redline | 6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f

Analysis

max time kernel
134s
max time network
163s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe
Size

1.5MB
MD5

afee4140b2a2e4bbf6597532ade8c65a
SHA1

f97928f45828ec20545f32de8e881538458e4a1f
SHA256

6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f
SHA512

a858eb2ed2ef3b65a41c2b463fc23b9ce264902d6d182cabb48631bf6699b799729fd2ded343dd46a488c1dd2e6b5150728a2aee1f08de25dc53b43b98b3bff1
SSDEEP

24576:myUdPMrsbvMuy3CbH6vhGlIb+XsTz6SZ/dZFfmeddKemqu3qd6aKabACUC:1UxMIb0k6vV+XsX3Vn1dQqu3qkvanU

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2016	i28438819.exe
560	i12691707.exe
1164	i57493083.exe
1524	i54720293.exe
2040	a71348626.exe

Loads dropped DLL 10 IoCs

pid	Process
1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe
2016	i28438819.exe
2016	i28438819.exe
560	i12691707.exe
560	i12691707.exe
1164	i57493083.exe
1164	i57493083.exe
1524	i54720293.exe
1524	i54720293.exe
2040	a71348626.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i57493083.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i54720293.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i28438819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i28438819.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i12691707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i12691707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i54720293.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i57493083.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 1460 wrote to memory of 2016	1460	6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe	28
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 2016 wrote to memory of 560	2016	i28438819.exe	29
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 560 wrote to memory of 1164	560	i12691707.exe	30
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1164 wrote to memory of 1524	1164	i57493083.exe	31
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32
PID 1524 wrote to memory of 2040	1524	i54720293.exe	32

C:\Users\Admin\AppData\Local\Temp\6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe
"C:\Users\Admin\AppData\Local\Temp\6a6285200e43d42f1bd0afdbf85757bf7f2bde9288123f9e0091b95cb273479f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe

Filesize
1.3MB

MD5
46b4f6fbad7a9eb92ef8123457baa24f

SHA1
21c8cc910540cda3666a94a393eda83edb5abfd5

SHA256
a7388cf093314acce12f1dfd221dbc1be05bc2819b24896ebc5d1fd7ab54c56e

SHA512
852115f6e952082768bd9f0a2e52748fd31be5028ff887de2c1fae44283a42de149ec3d7648b831cf6e7b7685645d88a59c6f6676f3c0b4994b162a6e2be3d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe

Filesize
1.3MB

MD5
46b4f6fbad7a9eb92ef8123457baa24f

SHA1
21c8cc910540cda3666a94a393eda83edb5abfd5

SHA256
a7388cf093314acce12f1dfd221dbc1be05bc2819b24896ebc5d1fd7ab54c56e

SHA512
852115f6e952082768bd9f0a2e52748fd31be5028ff887de2c1fae44283a42de149ec3d7648b831cf6e7b7685645d88a59c6f6676f3c0b4994b162a6e2be3d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe

Filesize
1015KB

MD5
493ca95a6fc9903615c7f8c7fcdb4829

SHA1
85031368cc4584ecf74946a8c5d8b1826ccd24e5

SHA256
8c532e99a1646fdb23bc80a46885d3af92581fb857f3d9f6dd7f8fae900899f7

SHA512
fc11f540b89b7cd4dbd6df6c6deaa35746cf6ea406525fdaba3d4909a0d9f59e1e102eaa0330f97f0ed27325850e3c8f25a186b4b7b7e162093cf1d3354853ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe

Filesize
1015KB

MD5
493ca95a6fc9903615c7f8c7fcdb4829

SHA1
85031368cc4584ecf74946a8c5d8b1826ccd24e5

SHA256
8c532e99a1646fdb23bc80a46885d3af92581fb857f3d9f6dd7f8fae900899f7

SHA512
fc11f540b89b7cd4dbd6df6c6deaa35746cf6ea406525fdaba3d4909a0d9f59e1e102eaa0330f97f0ed27325850e3c8f25a186b4b7b7e162093cf1d3354853ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe

Filesize
843KB

MD5
838111f858073b0523d8ca20debf86fe

SHA1
6ad1fa43e82d3fe7ac958a6b00919f21f8b85e8d

SHA256
0336531a8d6e9e0a5d469a2f550b75beb5ea14a8d19810364dec6ec5cb479c90

SHA512
96ec648e97628d9679ba12d1492c839e03dacad5387f87a2981df25f1b8d914b8c92f60c9d0df0d9f044a12c3b895bf283865e344241dd8ee9e2c8e84e89caf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe

Filesize
843KB

MD5
838111f858073b0523d8ca20debf86fe

SHA1
6ad1fa43e82d3fe7ac958a6b00919f21f8b85e8d

SHA256
0336531a8d6e9e0a5d469a2f550b75beb5ea14a8d19810364dec6ec5cb479c90

SHA512
96ec648e97628d9679ba12d1492c839e03dacad5387f87a2981df25f1b8d914b8c92f60c9d0df0d9f044a12c3b895bf283865e344241dd8ee9e2c8e84e89caf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe

Filesize
371KB

MD5
f71c2bf701cd1608b89f8888f8d75b31

SHA1
710cbcba9a35b409ecb1248353f99a0754b646f6

SHA256
52e67915551b96ad949bfb733a9449e8d54686a8a7abb3c76c453ec51b30f75d

SHA512
e2fc020b69504354e7e0b34e15068750112aac3f34538f28166f81a5f4d94ad5394f24ae5bd682b2e921cad392839757b4b36724b5a8ffb76514a325a16f2c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe

Filesize
371KB

MD5
f71c2bf701cd1608b89f8888f8d75b31

SHA1
710cbcba9a35b409ecb1248353f99a0754b646f6

SHA256
52e67915551b96ad949bfb733a9449e8d54686a8a7abb3c76c453ec51b30f75d

SHA512
e2fc020b69504354e7e0b34e15068750112aac3f34538f28166f81a5f4d94ad5394f24ae5bd682b2e921cad392839757b4b36724b5a8ffb76514a325a16f2c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe

Filesize
169KB

MD5
d7d90cbca90a513944c1a9a3a1f09760

SHA1
31df1bb8e892cd3f32aaef62bbc793a9974c69fa

SHA256
3ec0b3ba1ab31bd4b2c1122c3ccda1e8ee5888b480fe7317d9107b04cbe75fba

SHA512
cc969978934e7667eba3dde9c461a0f2ec0599c253ca1132fe94494b85180e4edf73e5797ebba309b4dad98f140adf403bfb5da02586e89c2b0e6ea2a2517c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe

Filesize
169KB

MD5
d7d90cbca90a513944c1a9a3a1f09760

SHA1
31df1bb8e892cd3f32aaef62bbc793a9974c69fa

SHA256
3ec0b3ba1ab31bd4b2c1122c3ccda1e8ee5888b480fe7317d9107b04cbe75fba

SHA512
cc969978934e7667eba3dde9c461a0f2ec0599c253ca1132fe94494b85180e4edf73e5797ebba309b4dad98f140adf403bfb5da02586e89c2b0e6ea2a2517c21

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe

Filesize
1.3MB

MD5
46b4f6fbad7a9eb92ef8123457baa24f

SHA1
21c8cc910540cda3666a94a393eda83edb5abfd5

SHA256
a7388cf093314acce12f1dfd221dbc1be05bc2819b24896ebc5d1fd7ab54c56e

SHA512
852115f6e952082768bd9f0a2e52748fd31be5028ff887de2c1fae44283a42de149ec3d7648b831cf6e7b7685645d88a59c6f6676f3c0b4994b162a6e2be3d17

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i28438819.exe

Filesize
1.3MB

MD5
46b4f6fbad7a9eb92ef8123457baa24f

SHA1
21c8cc910540cda3666a94a393eda83edb5abfd5

SHA256
a7388cf093314acce12f1dfd221dbc1be05bc2819b24896ebc5d1fd7ab54c56e

SHA512
852115f6e952082768bd9f0a2e52748fd31be5028ff887de2c1fae44283a42de149ec3d7648b831cf6e7b7685645d88a59c6f6676f3c0b4994b162a6e2be3d17

