redline | 015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe
Size

1.5MB
MD5

93e176c4a5e13eeaac79a9895c171a63
SHA1

691559862dcdb65cfd29ee782cb1fc3c1989076a
SHA256

015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50
SHA512

466b92e74d61df1179b56ca1bf824e8d2f7dee7a0aa7a53e981dd3e1333056c53357dcaf18eda3569249d0fb388a210462768e30ca82b2a6291e065091a1a3e4
SSDEEP

24576:Ey0KOjVN8JVc97Dkkqexh9B23nc+XIxlILXB82scSRQ+YjkUyugAldBC:T7OxGJV6nqihf23nc+Yf+X3jSeX0Ald

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2000	i20481408.exe
592	i08119169.exe
1464	i19477093.exe
1748	i60574911.exe
1348	a36899493.exe

Loads dropped DLL 10 IoCs

pid	Process
1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe
2000	i20481408.exe
2000	i20481408.exe
592	i08119169.exe
592	i08119169.exe
1464	i19477093.exe
1464	i19477093.exe
1748	i60574911.exe
1748	i60574911.exe
1348	a36899493.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i20481408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i19477093.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i60574911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i60574911.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i20481408.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08119169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i08119169.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i19477093.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 1100 wrote to memory of 2000	1100	015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe	27
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 2000 wrote to memory of 592	2000	i20481408.exe	28
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 592 wrote to memory of 1464	592	i08119169.exe	29
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1464 wrote to memory of 1748	1464	i19477093.exe	30
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31
PID 1748 wrote to memory of 1348	1748	i60574911.exe	31

C:\Users\Admin\AppData\Local\Temp\015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe
"C:\Users\Admin\AppData\Local\Temp\015aa5448ec0a4fc941dddf90dc5e73914b7976541b9e51656756bc4e4491c50.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe

Filesize
1.3MB

MD5
a009104805b87e61a133daf86b2f0d28

SHA1
f81925411eee2a56bdc0c0df72334fc359ea789e

SHA256
4c2c22d7a1861b06ff1aa70d916164d6e93fbe8d211a567b1a57857c02664c8e

SHA512
de4c4ef3efd72fb83d7e0e37e5e1d8a70b0215a1b6248a16a7e57327233369e38bced6cbfbe55415069a68256a426b94692c8ed4acd0af901313c5db3bbe2ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe

Filesize
1.3MB

MD5
a009104805b87e61a133daf86b2f0d28

SHA1
f81925411eee2a56bdc0c0df72334fc359ea789e

SHA256
4c2c22d7a1861b06ff1aa70d916164d6e93fbe8d211a567b1a57857c02664c8e

SHA512
de4c4ef3efd72fb83d7e0e37e5e1d8a70b0215a1b6248a16a7e57327233369e38bced6cbfbe55415069a68256a426b94692c8ed4acd0af901313c5db3bbe2ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe

Filesize
1022KB

MD5
1305c1364227ba247ab15086130c0a0e

SHA1
09a303b36db249d54816c907f48e166220edfdd2

SHA256
095c9dad3566ad43e97a88d9cad19fd5070b4ca0100e122d899be4bf878226af

SHA512
8d72c9e00d1aabea9f6f6f8820e211dba535a86645d5cfcfd55d7b0bdc0101988ee5a9c6cc674f208fb40a60d615c83a0054c17f804f5d5242f9c68693441a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe

Filesize
1022KB

MD5
1305c1364227ba247ab15086130c0a0e

SHA1
09a303b36db249d54816c907f48e166220edfdd2

SHA256
095c9dad3566ad43e97a88d9cad19fd5070b4ca0100e122d899be4bf878226af

SHA512
8d72c9e00d1aabea9f6f6f8820e211dba535a86645d5cfcfd55d7b0bdc0101988ee5a9c6cc674f208fb40a60d615c83a0054c17f804f5d5242f9c68693441a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe

Filesize
851KB

MD5
3ec693f04a4bc4b9c6900742fa6e1e11

SHA1
9a0321b2311db33927fb3e4e68f6cd3aad4e0097

SHA256
ba55928e7594cc4f29dc397488118d22b7cecef34a3f8d93b21713a6de4c2b4a

SHA512
22a5b3c1e909947932c25aa8b2447915e2e25b1f1c3ef2cb1caf42d565e840c4c56e73b907b789062f2b3d623cd06751675559ba6dca608107863ba0dc3b8457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe

Filesize
851KB

MD5
3ec693f04a4bc4b9c6900742fa6e1e11

SHA1
9a0321b2311db33927fb3e4e68f6cd3aad4e0097

SHA256
ba55928e7594cc4f29dc397488118d22b7cecef34a3f8d93b21713a6de4c2b4a

SHA512
22a5b3c1e909947932c25aa8b2447915e2e25b1f1c3ef2cb1caf42d565e840c4c56e73b907b789062f2b3d623cd06751675559ba6dca608107863ba0dc3b8457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe

Filesize
375KB

MD5
9f93c9146cc6bdc8c806d47ec766b88b

SHA1
c3664b270e459746bf13e022b6f5953ea8a8999b

SHA256
696e1d82f6a225bfa1628958c9042c81b73c510bfc221f07a225c227d58ae7aa

SHA512
8d47874bcfb560ce96e4672d0496cb8c814910b4153452d5acd4805f48515ee2606cb784f8e8072118d757d70e77919bfeaa16be40966dd0462ae10c203891e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe

Filesize
375KB

MD5
9f93c9146cc6bdc8c806d47ec766b88b

SHA1
c3664b270e459746bf13e022b6f5953ea8a8999b

SHA256
696e1d82f6a225bfa1628958c9042c81b73c510bfc221f07a225c227d58ae7aa

SHA512
8d47874bcfb560ce96e4672d0496cb8c814910b4153452d5acd4805f48515ee2606cb784f8e8072118d757d70e77919bfeaa16be40966dd0462ae10c203891e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe

Filesize
169KB

MD5
fc8ed402ea7d2eb6a56e3a40358ce865

SHA1
a57472c960a4cfdf2b78020ac805183c74e1c303

SHA256
4aa7c8c121fa02ffd304074195383f658f24bd8c13e8faaebdf695cc7aac86ea

SHA512
26ffe9d871179c56865a30a597d1bae439c4b6a365d45da176d39923e153e2f180309d4ee6b5020e904bc13831257401dfa561c2d1c2998f91a5fa675fe5c88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe

Filesize
169KB

MD5
fc8ed402ea7d2eb6a56e3a40358ce865

SHA1
a57472c960a4cfdf2b78020ac805183c74e1c303

SHA256
4aa7c8c121fa02ffd304074195383f658f24bd8c13e8faaebdf695cc7aac86ea

SHA512
26ffe9d871179c56865a30a597d1bae439c4b6a365d45da176d39923e153e2f180309d4ee6b5020e904bc13831257401dfa561c2d1c2998f91a5fa675fe5c88d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe

Filesize
1.3MB

MD5
a009104805b87e61a133daf86b2f0d28

SHA1
f81925411eee2a56bdc0c0df72334fc359ea789e

SHA256
4c2c22d7a1861b06ff1aa70d916164d6e93fbe8d211a567b1a57857c02664c8e

SHA512
de4c4ef3efd72fb83d7e0e37e5e1d8a70b0215a1b6248a16a7e57327233369e38bced6cbfbe55415069a68256a426b94692c8ed4acd0af901313c5db3bbe2ae6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20481408.exe

Filesize
1.3MB

MD5
a009104805b87e61a133daf86b2f0d28

SHA1
f81925411eee2a56bdc0c0df72334fc359ea789e

SHA256
4c2c22d7a1861b06ff1aa70d916164d6e93fbe8d211a567b1a57857c02664c8e

SHA512
de4c4ef3efd72fb83d7e0e37e5e1d8a70b0215a1b6248a16a7e57327233369e38bced6cbfbe55415069a68256a426b94692c8ed4acd0af901313c5db3bbe2ae6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe

Filesize
1022KB

MD5
1305c1364227ba247ab15086130c0a0e

SHA1
09a303b36db249d54816c907f48e166220edfdd2

SHA256
095c9dad3566ad43e97a88d9cad19fd5070b4ca0100e122d899be4bf878226af

SHA512
8d72c9e00d1aabea9f6f6f8820e211dba535a86645d5cfcfd55d7b0bdc0101988ee5a9c6cc674f208fb40a60d615c83a0054c17f804f5d5242f9c68693441a1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08119169.exe

Filesize
1022KB

MD5
1305c1364227ba247ab15086130c0a0e

SHA1
09a303b36db249d54816c907f48e166220edfdd2

SHA256
095c9dad3566ad43e97a88d9cad19fd5070b4ca0100e122d899be4bf878226af

SHA512
8d72c9e00d1aabea9f6f6f8820e211dba535a86645d5cfcfd55d7b0bdc0101988ee5a9c6cc674f208fb40a60d615c83a0054c17f804f5d5242f9c68693441a1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe

Filesize
851KB

MD5
3ec693f04a4bc4b9c6900742fa6e1e11

SHA1
9a0321b2311db33927fb3e4e68f6cd3aad4e0097

SHA256
ba55928e7594cc4f29dc397488118d22b7cecef34a3f8d93b21713a6de4c2b4a

SHA512
22a5b3c1e909947932c25aa8b2447915e2e25b1f1c3ef2cb1caf42d565e840c4c56e73b907b789062f2b3d623cd06751675559ba6dca608107863ba0dc3b8457

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i19477093.exe

Filesize
851KB

MD5
3ec693f04a4bc4b9c6900742fa6e1e11

SHA1
9a0321b2311db33927fb3e4e68f6cd3aad4e0097

SHA256
ba55928e7594cc4f29dc397488118d22b7cecef34a3f8d93b21713a6de4c2b4a

SHA512
22a5b3c1e909947932c25aa8b2447915e2e25b1f1c3ef2cb1caf42d565e840c4c56e73b907b789062f2b3d623cd06751675559ba6dca608107863ba0dc3b8457

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe

Filesize
375KB

MD5
9f93c9146cc6bdc8c806d47ec766b88b

SHA1
c3664b270e459746bf13e022b6f5953ea8a8999b

SHA256
696e1d82f6a225bfa1628958c9042c81b73c510bfc221f07a225c227d58ae7aa

SHA512
8d47874bcfb560ce96e4672d0496cb8c814910b4153452d5acd4805f48515ee2606cb784f8e8072118d757d70e77919bfeaa16be40966dd0462ae10c203891e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i60574911.exe

Filesize
375KB

MD5
9f93c9146cc6bdc8c806d47ec766b88b

SHA1
c3664b270e459746bf13e022b6f5953ea8a8999b

SHA256
696e1d82f6a225bfa1628958c9042c81b73c510bfc221f07a225c227d58ae7aa

SHA512
8d47874bcfb560ce96e4672d0496cb8c814910b4153452d5acd4805f48515ee2606cb784f8e8072118d757d70e77919bfeaa16be40966dd0462ae10c203891e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe

Filesize
169KB

MD5
fc8ed402ea7d2eb6a56e3a40358ce865

SHA1
a57472c960a4cfdf2b78020ac805183c74e1c303

SHA256
4aa7c8c121fa02ffd304074195383f658f24bd8c13e8faaebdf695cc7aac86ea

SHA512
26ffe9d871179c56865a30a597d1bae439c4b6a365d45da176d39923e153e2f180309d4ee6b5020e904bc13831257401dfa561c2d1c2998f91a5fa675fe5c88d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a36899493.exe

Filesize
169KB

MD5
fc8ed402ea7d2eb6a56e3a40358ce865

SHA1
a57472c960a4cfdf2b78020ac805183c74e1c303

SHA256
4aa7c8c121fa02ffd304074195383f658f24bd8c13e8faaebdf695cc7aac86ea

SHA512
26ffe9d871179c56865a30a597d1bae439c4b6a365d45da176d39923e153e2f180309d4ee6b5020e904bc13831257401dfa561c2d1c2998f91a5fa675fe5c88d

Download Submit
memory/1348-104-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/1348-105-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1348-106-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1348-107-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download