redline | 03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe
Size

1.5MB
MD5

dbc7f3dddfbf1b53f5d89cad9a214000
SHA1

319f066b43933f3de580cdf9f542268e1e70f87b
SHA256

03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5
SHA512

c04bc19a5a3c83418b40daf910f8052b410b7fe72786cd0fb692fb524326e5ae3a2e3567a143b4749e6391d85afeeed28980db99fc07a8599a66003ea4ab9c7b
SSDEEP

24576:cyr//pQTAgHR6uZfAgvw09G1jHY0LdfYWZ/dPPW54paBhFo+fxbTZS:LrHCPR6u3w0E17xmG+JTfNZ

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1696	i92142893.exe
1432	i52462854.exe
1868	i09992586.exe
1176	i55267549.exe
976	a55033539.exe

Loads dropped DLL 10 IoCs

pid	Process
1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe
1696	i92142893.exe
1696	i92142893.exe
1432	i52462854.exe
1432	i52462854.exe
1868	i09992586.exe
1868	i09992586.exe
1176	i55267549.exe
1176	i55267549.exe
976	a55033539.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i92142893.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i55267549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i55267549.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i92142893.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52462854.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i52462854.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i09992586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i09992586.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1592 wrote to memory of 1696	1592	03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe	28
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1696 wrote to memory of 1432	1696	i92142893.exe	29
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1432 wrote to memory of 1868	1432	i52462854.exe	30
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1868 wrote to memory of 1176	1868	i09992586.exe	31
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32
PID 1176 wrote to memory of 976	1176	i55267549.exe	32

C:\Users\Admin\AppData\Local\Temp\03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe
"C:\Users\Admin\AppData\Local\Temp\03505e486ddca50ca61c00606ced77cc5abbba42bb696243be512efd3c59c7c5.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe

Filesize
1.3MB

MD5
f7a1fd762f6f1b35362c267f7e8b539f

SHA1
140a7817c15f2551e7af04be25490dec82802d44

SHA256
8b9d087ebf136320c69ed8f621309f59312a8c6b280c7a6acba3446b32c6cfce

SHA512
c8813d81a1975965238b365a27dec60ebb29a702f226c0ca26596a6c31105753026ec308d5252c070c8e24e0922459afdbb11cde636dbae2a5c1f2caba4aa83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe

Filesize
1.3MB

MD5
f7a1fd762f6f1b35362c267f7e8b539f

SHA1
140a7817c15f2551e7af04be25490dec82802d44

SHA256
8b9d087ebf136320c69ed8f621309f59312a8c6b280c7a6acba3446b32c6cfce

SHA512
c8813d81a1975965238b365a27dec60ebb29a702f226c0ca26596a6c31105753026ec308d5252c070c8e24e0922459afdbb11cde636dbae2a5c1f2caba4aa83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe

Filesize
1015KB

MD5
6251bcb20d75fc8fed022da5aecd3fc3

SHA1
273411f4e3c7271e73ca2a4c3a9681a54ac55b47

SHA256
1965f2170b3e6c8228d4ec165856fa414b2edf69c6d2fd41b6c5e7890ca921ed

SHA512
674fe7f051870c663ea70f707fd3c28b783e3effb4bf3af0debc3de14ce6c8554b45b5b27678d1b748cf1b2976efcf4760ba52f84a2131e386a26357f1d73a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe

Filesize
1015KB

MD5
6251bcb20d75fc8fed022da5aecd3fc3

SHA1
273411f4e3c7271e73ca2a4c3a9681a54ac55b47

SHA256
1965f2170b3e6c8228d4ec165856fa414b2edf69c6d2fd41b6c5e7890ca921ed

SHA512
674fe7f051870c663ea70f707fd3c28b783e3effb4bf3af0debc3de14ce6c8554b45b5b27678d1b748cf1b2976efcf4760ba52f84a2131e386a26357f1d73a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe

Filesize
843KB

MD5
79cc6f186e71e5d1252f4b53945764af

SHA1
43bca3998718e98b2c5de3db476cef24efbf6b30

SHA256
b790cd84c891aa9c8ebad3268c317a050b95b478a93d7aefd2ccdcc7864c30b0

SHA512
ef9b875a3997b36a43f0551cee88787bd01ddb7462f818fdc7c4ca6745fe661499551abf0a294e99e89d9742b9023d373052b7b31c0ce06893f8fa959b2431ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe

Filesize
843KB

MD5
79cc6f186e71e5d1252f4b53945764af

SHA1
43bca3998718e98b2c5de3db476cef24efbf6b30

SHA256
b790cd84c891aa9c8ebad3268c317a050b95b478a93d7aefd2ccdcc7864c30b0

SHA512
ef9b875a3997b36a43f0551cee88787bd01ddb7462f818fdc7c4ca6745fe661499551abf0a294e99e89d9742b9023d373052b7b31c0ce06893f8fa959b2431ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe

Filesize
371KB

MD5
257d9203c920b39e1f4bcffb28f826ca

SHA1
9a0566df5e30d06f08ae789cfd863cff5b077619

SHA256
0ee102014a430e04aabf789407428ae10fed1d4559855dc723242f229f9fe4f2

SHA512
99d813522ae932b7a7dc1b3464d805e2b8d009e56a2813b2007a52d921b87e2be3bb8a7a00567962c94cf61df03f3855552488f814f86ec5be61536353136ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe

Filesize
371KB

MD5
257d9203c920b39e1f4bcffb28f826ca

SHA1
9a0566df5e30d06f08ae789cfd863cff5b077619

SHA256
0ee102014a430e04aabf789407428ae10fed1d4559855dc723242f229f9fe4f2

SHA512
99d813522ae932b7a7dc1b3464d805e2b8d009e56a2813b2007a52d921b87e2be3bb8a7a00567962c94cf61df03f3855552488f814f86ec5be61536353136ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe

Filesize
169KB

MD5
b1dccb5abfffe17b4ef83c6be72eae00

SHA1
8b20ce61a8f6425fec42b5f0f27383b06c00a5fc

SHA256
2f73c965d34de2497067603aef1bd336eff23065e6d82cc24ee463239e4ca875

SHA512
771286bf4afbff2d0a76ea128b86dd06990a385363c82ed9fc9dc910a2714ca7997f3cf0e96485c0f987fee3b6e3fd95a7847feb65e85db62bb611411be589a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe

Filesize
169KB

MD5
b1dccb5abfffe17b4ef83c6be72eae00

SHA1
8b20ce61a8f6425fec42b5f0f27383b06c00a5fc

SHA256
2f73c965d34de2497067603aef1bd336eff23065e6d82cc24ee463239e4ca875

SHA512
771286bf4afbff2d0a76ea128b86dd06990a385363c82ed9fc9dc910a2714ca7997f3cf0e96485c0f987fee3b6e3fd95a7847feb65e85db62bb611411be589a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe

Filesize
1.3MB

MD5
f7a1fd762f6f1b35362c267f7e8b539f

SHA1
140a7817c15f2551e7af04be25490dec82802d44

SHA256
8b9d087ebf136320c69ed8f621309f59312a8c6b280c7a6acba3446b32c6cfce

SHA512
c8813d81a1975965238b365a27dec60ebb29a702f226c0ca26596a6c31105753026ec308d5252c070c8e24e0922459afdbb11cde636dbae2a5c1f2caba4aa83a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i92142893.exe

Filesize
1.3MB

MD5
f7a1fd762f6f1b35362c267f7e8b539f

SHA1
140a7817c15f2551e7af04be25490dec82802d44

SHA256
8b9d087ebf136320c69ed8f621309f59312a8c6b280c7a6acba3446b32c6cfce

SHA512
c8813d81a1975965238b365a27dec60ebb29a702f226c0ca26596a6c31105753026ec308d5252c070c8e24e0922459afdbb11cde636dbae2a5c1f2caba4aa83a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe