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe

Filesize
1015KB

MD5
493ca95a6fc9903615c7f8c7fcdb4829

SHA1
85031368cc4584ecf74946a8c5d8b1826ccd24e5

SHA256
8c532e99a1646fdb23bc80a46885d3af92581fb857f3d9f6dd7f8fae900899f7

SHA512
fc11f540b89b7cd4dbd6df6c6deaa35746cf6ea406525fdaba3d4909a0d9f59e1e102eaa0330f97f0ed27325850e3c8f25a186b4b7b7e162093cf1d3354853ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12691707.exe

Filesize
1015KB

MD5
493ca95a6fc9903615c7f8c7fcdb4829

SHA1
85031368cc4584ecf74946a8c5d8b1826ccd24e5

SHA256
8c532e99a1646fdb23bc80a46885d3af92581fb857f3d9f6dd7f8fae900899f7

SHA512
fc11f540b89b7cd4dbd6df6c6deaa35746cf6ea406525fdaba3d4909a0d9f59e1e102eaa0330f97f0ed27325850e3c8f25a186b4b7b7e162093cf1d3354853ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe

Filesize
843KB

MD5
838111f858073b0523d8ca20debf86fe

SHA1
6ad1fa43e82d3fe7ac958a6b00919f21f8b85e8d

SHA256
0336531a8d6e9e0a5d469a2f550b75beb5ea14a8d19810364dec6ec5cb479c90

SHA512
96ec648e97628d9679ba12d1492c839e03dacad5387f87a2981df25f1b8d914b8c92f60c9d0df0d9f044a12c3b895bf283865e344241dd8ee9e2c8e84e89caf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i57493083.exe

Filesize
843KB

MD5
838111f858073b0523d8ca20debf86fe

SHA1
6ad1fa43e82d3fe7ac958a6b00919f21f8b85e8d

SHA256
0336531a8d6e9e0a5d469a2f550b75beb5ea14a8d19810364dec6ec5cb479c90

SHA512
96ec648e97628d9679ba12d1492c839e03dacad5387f87a2981df25f1b8d914b8c92f60c9d0df0d9f044a12c3b895bf283865e344241dd8ee9e2c8e84e89caf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe

Filesize
371KB

MD5
f71c2bf701cd1608b89f8888f8d75b31

SHA1
710cbcba9a35b409ecb1248353f99a0754b646f6

SHA256
52e67915551b96ad949bfb733a9449e8d54686a8a7abb3c76c453ec51b30f75d

SHA512
e2fc020b69504354e7e0b34e15068750112aac3f34538f28166f81a5f4d94ad5394f24ae5bd682b2e921cad392839757b4b36724b5a8ffb76514a325a16f2c7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i54720293.exe

Filesize
371KB

MD5
f71c2bf701cd1608b89f8888f8d75b31

SHA1
710cbcba9a35b409ecb1248353f99a0754b646f6

SHA256
52e67915551b96ad949bfb733a9449e8d54686a8a7abb3c76c453ec51b30f75d

SHA512
e2fc020b69504354e7e0b34e15068750112aac3f34538f28166f81a5f4d94ad5394f24ae5bd682b2e921cad392839757b4b36724b5a8ffb76514a325a16f2c7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe

Filesize
169KB

MD5
d7d90cbca90a513944c1a9a3a1f09760

SHA1
31df1bb8e892cd3f32aaef62bbc793a9974c69fa

SHA256
3ec0b3ba1ab31bd4b2c1122c3ccda1e8ee5888b480fe7317d9107b04cbe75fba

SHA512
cc969978934e7667eba3dde9c461a0f2ec0599c253ca1132fe94494b85180e4edf73e5797ebba309b4dad98f140adf403bfb5da02586e89c2b0e6ea2a2517c21

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a71348626.exe

Filesize
169KB

MD5
d7d90cbca90a513944c1a9a3a1f09760

SHA1
31df1bb8e892cd3f32aaef62bbc793a9974c69fa

SHA256
3ec0b3ba1ab31bd4b2c1122c3ccda1e8ee5888b480fe7317d9107b04cbe75fba

SHA512
cc969978934e7667eba3dde9c461a0f2ec0599c253ca1132fe94494b85180e4edf73e5797ebba309b4dad98f140adf403bfb5da02586e89c2b0e6ea2a2517c21

Download Submit
memory/2040-104-0x00000000013E0000-0x0000000001410000-memory.dmp

Filesize
192KB

Download
memory/2040-105-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2040-106-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2040-107-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download