redline | 0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33

Analysis

max time kernel
181s
max time network
190s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe
Size

1.5MB
MD5

2c207d98b3aa5d45c10e031b93004941
SHA1

97c5f5de4d19cae8b0833e0a0ef50881efac4a86
SHA256

0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33
SHA512

309100a9069c2a18f3f30f589fd6db0e5ef28486d7293b9ff42bde1766ae8e17d0e9bdf9de42a6dcfa65c827e64ddbb64cc359b420901af483212e37780e0fdb
SSDEEP

24576:SyOT8eilGcBNJsgO5QIcPrUILw/qLob93XZbmIgsUz69FyxMRvIKOR2hiljP5Foe:52BiTZ3PDk/qLqHZbZgsUeSQOMhiljIK

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
340	i37910198.exe
580	i46332247.exe
1480	i03325045.exe
1776	i07756389.exe
1528	a76498526.exe

Loads dropped DLL 10 IoCs

pid	Process
1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe
340	i37910198.exe
340	i37910198.exe
580	i46332247.exe
580	i46332247.exe
1480	i03325045.exe
1480	i03325045.exe
1776	i07756389.exe
1776	i07756389.exe
1528	a76498526.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i46332247.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i03325045.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i07756389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i07756389.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i37910198.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i46332247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i03325045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i37910198.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 1348 wrote to memory of 340	1348	0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe	28
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 340 wrote to memory of 580	340	i37910198.exe	29
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 580 wrote to memory of 1480	580	i46332247.exe	30
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1480 wrote to memory of 1776	1480	i03325045.exe	31
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32
PID 1776 wrote to memory of 1528	1776	i07756389.exe	32

C:\Users\Admin\AppData\Local\Temp\0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0742df311ff410c039367a10a666119f420e58134fc7b2bb956c691e74f6af33.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe

Filesize
1.3MB

MD5
c02715c9e6ab2cf8cd6b6f60a97b5954

SHA1
c83555458817ee49f47b346da1f92e312b968c98

SHA256
6c1edd57cf7df2c17ff078831b27d6c0da53aae683c20e41777f2c2d2d6b775b

SHA512
ba921eeef88e7333e5766c0104d564449c1f993520ff8e35628cb58ca2ddcd1c6162a910f0eba85b560c5cb2b938fdb24aaa40f6a978c01a58e4201a705018cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe

Filesize
1.3MB

MD5
c02715c9e6ab2cf8cd6b6f60a97b5954

SHA1
c83555458817ee49f47b346da1f92e312b968c98

SHA256
6c1edd57cf7df2c17ff078831b27d6c0da53aae683c20e41777f2c2d2d6b775b

SHA512
ba921eeef88e7333e5766c0104d564449c1f993520ff8e35628cb58ca2ddcd1c6162a910f0eba85b560c5cb2b938fdb24aaa40f6a978c01a58e4201a705018cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe

Filesize
1016KB

MD5
4f0797a08587f50c3f2d981dcf357f39

SHA1
5a06edd7231fd2f3e6c05668d521de82dacfea2c

SHA256
5ba236189821f5029c75d9bd07f8091729376a7d3ba91d9fcf0dfa973168ab07

SHA512
ce342fd94bb4cf4ee33e4cf5ee17ed87468259423842caea325cecefdb2d9f8db8c8eacd0099c5cec4dea0a09d8cb26f9dfd77bd9f644dfed4548ee812cbe52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe

Filesize
1016KB

MD5
4f0797a08587f50c3f2d981dcf357f39

SHA1
5a06edd7231fd2f3e6c05668d521de82dacfea2c

SHA256
5ba236189821f5029c75d9bd07f8091729376a7d3ba91d9fcf0dfa973168ab07

SHA512
ce342fd94bb4cf4ee33e4cf5ee17ed87468259423842caea325cecefdb2d9f8db8c8eacd0099c5cec4dea0a09d8cb26f9dfd77bd9f644dfed4548ee812cbe52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe

Filesize
844KB

MD5
1e2c8e5e024a8de16bdd0633c4b92eed

SHA1
3990aa36fe2f16b58fb31b91b1a003ccf9f33439

SHA256
03e5f937e1620da76062e9d23196169547aa2c74a78dcfe85d4864f404a4b2ce

SHA512
befacedc964acc03c9036c07dee23ce31faf8a3cd33568d7213029c130c2884b858956d8747d58dad4efe930f5593db42147b1b03060a8fde53321451a745c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe

Filesize
844KB

MD5
1e2c8e5e024a8de16bdd0633c4b92eed

SHA1
3990aa36fe2f16b58fb31b91b1a003ccf9f33439

SHA256
03e5f937e1620da76062e9d23196169547aa2c74a78dcfe85d4864f404a4b2ce

SHA512
befacedc964acc03c9036c07dee23ce31faf8a3cd33568d7213029c130c2884b858956d8747d58dad4efe930f5593db42147b1b03060a8fde53321451a745c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe

Filesize
371KB

MD5
8f4f1254765fde2fe876e43f2f11447e

SHA1
14eba25e225c46e718bafd33d5cba462aabde0db

SHA256
fc9cc4c90257d8bd8824ff755c14f5683ba61814cb80534b7c772559e2c4e815

SHA512
bda8b5b15dcead23366dd1d91b3b99a3ff351d3a925713417340f4e327c232066d0c5d486167b03971102d49df103d6fbc21a1a5c7297cf4508f4a0dd673ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe

Filesize
371KB

MD5
8f4f1254765fde2fe876e43f2f11447e

SHA1
14eba25e225c46e718bafd33d5cba462aabde0db

SHA256
fc9cc4c90257d8bd8824ff755c14f5683ba61814cb80534b7c772559e2c4e815

SHA512
bda8b5b15dcead23366dd1d91b3b99a3ff351d3a925713417340f4e327c232066d0c5d486167b03971102d49df103d6fbc21a1a5c7297cf4508f4a0dd673ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe

Filesize
169KB

MD5
cf2f4f11279cfeb2c10c4604735b4929

SHA1
2b98c6d839c27b94bbf9d8222b2b51dce7e10499

SHA256
2341c2f72aad7e9d303648829aaceff3d23649e0630585bea9d37dcb7a599c51

SHA512
1c70268b17c44cd23f729db93c9f79f76b315174bd738612cad35126f706e8762d97eb9d3279a8d3b20eac39cb9c9f43638b6e61a90748eeddbdad7dd3bcf200

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe

Filesize
169KB

MD5
cf2f4f11279cfeb2c10c4604735b4929

SHA1
2b98c6d839c27b94bbf9d8222b2b51dce7e10499

SHA256
2341c2f72aad7e9d303648829aaceff3d23649e0630585bea9d37dcb7a599c51

SHA512
1c70268b17c44cd23f729db93c9f79f76b315174bd738612cad35126f706e8762d97eb9d3279a8d3b20eac39cb9c9f43638b6e61a90748eeddbdad7dd3bcf200

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe

Filesize
1.3MB

MD5
c02715c9e6ab2cf8cd6b6f60a97b5954

SHA1
c83555458817ee49f47b346da1f92e312b968c98

SHA256
6c1edd57cf7df2c17ff078831b27d6c0da53aae683c20e41777f2c2d2d6b775b

SHA512
ba921eeef88e7333e5766c0104d564449c1f993520ff8e35628cb58ca2ddcd1c6162a910f0eba85b560c5cb2b938fdb24aaa40f6a978c01a58e4201a705018cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i37910198.exe

Filesize
1.3MB

MD5
c02715c9e6ab2cf8cd6b6f60a97b5954

SHA1
c83555458817ee49f47b346da1f92e312b968c98

SHA256
6c1edd57cf7df2c17ff078831b27d6c0da53aae683c20e41777f2c2d2d6b775b

SHA512
ba921eeef88e7333e5766c0104d564449c1f993520ff8e35628cb58ca2ddcd1c6162a910f0eba85b560c5cb2b938fdb24aaa40f6a978c01a58e4201a705018cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe

Filesize
1016KB

MD5
4f0797a08587f50c3f2d981dcf357f39

SHA1
5a06edd7231fd2f3e6c05668d521de82dacfea2c

SHA256
5ba236189821f5029c75d9bd07f8091729376a7d3ba91d9fcf0dfa973168ab07

SHA512
ce342fd94bb4cf4ee33e4cf5ee17ed87468259423842caea325cecefdb2d9f8db8c8eacd0099c5cec4dea0a09d8cb26f9dfd77bd9f644dfed4548ee812cbe52e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46332247.exe

Filesize
1016KB

MD5
4f0797a08587f50c3f2d981dcf357f39

SHA1
5a06edd7231fd2f3e6c05668d521de82dacfea2c

SHA256
5ba236189821f5029c75d9bd07f8091729376a7d3ba91d9fcf0dfa973168ab07

SHA512
ce342fd94bb4cf4ee33e4cf5ee17ed87468259423842caea325cecefdb2d9f8db8c8eacd0099c5cec4dea0a09d8cb26f9dfd77bd9f644dfed4548ee812cbe52e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe

Filesize
844KB

MD5
1e2c8e5e024a8de16bdd0633c4b92eed

SHA1
3990aa36fe2f16b58fb31b91b1a003ccf9f33439

SHA256
03e5f937e1620da76062e9d23196169547aa2c74a78dcfe85d4864f404a4b2ce

SHA512
befacedc964acc03c9036c07dee23ce31faf8a3cd33568d7213029c130c2884b858956d8747d58dad4efe930f5593db42147b1b03060a8fde53321451a745c40

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03325045.exe

Filesize
844KB

MD5
1e2c8e5e024a8de16bdd0633c4b92eed

SHA1
3990aa36fe2f16b58fb31b91b1a003ccf9f33439

SHA256
03e5f937e1620da76062e9d23196169547aa2c74a78dcfe85d4864f404a4b2ce

SHA512
befacedc964acc03c9036c07dee23ce31faf8a3cd33568d7213029c130c2884b858956d8747d58dad4efe930f5593db42147b1b03060a8fde53321451a745c40

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe

Filesize
371KB

MD5
8f4f1254765fde2fe876e43f2f11447e

SHA1
14eba25e225c46e718bafd33d5cba462aabde0db

SHA256
fc9cc4c90257d8bd8824ff755c14f5683ba61814cb80534b7c772559e2c4e815

SHA512
bda8b5b15dcead23366dd1d91b3b99a3ff351d3a925713417340f4e327c232066d0c5d486167b03971102d49df103d6fbc21a1a5c7297cf4508f4a0dd673ea89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07756389.exe

Filesize
371KB

MD5
8f4f1254765fde2fe876e43f2f11447e

SHA1
14eba25e225c46e718bafd33d5cba462aabde0db

SHA256
fc9cc4c90257d8bd8824ff755c14f5683ba61814cb80534b7c772559e2c4e815

SHA512
bda8b5b15dcead23366dd1d91b3b99a3ff351d3a925713417340f4e327c232066d0c5d486167b03971102d49df103d6fbc21a1a5c7297cf4508f4a0dd673ea89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe

Filesize
169KB

MD5
cf2f4f11279cfeb2c10c4604735b4929

SHA1
2b98c6d839c27b94bbf9d8222b2b51dce7e10499

SHA256
2341c2f72aad7e9d303648829aaceff3d23649e0630585bea9d37dcb7a599c51

SHA512
1c70268b17c44cd23f729db93c9f79f76b315174bd738612cad35126f706e8762d97eb9d3279a8d3b20eac39cb9c9f43638b6e61a90748eeddbdad7dd3bcf200

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76498526.exe

Filesize
169KB

MD5
cf2f4f11279cfeb2c10c4604735b4929

SHA1
2b98c6d839c27b94bbf9d8222b2b51dce7e10499

SHA256
2341c2f72aad7e9d303648829aaceff3d23649e0630585bea9d37dcb7a599c51

SHA512
1c70268b17c44cd23f729db93c9f79f76b315174bd738612cad35126f706e8762d97eb9d3279a8d3b20eac39cb9c9f43638b6e61a90748eeddbdad7dd3bcf200

Download Submit
memory/1528-104-0x0000000000A80000-0x0000000000AB0000-memory.dmp

Filesize
192KB

Download
memory/1528-105-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1528-106-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/1528-107-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download