redline | e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc

Analysis

max time kernel
125s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe
Size

774KB
MD5

6ac72d69c0050628067fb5ee48815f75
SHA1

aba8f1713144178b1593f4b5d3f7c4a0ecd02a7e
SHA256

e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc
SHA512

56fcdb0cd728bc702e96801d6d2fcd336bd9fac86d9dbf775e7510cf3588614da198b0ade80444ac2d97485a182cc4d24540d4e3962184cbc6ec469ecc911c3b
SSDEEP

24576:FyEYAxmFvPkOTMBYD8X1ivwzJVSroGO/H:gvCmbOYy1i4zJVSrod

Score

10^/10

redline dante gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2040	x70244653.exe
1296	m90797830.exe
564	1.exe
1708	n13962664.exe

Loads dropped DLL 9 IoCs

pid	Process
1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe
2040	x70244653.exe
2040	x70244653.exe
2040	x70244653.exe
1296	m90797830.exe
1296	m90797830.exe
564	1.exe
2040	x70244653.exe
1708	n13962664.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x70244653.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x70244653.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	m90797830.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 1188 wrote to memory of 2040	1188	e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe	28
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 2040 wrote to memory of 1296	2040	x70244653.exe	29
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 1296 wrote to memory of 564	1296	m90797830.exe	30
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31
PID 2040 wrote to memory of 1708	2040	x70244653.exe	31

C:\Users\Admin\AppData\Local\Temp\e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe
"C:\Users\Admin\AppData\Local\Temp\e334bb349157e5788493a601581ef3bfb32e75cd6d21c1947df37240a174b4bc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe

Filesize
569KB

MD5
94e8fe2d0601c6dfb62b29b730823f56

SHA1
14d84564516ddad3bb8a2938fd33868119c0e419

SHA256
8e5692b6a3aa8664c50ea3034be1a496394b7796bb134bf81449c0cdd5ad329e

SHA512
a2b969b0319704d0dfd7a4589b31caf4610898ad0e33c3aeffb33078660e6a0e0177980e26edd786ef2a256a1248367a735fcb7ffc8ba539acfc0291b164a2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe

Filesize
569KB

MD5
94e8fe2d0601c6dfb62b29b730823f56

SHA1
14d84564516ddad3bb8a2938fd33868119c0e419

SHA256
8e5692b6a3aa8664c50ea3034be1a496394b7796bb134bf81449c0cdd5ad329e

SHA512
a2b969b0319704d0dfd7a4589b31caf4610898ad0e33c3aeffb33078660e6a0e0177980e26edd786ef2a256a1248367a735fcb7ffc8ba539acfc0291b164a2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe

Filesize
169KB

MD5
5cc22a7965addd3817b65309597e98db

SHA1
0f2030dbd0e991637e044b249671969ef723ca9a

SHA256
71dbc3c3c9d085f59c017f9eac971f968641164102643acd369c2b55a1ce3088

SHA512
4ebecf7232d3ff8845c0791b56c677955eb4a44de0bfee67195ba47a8aad686e1b754c2c655c0d54798ce57e8e845325af3373875dbaa970f578e8f9718c0e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe

Filesize
169KB

MD5
5cc22a7965addd3817b65309597e98db

SHA1
0f2030dbd0e991637e044b249671969ef723ca9a

SHA256
71dbc3c3c9d085f59c017f9eac971f968641164102643acd369c2b55a1ce3088

SHA512
4ebecf7232d3ff8845c0791b56c677955eb4a44de0bfee67195ba47a8aad686e1b754c2c655c0d54798ce57e8e845325af3373875dbaa970f578e8f9718c0e42

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe

Filesize
569KB

MD5
94e8fe2d0601c6dfb62b29b730823f56

SHA1
14d84564516ddad3bb8a2938fd33868119c0e419

SHA256
8e5692b6a3aa8664c50ea3034be1a496394b7796bb134bf81449c0cdd5ad329e

SHA512
a2b969b0319704d0dfd7a4589b31caf4610898ad0e33c3aeffb33078660e6a0e0177980e26edd786ef2a256a1248367a735fcb7ffc8ba539acfc0291b164a2ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x70244653.exe

Filesize
569KB

MD5
94e8fe2d0601c6dfb62b29b730823f56

SHA1
14d84564516ddad3bb8a2938fd33868119c0e419

SHA256
8e5692b6a3aa8664c50ea3034be1a496394b7796bb134bf81449c0cdd5ad329e

SHA512
a2b969b0319704d0dfd7a4589b31caf4610898ad0e33c3aeffb33078660e6a0e0177980e26edd786ef2a256a1248367a735fcb7ffc8ba539acfc0291b164a2ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m90797830.exe

Filesize
479KB

MD5
e24e29640ad4305420665f82fb338d6b

SHA1
b0f6d6b1ced119841ff5ffcc8583c5bef3352300

SHA256
92f15aa73a579af8410a0044649766e56e4647dcb0b939ebb973465ce1280a91

SHA512
c72d8529949ffaaa3c8c508beada1c0b97e47cd77559de04e39dc44a0b4476f1b8bd27af9415cb8495c71203fa3d743e0bdbdb4ade86682bd26bcae8ca2c75e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe

Filesize
169KB

MD5
5cc22a7965addd3817b65309597e98db

SHA1
0f2030dbd0e991637e044b249671969ef723ca9a

SHA256
71dbc3c3c9d085f59c017f9eac971f968641164102643acd369c2b55a1ce3088

SHA512
4ebecf7232d3ff8845c0791b56c677955eb4a44de0bfee67195ba47a8aad686e1b754c2c655c0d54798ce57e8e845325af3373875dbaa970f578e8f9718c0e42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n13962664.exe

Filesize
169KB

MD5
5cc22a7965addd3817b65309597e98db

SHA1
0f2030dbd0e991637e044b249671969ef723ca9a

SHA256
71dbc3c3c9d085f59c017f9eac971f968641164102643acd369c2b55a1ce3088

SHA512
4ebecf7232d3ff8845c0791b56c677955eb4a44de0bfee67195ba47a8aad686e1b754c2c655c0d54798ce57e8e845325af3373875dbaa970f578e8f9718c0e42

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/564-2250-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/564-2239-0x0000000000A10000-0x0000000000A3E000-memory.dmp

Filesize
184KB

Download
memory/564-2244-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/564-2249-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/1296-116-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-138-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-102-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-104-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-100-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-106-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-108-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-110-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-112-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-114-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-96-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-118-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-120-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-122-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-124-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-126-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-128-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-130-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-132-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-134-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-136-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-98-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-142-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-140-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-144-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-146-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-2229-0x0000000002560000-0x0000000002592000-memory.dmp

Filesize
200KB

Download
memory/1296-94-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-92-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-90-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-88-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-84-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-86-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-83-0x00000000024C0000-0x0000000002520000-memory.dmp

Filesize
384KB

Download
memory/1296-82-0x00000000024C0000-0x0000000002526000-memory.dmp

Filesize
408KB

Download
memory/1296-78-0x0000000004DB0000-0x0000000004E18000-memory.dmp

Filesize
416KB

Download
memory/1296-81-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/1296-80-0x0000000002480000-0x00000000024C0000-memory.dmp

Filesize
256KB

Download
memory/1296-79-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/1708-2248-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1708-2247-0x0000000001290000-0x00000000012C0000-memory.dmp

Filesize
192KB

Download
memory/1708-2251-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads