redline | 12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514

Analysis

max time kernel
147s
max time network
160s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe
Size

866KB
MD5

fb0d712bdc57af5d633a86f5871b4ab0
SHA1

8fe9b17d1fddb0f12a2d72be6b329e9cdd0493f3
SHA256

12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514
SHA512

3bf1c733a7c760307092b5ffbdf0e1f207745c2d3f37f9bc8c4e35da0da2f74b0d4742c4c33a2fef947b5e7408fea38f7e7e581d19c9c183ff1474975c7c175f
SSDEEP

24576:UyGDldzz9KrfY/XGaa9zc9ZDyEl/lqwN/7:jixgE/RV9lyEV5

Score

10^/10

redline dark gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1380	y50846809.exe
300	p08151772.exe
1968	1.exe
1496	r89599983.exe

Loads dropped DLL 9 IoCs

pid	Process
1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe
1380	y50846809.exe
1380	y50846809.exe
1380	y50846809.exe
300	p08151772.exe
300	p08151772.exe
1968	1.exe
1380	y50846809.exe
1496	r89599983.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y50846809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y50846809.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	300	p08151772.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1700 wrote to memory of 1380	1700	12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe	28
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 1380 wrote to memory of 300	1380	y50846809.exe	29
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 300 wrote to memory of 1968	300	p08151772.exe	30
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31
PID 1380 wrote to memory of 1496	1380	y50846809.exe	31

C:\Users\Admin\AppData\Local\Temp\12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe
"C:\Users\Admin\AppData\Local\Temp\12d85cdc49561a8420fdcf583d64159d8ef4cb0aedc2c7ccc7b1436a1b1d6514.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe

Filesize
577KB

MD5
bced84bd1b7b4d5aa6b598ce1f640763

SHA1
e1449a673eafab7464340bb268ceb31b5539a4ec

SHA256
c211bf06fde7456723e78812a276733d4795b8e7d3c6818680c50ff3f148576e

SHA512
798f288245c1157ed0c359756abb558e2f8f9709889b19991365f79e8cabccbf03503a048a79c528a2b87ae608a0f3ce4d6b77025866f6807a9e93f33dad7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe

Filesize
577KB

MD5
bced84bd1b7b4d5aa6b598ce1f640763

SHA1
e1449a673eafab7464340bb268ceb31b5539a4ec

SHA256
c211bf06fde7456723e78812a276733d4795b8e7d3c6818680c50ff3f148576e

SHA512
798f288245c1157ed0c359756abb558e2f8f9709889b19991365f79e8cabccbf03503a048a79c528a2b87ae608a0f3ce4d6b77025866f6807a9e93f33dad7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe

Filesize
170KB

MD5
ff9b82aa11ffa88232b7cf3412c3f688

SHA1
499d4670ff31ba9aa90ca85e568f1878285789f7

SHA256
5dcfa1d60f453d437ead0dcdd0ff51dba5411e32908ab9bbcf061143701abf87

SHA512
a8d5e5938c5b82018d5a0a73c0aa4388c697e370b186d8493e8a13efaafec5da9bbd23865d29242905c07854c65f4660a8995881e329b5d8fdb9dd22cffc6f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe

Filesize
170KB

MD5
ff9b82aa11ffa88232b7cf3412c3f688

SHA1
499d4670ff31ba9aa90ca85e568f1878285789f7

SHA256
5dcfa1d60f453d437ead0dcdd0ff51dba5411e32908ab9bbcf061143701abf87

SHA512
a8d5e5938c5b82018d5a0a73c0aa4388c697e370b186d8493e8a13efaafec5da9bbd23865d29242905c07854c65f4660a8995881e329b5d8fdb9dd22cffc6f42

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe

Filesize
577KB

MD5
bced84bd1b7b4d5aa6b598ce1f640763

SHA1
e1449a673eafab7464340bb268ceb31b5539a4ec

SHA256
c211bf06fde7456723e78812a276733d4795b8e7d3c6818680c50ff3f148576e

SHA512
798f288245c1157ed0c359756abb558e2f8f9709889b19991365f79e8cabccbf03503a048a79c528a2b87ae608a0f3ce4d6b77025866f6807a9e93f33dad7179

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y50846809.exe

Filesize
577KB

MD5
bced84bd1b7b4d5aa6b598ce1f640763

SHA1
e1449a673eafab7464340bb268ceb31b5539a4ec

SHA256
c211bf06fde7456723e78812a276733d4795b8e7d3c6818680c50ff3f148576e

SHA512
798f288245c1157ed0c359756abb558e2f8f9709889b19991365f79e8cabccbf03503a048a79c528a2b87ae608a0f3ce4d6b77025866f6807a9e93f33dad7179

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p08151772.exe

Filesize
574KB

MD5
b7f561a5fe8bbaa4953cf360bd010278

SHA1
2dd462066a726d20545ee25acc12176d3238867b

SHA256
4dd069e602e308965a630da0308313d491329911f9b62aa366ad56e58ef918d7

SHA512
f25c897cf81593d8b8771bf0c297b0ff3d5bef98cc8dd5dccb46f967fde066851279d0ef265b8b0e772307a717900eb0c8a0bb6a906fa979241154252393488b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe

Filesize
170KB

MD5
ff9b82aa11ffa88232b7cf3412c3f688

SHA1
499d4670ff31ba9aa90ca85e568f1878285789f7

SHA256
5dcfa1d60f453d437ead0dcdd0ff51dba5411e32908ab9bbcf061143701abf87

SHA512
a8d5e5938c5b82018d5a0a73c0aa4388c697e370b186d8493e8a13efaafec5da9bbd23865d29242905c07854c65f4660a8995881e329b5d8fdb9dd22cffc6f42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r89599983.exe

Filesize
170KB

MD5
ff9b82aa11ffa88232b7cf3412c3f688

SHA1
499d4670ff31ba9aa90ca85e568f1878285789f7

SHA256
5dcfa1d60f453d437ead0dcdd0ff51dba5411e32908ab9bbcf061143701abf87

SHA512
a8d5e5938c5b82018d5a0a73c0aa4388c697e370b186d8493e8a13efaafec5da9bbd23865d29242905c07854c65f4660a8995881e329b5d8fdb9dd22cffc6f42

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/300-115-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-133-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-91-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-93-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-95-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-97-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-99-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-101-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-103-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-105-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-109-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-107-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-111-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-113-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-87-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-117-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-119-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-121-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-123-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-125-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-127-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-131-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-129-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-89-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-135-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-137-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-141-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-143-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-145-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-147-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-139-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-2230-0x0000000004E70000-0x0000000004EA2000-memory.dmp

Filesize
200KB

Download
memory/300-85-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-84-0x0000000002890000-0x00000000028F0000-memory.dmp

Filesize
384KB

Download
memory/300-83-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/300-78-0x00000000026E0000-0x0000000002748000-memory.dmp

Filesize
416KB

Download
memory/300-80-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/300-2238-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/300-79-0x0000000002890000-0x00000000028F6000-memory.dmp

Filesize
408KB

Download
memory/300-82-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/300-81-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1496-2250-0x00000000008F0000-0x0000000000920000-memory.dmp

Filesize
192KB

Download
memory/1496-2251-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1496-2252-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1496-2253-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1968-2243-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1968-2241-0x0000000000C40000-0x0000000000C6E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads