redline | f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe
Size

1.5MB
MD5

c1573a5596f670b880b30188a659a291
SHA1

aff895f8fa6ac961c3a8189f54266911330e33ef
SHA256

f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c
SHA512

564e0d4d53b7c088b4153f3331240dde79d2cfddb52562ffb8f3d2469033d5abfc0f9b067d7f9b193fa386d6e77555073e3daf95ce8dfa47c5fa07bbda4a8d87
SSDEEP

24576:PyPwLyjVk7UcPjFkuT8yRba3e/CfDASov1LAdrauI5UH1BYlg:aPwujVk7U0jFkuT8yrQDABv1L4Wi1q

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1316	i12264334.exe
1440	i55269342.exe
1700	i30339835.exe
336	i81188486.exe
1052	a96405389.exe

Loads dropped DLL 10 IoCs

pid	Process
1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe
1316	i12264334.exe
1316	i12264334.exe
1440	i55269342.exe
1440	i55269342.exe
1700	i30339835.exe
1700	i30339835.exe
336	i81188486.exe
336	i81188486.exe
1052	a96405389.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i55269342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i81188486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i12264334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i12264334.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i55269342.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i30339835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30339835.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i81188486.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1416 wrote to memory of 1316	1416	f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe	27
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1316 wrote to memory of 1440	1316	i12264334.exe	28
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1440 wrote to memory of 1700	1440	i55269342.exe	29
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 1700 wrote to memory of 336	1700	i30339835.exe	30
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31
PID 336 wrote to memory of 1052	336	i81188486.exe	31

C:\Users\Admin\AppData\Local\Temp\f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe
"C:\Users\Admin\AppData\Local\Temp\f540565e5f5354045f99e1560af41b9f2ac62772b40a21470d71e881b2e3343c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe

Filesize
1.2MB

MD5
2a9124eebabd3f2d6e2aee09851f238c

SHA1
6f667eb8080b40966ba120d2056c041d91dffe89

SHA256
77da3d20c62e0d4d639c95687dd1bf48fe51fd58f5c1f4aa1ddc69f8168be091

SHA512
0ec96b068ed423ca5cd5c9e71a16ed4f3a26caf0d3d93202b8fd9a15c3729a3cc87956db502dabb0dcc30ce276c235252dcb39d7f57f47b65bc3255353b4a5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe

Filesize
1.2MB

MD5
2a9124eebabd3f2d6e2aee09851f238c

SHA1
6f667eb8080b40966ba120d2056c041d91dffe89

SHA256
77da3d20c62e0d4d639c95687dd1bf48fe51fd58f5c1f4aa1ddc69f8168be091

SHA512
0ec96b068ed423ca5cd5c9e71a16ed4f3a26caf0d3d93202b8fd9a15c3729a3cc87956db502dabb0dcc30ce276c235252dcb39d7f57f47b65bc3255353b4a5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe

Filesize
1001KB

MD5
adc179ec71e5213c57dec25464f54efd

SHA1
c742bdeca5b2920e6307c49040f1d8848f463d71

SHA256
d15af9c4a23798d825ed3a1816ca52b4cef760213c3af046a3286c31cd704e9f

SHA512
5096b02f2f661a827932f21f7c779539a2fbab1a2217bfc8f1ff7a9a08bd846547948a3157a55d7b84b8188a7b8872f0bbbbb8b41ca552c2db830c770ec6346c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe

Filesize
1001KB

MD5
adc179ec71e5213c57dec25464f54efd

SHA1
c742bdeca5b2920e6307c49040f1d8848f463d71

SHA256
d15af9c4a23798d825ed3a1816ca52b4cef760213c3af046a3286c31cd704e9f

SHA512
5096b02f2f661a827932f21f7c779539a2fbab1a2217bfc8f1ff7a9a08bd846547948a3157a55d7b84b8188a7b8872f0bbbbb8b41ca552c2db830c770ec6346c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe

Filesize
829KB

MD5
7f3b9222c4cfa5793ac06495bf21be08

SHA1
76a02b9d04ca3adbf80bf213f4ff5098825573d4

SHA256
b0290147fb7c7942c3c894d7c9d38c9e409580dff6376dc93bc3f52d198895b2

SHA512
89d7f46461acb2a5cf8320d1152033f2a16f8d12a4687ede678214490eafe1b0ea1ea57f536782190fd4033c13403f984f8ce917af5d35ee5f46231c4c141cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe

Filesize
829KB

MD5
7f3b9222c4cfa5793ac06495bf21be08

SHA1
76a02b9d04ca3adbf80bf213f4ff5098825573d4

SHA256
b0290147fb7c7942c3c894d7c9d38c9e409580dff6376dc93bc3f52d198895b2

SHA512
89d7f46461acb2a5cf8320d1152033f2a16f8d12a4687ede678214490eafe1b0ea1ea57f536782190fd4033c13403f984f8ce917af5d35ee5f46231c4c141cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe

Filesize
363KB

MD5
d398a57ede088bca5f15ac9dd03d72bb

SHA1
a6f7503095567fdaf2f0fb97cdf65982e528417f

SHA256
bc9a6566d7ee264f850b592614dfe712bcd5facf4cc3a9df4bcdf25725628400

SHA512
6092724466ca059c9d4d30b991b7fe4b7bc5b336b1637418d40e00719edcd2f06c3ca226b686fe09c5f80534a05d898d89d9235db7a01a48551e8f008730b590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe

Filesize
363KB

MD5
d398a57ede088bca5f15ac9dd03d72bb

SHA1
a6f7503095567fdaf2f0fb97cdf65982e528417f

SHA256
bc9a6566d7ee264f850b592614dfe712bcd5facf4cc3a9df4bcdf25725628400

SHA512
6092724466ca059c9d4d30b991b7fe4b7bc5b336b1637418d40e00719edcd2f06c3ca226b686fe09c5f80534a05d898d89d9235db7a01a48551e8f008730b590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe

Filesize
169KB

MD5
8a613e83317dd1dc5e9722b1272db8a2

SHA1
9b68901fb7d56e9e547b01d92b19d64df320b7a6

SHA256
c065a7322275d235be389bee9620d8818bf6680bec6f1854d0692cbf23fcd651

SHA512
71b77b7d5bb58a029b66763a6b0ceadf7ba5bde159dd0aedb958fbbc3d4e2fd5caed14964ade86f4af9f300d6a4075c06738c1c5c37e66c89fd24855feba97ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe

Filesize
169KB

MD5
8a613e83317dd1dc5e9722b1272db8a2

SHA1
9b68901fb7d56e9e547b01d92b19d64df320b7a6

SHA256
c065a7322275d235be389bee9620d8818bf6680bec6f1854d0692cbf23fcd651

SHA512
71b77b7d5bb58a029b66763a6b0ceadf7ba5bde159dd0aedb958fbbc3d4e2fd5caed14964ade86f4af9f300d6a4075c06738c1c5c37e66c89fd24855feba97ce

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe

Filesize
1.2MB

MD5
2a9124eebabd3f2d6e2aee09851f238c

SHA1
6f667eb8080b40966ba120d2056c041d91dffe89

SHA256
77da3d20c62e0d4d639c95687dd1bf48fe51fd58f5c1f4aa1ddc69f8168be091

SHA512
0ec96b068ed423ca5cd5c9e71a16ed4f3a26caf0d3d93202b8fd9a15c3729a3cc87956db502dabb0dcc30ce276c235252dcb39d7f57f47b65bc3255353b4a5a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i12264334.exe

Filesize
1.2MB

MD5
2a9124eebabd3f2d6e2aee09851f238c

SHA1
6f667eb8080b40966ba120d2056c041d91dffe89

SHA256
77da3d20c62e0d4d639c95687dd1bf48fe51fd58f5c1f4aa1ddc69f8168be091

SHA512
0ec96b068ed423ca5cd5c9e71a16ed4f3a26caf0d3d93202b8fd9a15c3729a3cc87956db502dabb0dcc30ce276c235252dcb39d7f57f47b65bc3255353b4a5a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe

Filesize
1001KB

MD5
adc179ec71e5213c57dec25464f54efd

SHA1
c742bdeca5b2920e6307c49040f1d8848f463d71

SHA256
d15af9c4a23798d825ed3a1816ca52b4cef760213c3af046a3286c31cd704e9f

SHA512
5096b02f2f661a827932f21f7c779539a2fbab1a2217bfc8f1ff7a9a08bd846547948a3157a55d7b84b8188a7b8872f0bbbbb8b41ca552c2db830c770ec6346c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55269342.exe

