8dec648da2fea120f62

SHA256
9137995c53dd921a7241c1484ed8ec62103aa430fcdab00341dd4b060f3dc40a

SHA512
db26c37819f683e369f0805c94102f9418c3490ddd1f31eecaf2b89eea7649f5962221c4893659753754eeef476e37b0078e800f00d2abec6cc8dd48f5dd5535

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe

Filesize
1015KB

MD5
8a8b159bc52c92f87c6bb72855fad6cb

SHA1
390d4bc30cfcec7e85302fc8f74deb117780af11

SHA256
10911f629b03b7b21e6ce56b48ee0c490d43dc0d76dd9b1b1a146817067999e9

SHA512
c32d24fcb2045e7127215f337d98c03de76a23f325790dc4f1f2cb497f2e9c118a9ac8f85268a21f92f1d11e93d93d276d82d14f4c69089cedcdba7983e9a676

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i99377424.exe

Filesize
1015KB

MD5
8a8b159bc52c92f87c6bb72855fad6cb

SHA1
390d4bc30cfcec7e85302fc8f74deb117780af11

SHA256
10911f629b03b7b21e6ce56b48ee0c490d43dc0d76dd9b1b1a146817067999e9

SHA512
c32d24fcb2045e7127215f337d98c03de76a23f325790dc4f1f2cb497f2e9c118a9ac8f85268a21f92f1d11e93d93d276d82d14f4c69089cedcdba7983e9a676

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe

Filesize
843KB

MD5
5326bd1e1d146943a335955fa89426ad

SHA1
301425252ec1a6c8f7f0a358179530a224618bf6

SHA256
5bd64208aad73b97d549be721dfa92a8d30515d6a6633688e1575ba0f2904bfd

SHA512
2a0f30a45c74dfb6031721f75573124d19b4b9c3f1ca37a1ddcde544dfeae899ef3a8223ebc3582aa0f5ae0f12836cfd58feddc5144addcde3ca1dd664b430d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09317342.exe

Filesize
843KB

MD5
5326bd1e1d146943a335955fa89426ad

SHA1
301425252ec1a6c8f7f0a358179530a224618bf6

SHA256
5bd64208aad73b97d549be721dfa92a8d30515d6a6633688e1575ba0f2904bfd

SHA512
2a0f30a45c74dfb6031721f75573124d19b4b9c3f1ca37a1ddcde544dfeae899ef3a8223ebc3582aa0f5ae0f12836cfd58feddc5144addcde3ca1dd664b430d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe

Filesize
371KB

MD5
1908378fa6f3026b8440ce765c8cf517

SHA1
e3df0af6aed1133caf087df00588915d73402946

SHA256
78b0a872b4d822579f8bc5ed23b9a628140c85adc92ddb4f0c596656c450d68b

SHA512
ea80292d934ae16d2a56296aba206800fe67744d3d4985607bb9d8314b094defd8109ca92c95ca13a71ced2168a993d71d4c73b12a1401006050990bb9a669c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i34210955.exe

Filesize
371KB

MD5
1908378fa6f3026b8440ce765c8cf517

SHA1
e3df0af6aed1133caf087df00588915d73402946

SHA256
78b0a872b4d822579f8bc5ed23b9a628140c85adc92ddb4f0c596656c450d68b

SHA512
ea80292d934ae16d2a56296aba206800fe67744d3d4985607bb9d8314b094defd8109ca92c95ca13a71ced2168a993d71d4c73b12a1401006050990bb9a669c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe

Filesize
169KB

MD5
6e9168dac7c694bc9c4ba62c5eca4dbe

SHA1
45ba23a14555e1b206ce7edcd0cae9296ff49f4c

SHA256
76f626aeb640b691412bdf659d1e8ac2b2cfa39dae9c665e2e97b269fdc234b1

SHA512
9cd27d59f8c884d63d42af8dc867c3b58c95c4e468afa70c75295dd5418c67a0434c57c41d27002f69dbfb33a24f06c355b2369bdab4dd52787eb231ff71caff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32127787.exe

Filesize
169KB

MD5
6e9168dac7c694bc9c4ba62c5eca4dbe

SHA1
45ba23a14555e1b206ce7edcd0cae9296ff49f4c

SHA256
76f626aeb640b691412bdf659d1e8ac2b2cfa39dae9c665e2e97b269fdc234b1

SHA512
9cd27d59f8c884d63d42af8dc867c3b58c95c4e468afa70c75295dd5418c67a0434c57c41d27002f69dbfb33a24f06c355b2369bdab4dd52787eb231ff71caff

Download Submit
memory/1656-104-0x0000000001300000-0x0000000001330000-memory.dmp

Filesize
192KB

Download
memory/1656-105-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/1656-106-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/1656-107-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download