redline | 0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa

Analysis

max time kernel
145s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe
Size

1.5MB
MD5

e12930e77c5c5bcd02a327f4973064cc
SHA1

55751d89011410484203afdd50e8df712d75a656
SHA256

0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa
SHA512

8c7f29413723c2cd56aeb1564996f26656b79fc89ecf6886a747557618ac04e5a99039ef9df18339cfc5f6014b9498749dea77146e4f1e38baec76d5e3a821ea
SSDEEP

24576:nyEKLa6PDbCd/NCvSpapbT/eqx+2B10wGsGBcFymTX6gi9WQ0stzOfO:yTu6P3Cd0vSpaJDeqxrj0/s7Ft6giAV9

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2016	i00187533.exe
760	i15520910.exe
268	i79487313.exe
1964	i17803617.exe
1524	a23910606.exe

Loads dropped DLL 10 IoCs

pid	Process
1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe
2016	i00187533.exe
2016	i00187533.exe
760	i15520910.exe
760	i15520910.exe
268	i79487313.exe
268	i79487313.exe
1964	i17803617.exe
1964	i17803617.exe
1524	a23910606.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i00187533.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i15520910.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i79487313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i79487313.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i17803617.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i00187533.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i15520910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i17803617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 1744 wrote to memory of 2016	1744	0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe	28
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 2016 wrote to memory of 760	2016	i00187533.exe	29
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 760 wrote to memory of 268	760	i15520910.exe	30
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 268 wrote to memory of 1964	268	i79487313.exe	31
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32
PID 1964 wrote to memory of 1524	1964	i17803617.exe	32

C:\Users\Admin\AppData\Local\Temp\0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe
"C:\Users\Admin\AppData\Local\Temp\0daa13920d227615b65fe0818973f4ddd4f9547c3dd3a51083d9edc18aed50aa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe

Filesize
1.3MB

MD5
1711e44ce30ae601f6eb9cad22e6342f

SHA1
1bbe5dcdd634876f6b492f4445cde9ed0f091c8d

SHA256
60b20a910781473f8c4fe10c3f5c5fe482134ccded597cbe34ac82c8031908dd

SHA512
99cee7f69d0d474b71ea9d036aa7b2548820f0a2eb3e4fd131ea655d4119ca00db6aa22597611e3b89628ad9640d7d613f742a742efc3e8b29fa76406091a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe

Filesize
1.3MB

MD5
1711e44ce30ae601f6eb9cad22e6342f

SHA1
1bbe5dcdd634876f6b492f4445cde9ed0f091c8d

SHA256
60b20a910781473f8c4fe10c3f5c5fe482134ccded597cbe34ac82c8031908dd

SHA512
99cee7f69d0d474b71ea9d036aa7b2548820f0a2eb3e4fd131ea655d4119ca00db6aa22597611e3b89628ad9640d7d613f742a742efc3e8b29fa76406091a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe

Filesize
1015KB

MD5
72400a18c81fce759519df5fcdf5baf9

SHA1
081d98377e3a825e08f93b455650aeda3a592c0d

SHA256
eab513a0ca3004841a4d5a2cf2d89d5e8049474db6ee78c0610bea4180c9020e

SHA512
513d135efd9536dbe6aceeb318e75bcb1a5f598b157d172f40cc26cb0ab80de231f277ea83c51163ae543dab99b40ebfc8191e2056b06e253d6d670e8e6ed040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe

Filesize
1015KB

MD5
72400a18c81fce759519df5fcdf5baf9

SHA1
081d98377e3a825e08f93b455650aeda3a592c0d

SHA256
eab513a0ca3004841a4d5a2cf2d89d5e8049474db6ee78c0610bea4180c9020e

SHA512
513d135efd9536dbe6aceeb318e75bcb1a5f598b157d172f40cc26cb0ab80de231f277ea83c51163ae543dab99b40ebfc8191e2056b06e253d6d670e8e6ed040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe

Filesize
843KB

MD5
6c549160b899e49a50d3b720ddd022e7

SHA1
99caaa6422bb80fd416c816445ff954f58ae3ea9

SHA256
736c4638ee4e033896ec501b0eb6cfef25eb53a74532161708f927fa238d898e

SHA512
720245f059e091e5b551046ac276fc720354bffa565f05acc7116a226afd1c554fcaca431f4f2fa2faeeb63bff7467c66ae0b40ac695d78a0c784f55f0d29b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe

Filesize
843KB

MD5
6c549160b899e49a50d3b720ddd022e7

SHA1
99caaa6422bb80fd416c816445ff954f58ae3ea9

SHA256
736c4638ee4e033896ec501b0eb6cfef25eb53a74532161708f927fa238d898e

SHA512
720245f059e091e5b551046ac276fc720354bffa565f05acc7116a226afd1c554fcaca431f4f2fa2faeeb63bff7467c66ae0b40ac695d78a0c784f55f0d29b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe

Filesize
370KB

MD5
ec80eff06c84cb746577780112a362c1

SHA1
faf8c48eb7dfb45d3d3452afd523c6f08aa17c54

SHA256
483380d35941de6bbd2dcedf8cb864786eb6c3b62e0627646764d55a86d48146

SHA512
214bd7fc9d9236f14d53c6fa0df25f6e1527a92a651ba55b23a5f97f9b2290066c2906a5db94423767ad3b3cf2f89b2990488c3c95e86755d6a0de36429c2698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe

Filesize
370KB

MD5
ec80eff06c84cb746577780112a362c1

SHA1
faf8c48eb7dfb45d3d3452afd523c6f08aa17c54

SHA256
483380d35941de6bbd2dcedf8cb864786eb6c3b62e0627646764d55a86d48146

SHA512
214bd7fc9d9236f14d53c6fa0df25f6e1527a92a651ba55b23a5f97f9b2290066c2906a5db94423767ad3b3cf2f89b2990488c3c95e86755d6a0de36429c2698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe

Filesize
169KB

MD5
72c347b589437fbbf982db5c25b783aa

SHA1
73f6fd67a5c56f4a93508d51772d5e991bfaacc9

SHA256
e26ec3fa8aa75893c62d0b8fced2f05d2b1a2e074b7e3b86ca0d4e84d0a55894

SHA512
8b16e85337672c4a8f99b4947c5f5adbc39e00485ddf6bb0160346f78e46f34f436d94da61cc94427e0655fa6f9fa7c76f1c25a2af240fa0c76bba47a539bb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe

Filesize
169KB

MD5
72c347b589437fbbf982db5c25b783aa

SHA1
73f6fd67a5c56f4a93508d51772d5e991bfaacc9

SHA256
e26ec3fa8aa75893c62d0b8fced2f05d2b1a2e074b7e3b86ca0d4e84d0a55894

SHA512
8b16e85337672c4a8f99b4947c5f5adbc39e00485ddf6bb0160346f78e46f34f436d94da61cc94427e0655fa6f9fa7c76f1c25a2af240fa0c76bba47a539bb8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe

Filesize
1.3MB

MD5
1711e44ce30ae601f6eb9cad22e6342f

SHA1
1bbe5dcdd634876f6b492f4445cde9ed0f091c8d

SHA256
60b20a910781473f8c4fe10c3f5c5fe482134ccded597cbe34ac82c8031908dd

SHA512
99cee7f69d0d474b71ea9d036aa7b2548820f0a2eb3e4fd131ea655d4119ca00db6aa22597611e3b89628ad9640d7d613f742a742efc3e8b29fa76406091a2fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i00187533.exe

Filesize
1.3MB

MD5
1711e44ce30ae601f6eb9cad22e6342f

SHA1
1bbe5dcdd634876f6b492f4445cde9ed0f091c8d

SHA256
60b20a910781473f8c4fe10c3f5c5fe482134ccded597cbe34ac82c8031908dd

SHA512
99cee7f69d0d474b71ea9d036aa7b2548820f0a2eb3e4fd131ea655d4119ca00db6aa22597611e3b89628ad9640d7d613f742a742efc3e8b29fa76406091a2fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe

Filesize
1015KB

MD5
72400a18c81fce759519df5fcdf5baf9

SHA1
081d98377e3a825e08f93b455650aeda3a592c0d

SHA256
eab513a0ca3004841a4d5a2cf2d89d5e8049474db6ee78c0610bea4180c9020e

SHA512
513d135efd9536dbe6aceeb318e75bcb1a5f598b157d172f40cc26cb0ab80de231f277ea83c51163ae543dab99b40ebfc8191e2056b06e253d6d670e8e6ed040

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i15520910.exe

Filesize
1015KB

MD5
72400a18c81fce759519df5fcdf5baf9

SHA1
081d98377e3a825e08f93b455650aeda3a592c0d

SHA256
eab513a0ca3004841a4d5a2cf2d89d5e8049474db6ee78c0610bea4180c9020e

SHA512
513d135efd9536dbe6aceeb318e75bcb1a5f598b157d172f40cc26cb0ab80de231f277ea83c51163ae543dab99b40ebfc8191e2056b06e253d6d670e8e6ed040

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe

Filesize
843KB

MD5
6c549160b899e49a50d3b720ddd022e7

SHA1
99caaa6422bb80fd416c816445ff954f58ae3ea9

SHA256
736c4638ee4e033896ec501b0eb6cfef25eb53a74532161708f927fa238d898e

SHA512
720245f059e091e5b551046ac276fc720354bffa565f05acc7116a226afd1c554fcaca431f4f2fa2faeeb63bff7467c66ae0b40ac695d78a0c784f55f0d29b9e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79487313.exe

Filesize
843KB

MD5
6c549160b899e49a50d3b720ddd022e7

SHA1
99caaa6422bb80fd416c816445ff954f58ae3ea9

SHA256
736c4638ee4e033896ec501b0eb6cfef25eb53a74532161708f927fa238d898e

SHA512
720245f059e091e5b551046ac276fc720354bffa565f05acc7116a226afd1c554fcaca431f4f2fa2faeeb63bff7467c66ae0b40ac695d78a0c784f55f0d29b9e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe

Filesize
370KB

MD5
ec80eff06c84cb746577780112a362c1

SHA1
faf8c48eb7dfb45d3d3452afd523c6f08aa17c54

SHA256
483380d35941de6bbd2dcedf8cb864786eb6c3b62e0627646764d55a86d48146

SHA512
214bd7fc9d9236f14d53c6fa0df25f6e1527a92a651ba55b23a5f97f9b2290066c2906a5db94423767ad3b3cf2f89b2990488c3c95e86755d6a0de36429c2698

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17803617.exe

Filesize
370KB

MD5
ec80eff06c84cb746577780112a362c1

SHA1
faf8c48eb7dfb45d3d3452afd523c6f08aa17c54

SHA256
483380d35941de6bbd2dcedf8cb864786eb6c3b62e0627646764d55a86d48146

SHA512
214bd7fc9d9236f14d53c6fa0df25f6e1527a92a651ba55b23a5f97f9b2290066c2906a5db94423767ad3b3cf2f89b2990488c3c95e86755d6a0de36429c2698

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe

Filesize
169KB

MD5
72c347b589437fbbf982db5c25b783aa

SHA1
73f6fd67a5c56f4a93508d51772d5e991bfaacc9

SHA256
e26ec3fa8aa75893c62d0b8fced2f05d2b1a2e074b7e3b86ca0d4e84d0a55894

SHA512
8b16e85337672c4a8f99b4947c5f5adbc39e00485ddf6bb0160346f78e46f34f436d94da61cc94427e0655fa6f9fa7c76f1c25a2af240fa0c76bba47a539bb8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a23910606.exe

Filesize
169KB

MD5
72c347b589437fbbf982db5c25b783aa

SHA1
73f6fd67a5c56f4a93508d51772d5e991bfaacc9

SHA256
e26ec3fa8aa75893c62d0b8fced2f05d2b1a2e074b7e3b86ca0d4e84d0a55894

SHA512
8b16e85337672c4a8f99b4947c5f5adbc39e00485ddf6bb0160346f78e46f34f436d94da61cc94427e0655fa6f9fa7c76f1c25a2af240fa0c76bba47a539bb8b

Download Submit
memory/1524-104-0x0000000001280000-0x00000000012B0000-memory.dmp

Filesize
192KB

Download
memory/1524-105-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1524-106-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1524-107-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download