redline | fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe
Size

1.5MB
MD5

c4044ec43ecc27d8cca011fd950507b2
SHA1

fe5910eda95eb92adad8584835f4b73785369029
SHA256

fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c
SHA512

0ee73970954dd5381c22bdebb6cdb08e75d8f98dd2a032f77579c5c851d47386185d7ead15c1c1f6731b0e57e3ee240ae17d1e98d79800f6da5912baf171aa10
SSDEEP

24576:wyvQPWck3yAt8OJ28TgPR7qSyr/y+098qXinKl/UK+Sv/5KhvUX9AZ3kdqN9pp3E:3voT1At8OFT05Xyu+09nXiKlDVBQ8tgS

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1336	i13794881.exe
564	i01453522.exe
768	i67316351.exe
632	i20055235.exe
1492	a90137436.exe

Loads dropped DLL 10 IoCs

pid	Process
856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe
1336	i13794881.exe
1336	i13794881.exe
564	i01453522.exe
564	i01453522.exe
768	i67316351.exe
768	i67316351.exe
632	i20055235.exe
632	i20055235.exe
1492	a90137436.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i67316351.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i20055235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i20055235.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i13794881.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01453522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i01453522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i13794881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i67316351.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 856 wrote to memory of 1336	856	fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe	28
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 1336 wrote to memory of 564	1336	i13794881.exe	29
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 564 wrote to memory of 768	564	i01453522.exe	30
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 768 wrote to memory of 632	768	i67316351.exe	31
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32
PID 632 wrote to memory of 1492	632	i20055235.exe	32

C:\Users\Admin\AppData\Local\Temp\fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe
"C:\Users\Admin\AppData\Local\Temp\fb113d347e21b140c68584acd6a91de687000a4ba8d8b316437fcd3a9ea6cf3c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe

Filesize
1.3MB

MD5
6749ea164310b3635991ac7abd44e87b

SHA1
f16d2e8cf30d26fb0a4c3402e12082b8647efe35

SHA256
e02efcae1773fb04dc5ba8bf28d4c52d12ab251ee5d00ce4e55f2eeb67668efa

SHA512
227c2f3f9b33a228d4cdb59bd7cd6a1e3c2a9c32cfb93437e980c4bf2cd9b2d8aadb3d249f31044b30d6638f932e22b83b233265e2a9634f411fbc604f237dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe

Filesize
1.3MB

MD5
6749ea164310b3635991ac7abd44e87b

SHA1
f16d2e8cf30d26fb0a4c3402e12082b8647efe35

SHA256
e02efcae1773fb04dc5ba8bf28d4c52d12ab251ee5d00ce4e55f2eeb67668efa

SHA512
227c2f3f9b33a228d4cdb59bd7cd6a1e3c2a9c32cfb93437e980c4bf2cd9b2d8aadb3d249f31044b30d6638f932e22b83b233265e2a9634f411fbc604f237dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe

Filesize
1015KB

MD5
a7399e5f232299b255ff4d9e1c0bd575

SHA1
504f8e2f456460ea892a52b3290f38738c54e960

SHA256
3fa2e6c61b2cfbd7112d0e4dee8402f3a7ac03135782a7caa3b92663a267671b

SHA512
d481b0a53088ed536b24789d75939bde23c6f09df1273a4751788aa21746d3545bb7611c15db1248d273343f03ef6b7faee59ecee3cda56d8d8faa36717935f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe

Filesize
1015KB

MD5
a7399e5f232299b255ff4d9e1c0bd575

SHA1
504f8e2f456460ea892a52b3290f38738c54e960

SHA256
3fa2e6c61b2cfbd7112d0e4dee8402f3a7ac03135782a7caa3b92663a267671b

SHA512
d481b0a53088ed536b24789d75939bde23c6f09df1273a4751788aa21746d3545bb7611c15db1248d273343f03ef6b7faee59ecee3cda56d8d8faa36717935f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe

Filesize
843KB

MD5
e947243acb7a967705b3f077fd75a264

SHA1
9b0d428502e97d9dde82a5ee99924c705d59b7cd

SHA256
ca6044cb32bd9664cc3e0cb4e10ee7634e805cc4be275998cf9c21665656cd56

SHA512
78754e9d7aa556215b85709d087bc9ae44fd9e8cd65fbb1c9994730d14c6f0b15e808c6522ca2c0ae99eb43dac0f6e08282888b76f421b18a8c662dc5054d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe

Filesize
843KB

MD5
e947243acb7a967705b3f077fd75a264

SHA1
9b0d428502e97d9dde82a5ee99924c705d59b7cd

SHA256
ca6044cb32bd9664cc3e0cb4e10ee7634e805cc4be275998cf9c21665656cd56

SHA512
78754e9d7aa556215b85709d087bc9ae44fd9e8cd65fbb1c9994730d14c6f0b15e808c6522ca2c0ae99eb43dac0f6e08282888b76f421b18a8c662dc5054d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe

Filesize
371KB

MD5
0f7d82326ceebdae0392beb775b0f1da

SHA1
7b414d09cadc30f7e5ec6220239051e2c9649290

SHA256
4bda0aa65c59200237be0165740aa29098bc920d50293fa2a97d39ba0345d00e

SHA512
1c8db1b28654938504641e4bc2f956194e87aad3238bcd9fe8b0a2211409723d61e3f9b26d0d295e5e494809eab96358b7fdd5d4b4c9651d9a68b70f7d2fcf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe

Filesize
371KB

MD5
0f7d82326ceebdae0392beb775b0f1da

SHA1
7b414d09cadc30f7e5ec6220239051e2c9649290

SHA256
4bda0aa65c59200237be0165740aa29098bc920d50293fa2a97d39ba0345d00e

SHA512
1c8db1b28654938504641e4bc2f956194e87aad3238bcd9fe8b0a2211409723d61e3f9b26d0d295e5e494809eab96358b7fdd5d4b4c9651d9a68b70f7d2fcf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe

Filesize
169KB

MD5
de331fea894743b772b9640a0c5b2dae

SHA1
4405415130edea372f0f1699c06817ea871e2b86

SHA256
83c158a78b71380f06804472a7035b3095e6806c50a5168cbd85c055d63ec81a

SHA512
21b154ad1c4e2daa8a452db14431c7fbf507dfe185575d98192f632081f772fa7eb421027e5cfca720ebcaa31e1c48b077ee8604de91c3d2de271dbf035c7f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe

Filesize
169KB

MD5
de331fea894743b772b9640a0c5b2dae

SHA1
4405415130edea372f0f1699c06817ea871e2b86

SHA256
83c158a78b71380f06804472a7035b3095e6806c50a5168cbd85c055d63ec81a

SHA512
21b154ad1c4e2daa8a452db14431c7fbf507dfe185575d98192f632081f772fa7eb421027e5cfca720ebcaa31e1c48b077ee8604de91c3d2de271dbf035c7f35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe

Filesize
1.3MB

MD5
6749ea164310b3635991ac7abd44e87b

SHA1
f16d2e8cf30d26fb0a4c3402e12082b8647efe35

SHA256
e02efcae1773fb04dc5ba8bf28d4c52d12ab251ee5d00ce4e55f2eeb67668efa

SHA512
227c2f3f9b33a228d4cdb59bd7cd6a1e3c2a9c32cfb93437e980c4bf2cd9b2d8aadb3d249f31044b30d6638f932e22b83b233265e2a9634f411fbc604f237dbe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i13794881.exe

Filesize
1.3MB

MD5
6749ea164310b3635991ac7abd44e87b

SHA1
f16d2e8cf30d26fb0a4c3402e12082b8647efe35

SHA256
e02efcae1773fb04dc5ba8bf28d4c52d12ab251ee5d00ce4e55f2eeb67668efa

SHA512
227c2f3f9b33a228d4cdb59bd7cd6a1e3c2a9c32cfb93437e980c4bf2cd9b2d8aadb3d249f31044b30d6638f932e22b83b233265e2a9634f411fbc604f237dbe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe

Filesize
1015KB

MD5
a7399e5f232299b255ff4d9e1c0bd575

SHA1
504f8e2f456460ea892a52b3290f38738c54e960

SHA256
3fa2e6c61b2cfbd7112d0e4dee8402f3a7ac03135782a7caa3b92663a267671b

SHA512
d481b0a53088ed536b24789d75939bde23c6f09df1273a4751788aa21746d3545bb7611c15db1248d273343f03ef6b7faee59ecee3cda56d8d8faa36717935f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01453522.exe

Filesize
1015KB

MD5
a7399e5f232299b255ff4d9e1c0bd575

SHA1
504f8e2f456460ea892a52b3290f38738c54e960

SHA256
3fa2e6c61b2cfbd7112d0e4dee8402f3a7ac03135782a7caa3b92663a267671b

SHA512
d481b0a53088ed536b24789d75939bde23c6f09df1273a4751788aa21746d3545bb7611c15db1248d273343f03ef6b7faee59ecee3cda56d8d8faa36717935f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe

Filesize
843KB

MD5
e947243acb7a967705b3f077fd75a264

SHA1
9b0d428502e97d9dde82a5ee99924c705d59b7cd

SHA256
ca6044cb32bd9664cc3e0cb4e10ee7634e805cc4be275998cf9c21665656cd56

SHA512
78754e9d7aa556215b85709d087bc9ae44fd9e8cd65fbb1c9994730d14c6f0b15e808c6522ca2c0ae99eb43dac0f6e08282888b76f421b18a8c662dc5054d71c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67316351.exe

Filesize
843KB

MD5
e947243acb7a967705b3f077fd75a264

SHA1
9b0d428502e97d9dde82a5ee99924c705d59b7cd

SHA256
ca6044cb32bd9664cc3e0cb4e10ee7634e805cc4be275998cf9c21665656cd56

SHA512
78754e9d7aa556215b85709d087bc9ae44fd9e8cd65fbb1c9994730d14c6f0b15e808c6522ca2c0ae99eb43dac0f6e08282888b76f421b18a8c662dc5054d71c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe

Filesize
371KB

MD5
0f7d82326ceebdae0392beb775b0f1da

SHA1
7b414d09cadc30f7e5ec6220239051e2c9649290

SHA256
4bda0aa65c59200237be0165740aa29098bc920d50293fa2a97d39ba0345d00e

SHA512
1c8db1b28654938504641e4bc2f956194e87aad3238bcd9fe8b0a2211409723d61e3f9b26d0d295e5e494809eab96358b7fdd5d4b4c9651d9a68b70f7d2fcf2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i20055235.exe

Filesize
371KB

MD5
0f7d82326ceebdae0392beb775b0f1da

SHA1
7b414d09cadc30f7e5ec6220239051e2c9649290

SHA256
4bda0aa65c59200237be0165740aa29098bc920d50293fa2a97d39ba0345d00e

SHA512
1c8db1b28654938504641e4bc2f956194e87aad3238bcd9fe8b0a2211409723d61e3f9b26d0d295e5e494809eab96358b7fdd5d4b4c9651d9a68b70f7d2fcf2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe

Filesize
169KB

MD5
de331fea894743b772b9640a0c5b2dae

SHA1
4405415130edea372f0f1699c06817ea871e2b86

SHA256
83c158a78b71380f06804472a7035b3095e6806c50a5168cbd85c055d63ec81a

SHA512
21b154ad1c4e2daa8a452db14431c7fbf507dfe185575d98192f632081f772fa7eb421027e5cfca720ebcaa31e1c48b077ee8604de91c3d2de271dbf035c7f35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a90137436.exe

Filesize
169KB

MD5
de331fea894743b772b9640a0c5b2dae

SHA1
4405415130edea372f0f1699c06817ea871e2b86

SHA256
83c158a78b71380f06804472a7035b3095e6806c50a5168cbd85c055d63ec81a

SHA512
21b154ad1c4e2daa8a452db14431c7fbf507dfe185575d98192f632081f772fa7eb421027e5cfca720ebcaa31e1c48b077ee8604de91c3d2de271dbf035c7f35

Download Submit
memory/1492-104-0x0000000001020000-0x0000000001050000-memory.dmp

Filesize
192KB

Download
memory/1492-105-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1492-106-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/1492-107-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download