redline | 15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c

Analysis

max time kernel
142s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Size

1.5MB
MD5

00ae6dead07ceb07981ee20cc8bed234
SHA1

4a004656df37e8f856664596717e961ab5c134be
SHA256

15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c
SHA512

cae633f7503bc632a64c4a7fa72fa2aa3ea30211e23bd0902b702b2abf227824b8d3c39e3e52d4d02ff2f165eeab2cb65ae43e1054b078fe7d971cfae9ca46ca
SSDEEP

24576:My93nDmFoGY8b4IeqvZhxOnR/AlaNE3IUeSXm8n+Oiom9yoR+SUQP7:79wVY8bteEOn19NANeKjKom9y0+fE

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
592	i06589386.exe
976	i47189873.exe
616	i81716811.exe
1664	i17581754.exe
1340	a55865678.exe

Loads dropped DLL 10 IoCs

pid	Process
1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
592	i06589386.exe
592	i06589386.exe
976	i47189873.exe
976	i47189873.exe
616	i81716811.exe
616	i81716811.exe
1664	i17581754.exe
1664	i17581754.exe
1340	a55865678.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i17581754.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i47189873.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i81716811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i81716811.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i17581754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i06589386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i06589386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i47189873.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 1456 wrote to memory of 592	1456	15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe	28
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 592 wrote to memory of 976	592	i06589386.exe	29
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 976 wrote to memory of 616	976	i47189873.exe	30
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 616 wrote to memory of 1664	616	i81716811.exe	31
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32
PID 1664 wrote to memory of 1340	1664	i17581754.exe	32

C:\Users\Admin\AppData\Local\Temp\15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe
"C:\Users\Admin\AppData\Local\Temp\15cea45abd041a66d4597c55c7ee49e540e15e632148623c76b77e0254a71a4c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe

Filesize
1.3MB

MD5
315d955d17708d4897c038827b6111d7

SHA1
e8c73232dd39b475fb4e24a6e61ccf01a430c61e

SHA256
1e08b7d3cb760841eb626d24d38558eebf367813a0c08701001d3344aca39a0f

SHA512
0767a02f3943a169b79f18d289ae22e54913cbefa72df6c077c38ace7c74e10f64f99c1880c86dce95b534f71f90ab9d52813d035b1ce1c31e9cd311851df707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe

Filesize
1.3MB

MD5
315d955d17708d4897c038827b6111d7

SHA1
e8c73232dd39b475fb4e24a6e61ccf01a430c61e

SHA256
1e08b7d3cb760841eb626d24d38558eebf367813a0c08701001d3344aca39a0f

SHA512
0767a02f3943a169b79f18d289ae22e54913cbefa72df6c077c38ace7c74e10f64f99c1880c86dce95b534f71f90ab9d52813d035b1ce1c31e9cd311851df707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe

Filesize
1023KB

MD5
f7c98d4cf54eef3f5fd3fa5317082788

SHA1
a044d3447aa1c54c33b20bf22c33ecd279f82593

SHA256
d107c02636602f1e8d8e6fd1929156f2ec0f3b24a6430e41776d753787f8b14b

SHA512
d4911133a18aad2e1b55bc040274f9a974684abab0183eb13d25981c8c5ea1f12447dbe53ded93b1824ff6e9fd35bdb3671a166b3115ca79d854c1c7f9d38b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe

Filesize
1023KB

MD5
f7c98d4cf54eef3f5fd3fa5317082788

SHA1
a044d3447aa1c54c33b20bf22c33ecd279f82593

SHA256
d107c02636602f1e8d8e6fd1929156f2ec0f3b24a6430e41776d753787f8b14b

SHA512
d4911133a18aad2e1b55bc040274f9a974684abab0183eb13d25981c8c5ea1f12447dbe53ded93b1824ff6e9fd35bdb3671a166b3115ca79d854c1c7f9d38b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe

Filesize
852KB

MD5
220c63931af67fd6a2585bfd4662c3c5

SHA1
11684de4b2454d24fa7c7bb1a28b6a7b502bc4cf

SHA256
2ca7858590a723c763dbdfc6216911b815bec0a6f87067bbb72e749a65c10dcd

SHA512
9242d7b30eaaa63d5698c611fb3d63b55274494116e748a83dc1031265ef6d94359bb05a53aa1204975b3d6108a3e48c0ee556ff518e157b05e2921b7466098d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe

