redline | 25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b

Analysis

max time kernel
143s
max time network
177s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
Size

850KB
MD5

dd610090fcca1ab9dca44e75fa6ec956
SHA1

09db66afa9c17bfb0987cd68b92a11935a84391b
SHA256

25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b
SHA512

d365ed9fbab8368e517d9bb64176c7f8a87fef7409c4c2920da60a170ad5b6fa7d3b497756440b47d85e5d3c6dbbe5b458ca29cbeec7859b3baef5a373267986
SSDEEP

12288:Ky90oUEXsNWbXV+ikWmP0SvAVq/U4aj4E7KvCcFuqo2ZNVoCoFOtwx3+m2Ti1Vb:KyYUsYRdkWNSoVevClyZT3Fwx12TiPb

Score

10^/10

redline donka gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

donka

185.161.248.73:4164

Attributes

auth_value
ebd13e189a2e7c34425e5f4c46bb7a55

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1508	y47429866.exe
748	p20982233.exe
1972	1.exe
848	r07177252.exe

Loads dropped DLL 9 IoCs

pid	Process
1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
1508	y47429866.exe
1508	y47429866.exe
1508	y47429866.exe
748	p20982233.exe
748	p20982233.exe
1972	1.exe
1508	y47429866.exe
848	r07177252.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y47429866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y47429866.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	p20982233.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1608 wrote to memory of 1508	1608	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	28
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 1508 wrote to memory of 748	1508	y47429866.exe	29
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 748 wrote to memory of 1972	748	p20982233.exe	30
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31
PID 1508 wrote to memory of 848	1508	y47429866.exe	31

C:\Users\Admin\AppData\Local\Temp\25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
"C:\Users\Admin\AppData\Local\Temp\25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe

Filesize
168KB

MD5
743619fc20d63a31de7d8f4bcec619ee

SHA1
669ccf725eb8f3a71fdd75bc098d93f685e25800

SHA256
0d1e315740bfef51c4867273af48dbfc922bf19a0ae7382d5a22d9b5c3085fb5

SHA512
d4bbb4ae2874c5959c035d612880d4cecc3ebc3a683fa5bd43b6f988c5179e11b4a63e0fbfbcde26e94ea47675f02068b340da647c464e45e1652d5335f49c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe

Filesize
168KB

MD5
743619fc20d63a31de7d8f4bcec619ee

SHA1
669ccf725eb8f3a71fdd75bc098d93f685e25800

SHA256
0d1e315740bfef51c4867273af48dbfc922bf19a0ae7382d5a22d9b5c3085fb5

SHA512
d4bbb4ae2874c5959c035d612880d4cecc3ebc3a683fa5bd43b6f988c5179e11b4a63e0fbfbcde26e94ea47675f02068b340da647c464e45e1652d5335f49c30

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe

Filesize
168KB

MD5
743619fc20d63a31de7d8f4bcec619ee

SHA1
669ccf725eb8f3a71fdd75bc098d93f685e25800

SHA256
0d1e315740bfef51c4867273af48dbfc922bf19a0ae7382d5a22d9b5c3085fb5

SHA512
d4bbb4ae2874c5959c035d612880d4cecc3ebc3a683fa5bd43b6f988c5179e11b4a63e0fbfbcde26e94ea47675f02068b340da647c464e45e1652d5335f49c30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r07177252.exe

Filesize
168KB

MD5
743619fc20d63a31de7d8f4bcec619ee

SHA1
669ccf725eb8f3a71fdd75bc098d93f685e25800

SHA256
0d1e315740bfef51c4867273af48dbfc922bf19a0ae7382d5a22d9b5c3085fb5

SHA512
d4bbb4ae2874c5959c035d612880d4cecc3ebc3a683fa5bd43b6f988c5179e11b4a63e0fbfbcde26e94ea47675f02068b340da647c464e45e1652d5335f49c30

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/748-115-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-135-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-95-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-99-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-101-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-97-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-93-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-107-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-105-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-103-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-111-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-113-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-109-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-117-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-89-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-119-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-121-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-125-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-127-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-123-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-131-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-129-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-133-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-91-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-139-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-137-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-143-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-141-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-145-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-148-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/748-146-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/748-2230-0x00000000023C0000-0x00000000023F2000-memory.dmp

Filesize
200KB

Download
memory/748-87-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-85-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-83-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-82-0x0000000002500000-0x0000000002560000-memory.dmp

Filesize
384KB

Download
memory/748-81-0x0000000002500000-0x0000000002566000-memory.dmp

Filesize
408KB

Download
memory/748-78-0x0000000000DC0000-0x0000000000E28000-memory.dmp

Filesize
416KB

Download
memory/748-79-0x0000000000280000-0x00000000002DB000-memory.dmp

Filesize
364KB

Download
memory/748-80-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/848-2247-0x00000000013B0000-0x00000000013E0000-memory.dmp

Filesize
192KB

Download
memory/848-2249-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/848-2251-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/848-2253-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/1972-2248-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1972-2242-0x00000000010A0000-0x00000000010CE000-memory.dmp

Filesize
184KB

Download
memory/1972-2250-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1972-2252-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads