redline | 00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703

Analysis

max time kernel
129s
max time network
171s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe
Size

1.5MB
MD5

eed9f9e3f24d66a9b1a665384e9edfa3
SHA1

15c21bfecff3c464de57a1825459e8c8bff93422
SHA256

00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703
SHA512

70da9d013e016f61d956169d47e2e64b7f10757cdcae9726e428e773592772fa156dd8138cca12ca01d3d97ab65f4e02c8b481d32b5fae0bbbedc2c4bb6294a3
SSDEEP

24576:ZySRTzcLyMnrYESFtREH4HrwA9EVdNMdSZ/JRT4OQ/7Z2B1xfYxI+3UTz6a7uTQ5:MKcjrYzFtRmDiiRN4OQADxfuCX7uTQ

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
452	i21298638.exe
656	i69044578.exe
1892	i00227076.exe
976	i11804342.exe
1644	a60381939.exe

Loads dropped DLL 10 IoCs

pid	Process
1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe
452	i21298638.exe
452	i21298638.exe
656	i69044578.exe
656	i69044578.exe
1892	i00227076.exe
1892	i00227076.exe
976	i11804342.exe
976	i11804342.exe
1644	a60381939.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i11804342.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i69044578.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i00227076.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i69044578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i00227076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i11804342.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21298638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i21298638.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 1660 wrote to memory of 452	1660	00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe	28
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 452 wrote to memory of 656	452	i21298638.exe	29
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 656 wrote to memory of 1892	656	i69044578.exe	30
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 1892 wrote to memory of 976	1892	i00227076.exe	31
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32
PID 976 wrote to memory of 1644	976	i11804342.exe	32

C:\Users\Admin\AppData\Local\Temp\00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe
"C:\Users\Admin\AppData\Local\Temp\00e6a60181beb527c84fd04b1bc029d8598ddec9b6fa91d9326404b00f5f1703.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe

Filesize
1.3MB

MD5
0792370cdde8dd96fcd09cd3ffc2112a

SHA1
f6ecb7249e7df3425eb0f63fbfbdaafbb691bdee

SHA256
cb09f10070879116584aa17c417b325e4bdabb93d79737a6f963c3bf7d210a5b

SHA512
54355134ae8216a994418073860d3784f4d26a3226c2e009fbe15e0f6cd20a5e6b617a86e7690cdb1c88a72c7c0a0f184d5e6d372d60eb4e9cbd2daf615b847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe

Filesize
1.3MB

MD5
0792370cdde8dd96fcd09cd3ffc2112a

SHA1
f6ecb7249e7df3425eb0f63fbfbdaafbb691bdee

SHA256
cb09f10070879116584aa17c417b325e4bdabb93d79737a6f963c3bf7d210a5b

SHA512
54355134ae8216a994418073860d3784f4d26a3226c2e009fbe15e0f6cd20a5e6b617a86e7690cdb1c88a72c7c0a0f184d5e6d372d60eb4e9cbd2daf615b847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe

Filesize
1015KB

MD5
aaa006e1b847020d8fc70b885eec00cd

SHA1
a1b6964c8b785d6dd9bb08663a759268b7d0806f

SHA256
b79b8004a1381bfa0993e431349516133f8b2639f0310bdfc5252200078bfcaf

SHA512
fcf531004c3d8f10a8e5608a80d0e81e1e12d6863074fd185742428004cdd859d76c6aa76773197b3da8cce2c7e7ad790c15361f59d95ba0b560d2d17d0b4731

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe

Filesize
1015KB

MD5
aaa006e1b847020d8fc70b885eec00cd

SHA1
a1b6964c8b785d6dd9bb08663a759268b7d0806f

SHA256
b79b8004a1381bfa0993e431349516133f8b2639f0310bdfc5252200078bfcaf

SHA512
fcf531004c3d8f10a8e5608a80d0e81e1e12d6863074fd185742428004cdd859d76c6aa76773197b3da8cce2c7e7ad790c15361f59d95ba0b560d2d17d0b4731

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe

Filesize
843KB

MD5
0587558d235a73ee886f30e83a99f6ca

SHA1
179d8af1bf467af3fab29b9f5e365696e2275732

SHA256
a78b9edbd3a42bfba6ba2e672e298aebc5e49106066cb9e9407f396f17ace161

SHA512
eaaaa01d603ba708d65f85a58f141e799ba580c4d67b49de17d6edf7f64ed1df6c2852189f5da7a5b973f1a8efc5916bdaeac867862fbe3e42bec3fe4fc0d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe

Filesize
843KB

MD5
0587558d235a73ee886f30e83a99f6ca

SHA1
179d8af1bf467af3fab29b9f5e365696e2275732

SHA256
a78b9edbd3a42bfba6ba2e672e298aebc5e49106066cb9e9407f396f17ace161

SHA512
eaaaa01d603ba708d65f85a58f141e799ba580c4d67b49de17d6edf7f64ed1df6c2852189f5da7a5b973f1a8efc5916bdaeac867862fbe3e42bec3fe4fc0d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe

Filesize
371KB

MD5
801b1bb6167e2c753adcce6f373b500d

SHA1
c4d05d63a17b4b8df539d2b96929e96540e11472

SHA256
baadf228e8c689dcc7bf68d67a63ef477d239cbefbba626897c9ec7ccf4e4456

SHA512
7676ff0d0618718c805355b0879e1c7bef2142396883cfef1498a613bbc92ba71c6cead2b8c61a6b436585546db147441b2daca1ef197984b8c1ccbca370d50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe

Filesize
371KB

MD5
801b1bb6167e2c753adcce6f373b500d

SHA1
c4d05d63a17b4b8df539d2b96929e96540e11472

SHA256
baadf228e8c689dcc7bf68d67a63ef477d239cbefbba626897c9ec7ccf4e4456

SHA512
7676ff0d0618718c805355b0879e1c7bef2142396883cfef1498a613bbc92ba71c6cead2b8c61a6b436585546db147441b2daca1ef197984b8c1ccbca370d50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe

Filesize
169KB

MD5
1d47d6db40d10b3c9701e9f6c88fe9cf

SHA1
e52c0b594e3ac92c9cfd2643f0a408c751dccbcb

SHA256
4cd3ad0ac42a06ab0c1fbfbd6dd9d6211a87419b327d5df193ab399bc36db12c

SHA512
6453ac94e8cd4138486da2f91ba0f2c866c7dc2e8019317e65fc62f4abbc6999a44f968ebf5c1cf2fc28ad474736a0e7f54e2be364061577def4ee3792febb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe

Filesize
169KB

MD5
1d47d6db40d10b3c9701e9f6c88fe9cf

SHA1
e52c0b594e3ac92c9cfd2643f0a408c751dccbcb

SHA256
4cd3ad0ac42a06ab0c1fbfbd6dd9d6211a87419b327d5df193ab399bc36db12c

SHA512
6453ac94e8cd4138486da2f91ba0f2c866c7dc2e8019317e65fc62f4abbc6999a44f968ebf5c1cf2fc28ad474736a0e7f54e2be364061577def4ee3792febb0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe

Filesize
1.3MB

MD5
0792370cdde8dd96fcd09cd3ffc2112a

SHA1
f6ecb7249e7df3425eb0f63fbfbdaafbb691bdee

SHA256
cb09f10070879116584aa17c417b325e4bdabb93d79737a6f963c3bf7d210a5b

SHA512
54355134ae8216a994418073860d3784f4d26a3226c2e009fbe15e0f6cd20a5e6b617a86e7690cdb1c88a72c7c0a0f184d5e6d372d60eb4e9cbd2daf615b847f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i21298638.exe

Filesize
1.3MB

MD5
0792370cdde8dd96fcd09cd3ffc2112a

SHA1
f6ecb7249e7df3425eb0f63fbfbdaafbb691bdee

SHA256
cb09f10070879116584aa17c417b325e4bdabb93d79737a6f963c3bf7d210a5b

SHA512
54355134ae8216a994418073860d3784f4d26a3226c2e009fbe15e0f6cd20a5e6b617a86e7690cdb1c88a72c7c0a0f184d5e6d372d60eb4e9cbd2daf615b847f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe

Filesize
1015KB

MD5
aaa006e1b847020d8fc70b885eec00cd

SHA1
a1b6964c8b785d6dd9bb08663a759268b7d0806f

SHA256
b79b8004a1381bfa0993e431349516133f8b2639f0310bdfc5252200078bfcaf

SHA512
fcf531004c3d8f10a8e5608a80d0e81e1e12d6863074fd185742428004cdd859d76c6aa76773197b3da8cce2c7e7ad790c15361f59d95ba0b560d2d17d0b4731

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69044578.exe

Filesize
1015KB

MD5
aaa006e1b847020d8fc70b885eec00cd

SHA1
a1b6964c8b785d6dd9bb08663a759268b7d0806f

SHA256
b79b8004a1381bfa0993e431349516133f8b2639f0310bdfc5252200078bfcaf

SHA512
fcf531004c3d8f10a8e5608a80d0e81e1e12d6863074fd185742428004cdd859d76c6aa76773197b3da8cce2c7e7ad790c15361f59d95ba0b560d2d17d0b4731

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe

Filesize
843KB

MD5
0587558d235a73ee886f30e83a99f6ca

SHA1
179d8af1bf467af3fab29b9f5e365696e2275732

SHA256
a78b9edbd3a42bfba6ba2e672e298aebc5e49106066cb9e9407f396f17ace161

SHA512
eaaaa01d603ba708d65f85a58f141e799ba580c4d67b49de17d6edf7f64ed1df6c2852189f5da7a5b973f1a8efc5916bdaeac867862fbe3e42bec3fe4fc0d5d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00227076.exe

Filesize
843KB

MD5
0587558d235a73ee886f30e83a99f6ca

SHA1
179d8af1bf467af3fab29b9f5e365696e2275732

SHA256
a78b9edbd3a42bfba6ba2e672e298aebc5e49106066cb9e9407f396f17ace161

SHA512
eaaaa01d603ba708d65f85a58f141e799ba580c4d67b49de17d6edf7f64ed1df6c2852189f5da7a5b973f1a8efc5916bdaeac867862fbe3e42bec3fe4fc0d5d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe

Filesize
371KB

MD5
801b1bb6167e2c753adcce6f373b500d

SHA1
c4d05d63a17b4b8df539d2b96929e96540e11472

SHA256
baadf228e8c689dcc7bf68d67a63ef477d239cbefbba626897c9ec7ccf4e4456

SHA512
7676ff0d0618718c805355b0879e1c7bef2142396883cfef1498a613bbc92ba71c6cead2b8c61a6b436585546db147441b2daca1ef197984b8c1ccbca370d50a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i11804342.exe

Filesize
371KB

MD5
801b1bb6167e2c753adcce6f373b500d

SHA1
c4d05d63a17b4b8df539d2b96929e96540e11472

SHA256
baadf228e8c689dcc7bf68d67a63ef477d239cbefbba626897c9ec7ccf4e4456

SHA512
7676ff0d0618718c805355b0879e1c7bef2142396883cfef1498a613bbc92ba71c6cead2b8c61a6b436585546db147441b2daca1ef197984b8c1ccbca370d50a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe

Filesize
169KB

MD5
1d47d6db40d10b3c9701e9f6c88fe9cf

SHA1
e52c0b594e3ac92c9cfd2643f0a408c751dccbcb

SHA256
4cd3ad0ac42a06ab0c1fbfbd6dd9d6211a87419b327d5df193ab399bc36db12c

SHA512
6453ac94e8cd4138486da2f91ba0f2c866c7dc2e8019317e65fc62f4abbc6999a44f968ebf5c1cf2fc28ad474736a0e7f54e2be364061577def4ee3792febb0a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60381939.exe

Filesize
169KB

MD5
1d47d6db40d10b3c9701e9f6c88fe9cf

SHA1
e52c0b594e3ac92c9cfd2643f0a408c751dccbcb

SHA256
4cd3ad0ac42a06ab0c1fbfbd6dd9d6211a87419b327d5df193ab399bc36db12c

SHA512
6453ac94e8cd4138486da2f91ba0f2c866c7dc2e8019317e65fc62f4abbc6999a44f968ebf5c1cf2fc28ad474736a0e7f54e2be364061577def4ee3792febb0a

Download Submit
memory/1644-104-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/1644-105-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/1644-106-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1644-107-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download