Filesize
852KB

MD5
220c63931af67fd6a2585bfd4662c3c5

SHA1
11684de4b2454d24fa7c7bb1a28b6a7b502bc4cf

SHA256
2ca7858590a723c763dbdfc6216911b815bec0a6f87067bbb72e749a65c10dcd

SHA512
9242d7b30eaaa63d5698c611fb3d63b55274494116e748a83dc1031265ef6d94359bb05a53aa1204975b3d6108a3e48c0ee556ff518e157b05e2921b7466098d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe

Filesize
375KB

MD5
44360cfbb346e5ad17b58c3bf4c0440e

SHA1
0e4134f73776b3fbf84f46f240f5ff111b3e9cce

SHA256
e8746187fd2922fb35a06b8ddd6e26dacdf3483cedd043147cedb98ab4189e8e

SHA512
0b79a26f31beadfecba0bacea4363b015a4535228fecad7db1a80fb25532bab31ceaf09fb51aae4555907b0822ba1ed00a7f482cd07a7960cf8399cd89b1b65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe

Filesize
375KB

MD5
44360cfbb346e5ad17b58c3bf4c0440e

SHA1
0e4134f73776b3fbf84f46f240f5ff111b3e9cce

SHA256
e8746187fd2922fb35a06b8ddd6e26dacdf3483cedd043147cedb98ab4189e8e

SHA512
0b79a26f31beadfecba0bacea4363b015a4535228fecad7db1a80fb25532bab31ceaf09fb51aae4555907b0822ba1ed00a7f482cd07a7960cf8399cd89b1b65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe

Filesize
169KB

MD5
5cdd55d16bf31601244c756ec5463e6b

SHA1
1862568ef8a0b281f14fb5f5457eade8c8888222

SHA256
11f631599345230f387df3b006d521c8875e699e224fcbcdaeaeb0bdcc72c06e

SHA512
d0c7f18fe52ee2b90198134e8e93635ea9d6280e4da3d28d94775647fa6a56d595693ee1499684963f0429ab3e7bbcd7855efb68014dbbb58795902bf47068f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe

Filesize
169KB

MD5
5cdd55d16bf31601244c756ec5463e6b

SHA1
1862568ef8a0b281f14fb5f5457eade8c8888222

SHA256
11f631599345230f387df3b006d521c8875e699e224fcbcdaeaeb0bdcc72c06e

SHA512
d0c7f18fe52ee2b90198134e8e93635ea9d6280e4da3d28d94775647fa6a56d595693ee1499684963f0429ab3e7bbcd7855efb68014dbbb58795902bf47068f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe

Filesize
1.3MB

MD5
315d955d17708d4897c038827b6111d7

SHA1
e8c73232dd39b475fb4e24a6e61ccf01a430c61e

SHA256
1e08b7d3cb760841eb626d24d38558eebf367813a0c08701001d3344aca39a0f

SHA512
0767a02f3943a169b79f18d289ae22e54913cbefa72df6c077c38ace7c74e10f64f99c1880c86dce95b534f71f90ab9d52813d035b1ce1c31e9cd311851df707

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i06589386.exe

Filesize
1.3MB

MD5
315d955d17708d4897c038827b6111d7

SHA1
e8c73232dd39b475fb4e24a6e61ccf01a430c61e

SHA256
1e08b7d3cb760841eb626d24d38558eebf367813a0c08701001d3344aca39a0f

SHA512
0767a02f3943a169b79f18d289ae22e54913cbefa72df6c077c38ace7c74e10f64f99c1880c86dce95b534f71f90ab9d52813d035b1ce1c31e9cd311851df707

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe

Filesize
1023KB

MD5
f7c98d4cf54eef3f5fd3fa5317082788

SHA1
a044d3447aa1c54c33b20bf22c33ecd279f82593

SHA256
d107c02636602f1e8d8e6fd1929156f2ec0f3b24a6430e41776d753787f8b14b

SHA512
d4911133a18aad2e1b55bc040274f9a974684abab0183eb13d25981c8c5ea1f12447dbe53ded93b1824ff6e9fd35bdb3671a166b3115ca79d854c1c7f9d38b77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47189873.exe