Filesize
1001KB

MD5
adc179ec71e5213c57dec25464f54efd

SHA1
c742bdeca5b2920e6307c49040f1d8848f463d71

SHA256
d15af9c4a23798d825ed3a1816ca52b4cef760213c3af046a3286c31cd704e9f

SHA512
5096b02f2f661a827932f21f7c779539a2fbab1a2217bfc8f1ff7a9a08bd846547948a3157a55d7b84b8188a7b8872f0bbbbb8b41ca552c2db830c770ec6346c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe

Filesize
829KB

MD5
7f3b9222c4cfa5793ac06495bf21be08

SHA1
76a02b9d04ca3adbf80bf213f4ff5098825573d4

SHA256
b0290147fb7c7942c3c894d7c9d38c9e409580dff6376dc93bc3f52d198895b2

SHA512
89d7f46461acb2a5cf8320d1152033f2a16f8d12a4687ede678214490eafe1b0ea1ea57f536782190fd4033c13403f984f8ce917af5d35ee5f46231c4c141cc7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30339835.exe

Filesize
829KB

MD5
7f3b9222c4cfa5793ac06495bf21be08

SHA1
76a02b9d04ca3adbf80bf213f4ff5098825573d4

SHA256
b0290147fb7c7942c3c894d7c9d38c9e409580dff6376dc93bc3f52d198895b2

SHA512
89d7f46461acb2a5cf8320d1152033f2a16f8d12a4687ede678214490eafe1b0ea1ea57f536782190fd4033c13403f984f8ce917af5d35ee5f46231c4c141cc7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe

Filesize
363KB

MD5
d398a57ede088bca5f15ac9dd03d72bb

SHA1
a6f7503095567fdaf2f0fb97cdf65982e528417f

SHA256
bc9a6566d7ee264f850b592614dfe712bcd5facf4cc3a9df4bcdf25725628400

SHA512
6092724466ca059c9d4d30b991b7fe4b7bc5b336b1637418d40e00719edcd2f06c3ca226b686fe09c5f80534a05d898d89d9235db7a01a48551e8f008730b590

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i81188486.exe

Filesize
363KB

MD5
d398a57ede088bca5f15ac9dd03d72bb

SHA1
a6f7503095567fdaf2f0fb97cdf65982e528417f

SHA256
bc9a6566d7ee264f850b592614dfe712bcd5facf4cc3a9df4bcdf25725628400

SHA512
6092724466ca059c9d4d30b991b7fe4b7bc5b336b1637418d40e00719edcd2f06c3ca226b686fe09c5f80534a05d898d89d9235db7a01a48551e8f008730b590

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe

Filesize
169KB

MD5
8a613e83317dd1dc5e9722b1272db8a2

SHA1
9b68901fb7d56e9e547b01d92b19d64df320b7a6

SHA256
c065a7322275d235be389bee9620d8818bf6680bec6f1854d0692cbf23fcd651

SHA512
71b77b7d5bb58a029b66763a6b0ceadf7ba5bde159dd0aedb958fbbc3d4e2fd5caed14964ade86f4af9f300d6a4075c06738c1c5c37e66c89fd24855feba97ce

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96405389.exe

Filesize
169KB

MD5
8a613e83317dd1dc5e9722b1272db8a2

SHA1
9b68901fb7d56e9e547b01d92b19d64df320b7a6

SHA256
c065a7322275d235be389bee9620d8818bf6680bec6f1854d0692cbf23fcd651

SHA512
71b77b7d5bb58a029b66763a6b0ceadf7ba5bde159dd0aedb958fbbc3d4e2fd5caed14964ade86f4af9f300d6a4075c06738c1c5c37e66c89fd24855feba97ce

Download Submit
memory/1052-104-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/1052-105-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1052-106-0x00000000009B0000-0x00000000009F0000-memory.dmp

Filesize
256KB

Download
memory/1052-107-0x00000000009B0000-0x00000000009F0000-memory.dmp

Filesize
256KB

Download