Filesize
1015KB

MD5
6251bcb20d75fc8fed022da5aecd3fc3

SHA1
273411f4e3c7271e73ca2a4c3a9681a54ac55b47

SHA256
1965f2170b3e6c8228d4ec165856fa414b2edf69c6d2fd41b6c5e7890ca921ed

SHA512
674fe7f051870c663ea70f707fd3c28b783e3effb4bf3af0debc3de14ce6c8554b45b5b27678d1b748cf1b2976efcf4760ba52f84a2131e386a26357f1d73a4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i52462854.exe

Filesize
1015KB

MD5
6251bcb20d75fc8fed022da5aecd3fc3

SHA1
273411f4e3c7271e73ca2a4c3a9681a54ac55b47

SHA256
1965f2170b3e6c8228d4ec165856fa414b2edf69c6d2fd41b6c5e7890ca921ed

SHA512
674fe7f051870c663ea70f707fd3c28b783e3effb4bf3af0debc3de14ce6c8554b45b5b27678d1b748cf1b2976efcf4760ba52f84a2131e386a26357f1d73a4e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe

Filesize
843KB

MD5
79cc6f186e71e5d1252f4b53945764af

SHA1
43bca3998718e98b2c5de3db476cef24efbf6b30

SHA256
b790cd84c891aa9c8ebad3268c317a050b95b478a93d7aefd2ccdcc7864c30b0

SHA512
ef9b875a3997b36a43f0551cee88787bd01ddb7462f818fdc7c4ca6745fe661499551abf0a294e99e89d9742b9023d373052b7b31c0ce06893f8fa959b2431ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i09992586.exe

Filesize
843KB

MD5
79cc6f186e71e5d1252f4b53945764af

SHA1
43bca3998718e98b2c5de3db476cef24efbf6b30

SHA256
b790cd84c891aa9c8ebad3268c317a050b95b478a93d7aefd2ccdcc7864c30b0

SHA512
ef9b875a3997b36a43f0551cee88787bd01ddb7462f818fdc7c4ca6745fe661499551abf0a294e99e89d9742b9023d373052b7b31c0ce06893f8fa959b2431ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe

Filesize
371KB

MD5
257d9203c920b39e1f4bcffb28f826ca

SHA1
9a0566df5e30d06f08ae789cfd863cff5b077619

SHA256
0ee102014a430e04aabf789407428ae10fed1d4559855dc723242f229f9fe4f2

SHA512
99d813522ae932b7a7dc1b3464d805e2b8d009e56a2813b2007a52d921b87e2be3bb8a7a00567962c94cf61df03f3855552488f814f86ec5be61536353136ffa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i55267549.exe

Filesize
371KB

MD5
257d9203c920b39e1f4bcffb28f826ca

SHA1
9a0566df5e30d06f08ae789cfd863cff5b077619

SHA256
0ee102014a430e04aabf789407428ae10fed1d4559855dc723242f229f9fe4f2

SHA512
99d813522ae932b7a7dc1b3464d805e2b8d009e56a2813b2007a52d921b87e2be3bb8a7a00567962c94cf61df03f3855552488f814f86ec5be61536353136ffa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe

Filesize
169KB

MD5
b1dccb5abfffe17b4ef83c6be72eae00

SHA1
8b20ce61a8f6425fec42b5f0f27383b06c00a5fc

SHA256
2f73c965d34de2497067603aef1bd336eff23065e6d82cc24ee463239e4ca875

SHA512
771286bf4afbff2d0a76ea128b86dd06990a385363c82ed9fc9dc910a2714ca7997f3cf0e96485c0f987fee3b6e3fd95a7847feb65e85db62bb611411be589a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55033539.exe

Filesize
169KB

MD5
b1dccb5abfffe17b4ef83c6be72eae00

SHA1
8b20ce61a8f6425fec42b5f0f27383b06c00a5fc

SHA256
2f73c965d34de2497067603aef1bd336eff23065e6d82cc24ee463239e4ca875

SHA512
771286bf4afbff2d0a76ea128b86dd06990a385363c82ed9fc9dc910a2714ca7997f3cf0e96485c0f987fee3b6e3fd95a7847feb65e85db62bb611411be589a8

Download Submit
memory/976-104-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

Filesize
192KB

Download
memory/976-105-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/976-106-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download