Filesize
1023KB

MD5
f7c98d4cf54eef3f5fd3fa5317082788

SHA1
a044d3447aa1c54c33b20bf22c33ecd279f82593

SHA256
d107c02636602f1e8d8e6fd1929156f2ec0f3b24a6430e41776d753787f8b14b

SHA512
d4911133a18aad2e1b55bc040274f9a974684abab0183eb13d25981c8c5ea1f12447dbe53ded93b1824ff6e9fd35bdb3671a166b3115ca79d854c1c7f9d38b77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe

Filesize
852KB

MD5
220c63931af67fd6a2585bfd4662c3c5

SHA1
11684de4b2454d24fa7c7bb1a28b6a7b502bc4cf

SHA256
2ca7858590a723c763dbdfc6216911b815bec0a6f87067bbb72e749a65c10dcd

SHA512
9242d7b30eaaa63d5698c611fb3d63b55274494116e748a83dc1031265ef6d94359bb05a53aa1204975b3d6108a3e48c0ee556ff518e157b05e2921b7466098d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i81716811.exe

Filesize
852KB

MD5
220c63931af67fd6a2585bfd4662c3c5

SHA1
11684de4b2454d24fa7c7bb1a28b6a7b502bc4cf

SHA256
2ca7858590a723c763dbdfc6216911b815bec0a6f87067bbb72e749a65c10dcd

SHA512
9242d7b30eaaa63d5698c611fb3d63b55274494116e748a83dc1031265ef6d94359bb05a53aa1204975b3d6108a3e48c0ee556ff518e157b05e2921b7466098d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe

Filesize
375KB

MD5
44360cfbb346e5ad17b58c3bf4c0440e

SHA1
0e4134f73776b3fbf84f46f240f5ff111b3e9cce

SHA256
e8746187fd2922fb35a06b8ddd6e26dacdf3483cedd043147cedb98ab4189e8e

SHA512
0b79a26f31beadfecba0bacea4363b015a4535228fecad7db1a80fb25532bab31ceaf09fb51aae4555907b0822ba1ed00a7f482cd07a7960cf8399cd89b1b65c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17581754.exe

Filesize
375KB

MD5
44360cfbb346e5ad17b58c3bf4c0440e

SHA1
0e4134f73776b3fbf84f46f240f5ff111b3e9cce

SHA256
e8746187fd2922fb35a06b8ddd6e26dacdf3483cedd043147cedb98ab4189e8e

SHA512
0b79a26f31beadfecba0bacea4363b015a4535228fecad7db1a80fb25532bab31ceaf09fb51aae4555907b0822ba1ed00a7f482cd07a7960cf8399cd89b1b65c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe

Filesize
169KB

MD5
5cdd55d16bf31601244c756ec5463e6b

SHA1
1862568ef8a0b281f14fb5f5457eade8c8888222

SHA256
11f631599345230f387df3b006d521c8875e699e224fcbcdaeaeb0bdcc72c06e

SHA512
d0c7f18fe52ee2b90198134e8e93635ea9d6280e4da3d28d94775647fa6a56d595693ee1499684963f0429ab3e7bbcd7855efb68014dbbb58795902bf47068f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a55865678.exe

Filesize
169KB

MD5
5cdd55d16bf31601244c756ec5463e6b

SHA1
1862568ef8a0b281f14fb5f5457eade8c8888222

SHA256
11f631599345230f387df3b006d521c8875e699e224fcbcdaeaeb0bdcc72c06e

SHA512
d0c7f18fe52ee2b90198134e8e93635ea9d6280e4da3d28d94775647fa6a56d595693ee1499684963f0429ab3e7bbcd7855efb68014dbbb58795902bf47068f4

Download Submit
memory/1340-104-0x0000000000B90000-0x0000000000BC0000-memory.dmp

Filesize
192KB

Download
memory/1340-105-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1340-106-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/1340-107-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download