redline | 2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e

Analysis

max time kernel
196s
max time network
274s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe
Size

1.5MB
MD5

332304208f0813f031272e038f30e917
SHA1

e1fb23d53820b0784e9ad18a040a0592c1764854
SHA256

2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e
SHA512

48833e3be53e67c938ac5a6b4eaa73bcd45ee4edd26183c90cd30f98d9919df41c6124c2e1cefac4d3ef423d1d9588984684f8f6edf8b2815f9db653096a51e3
SSDEEP

24576:5yNxSqTZIl9b8xQiFkgKoPYufqC8l51q0IV7xRw0ZzwBzLeXjeOswmSdl6c4azOx:svSqo9bkQiFkgw87Aj/27w53eXjXCSK

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
436	i36699718.exe
1924	i05071819.exe
1444	i44498141.exe
1568	i06243967.exe
1600	a05609288.exe

Loads dropped DLL 10 IoCs

pid	Process
580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe
436	i36699718.exe
436	i36699718.exe
1924	i05071819.exe
1924	i05071819.exe
1444	i44498141.exe
1444	i44498141.exe
1568	i06243967.exe
1568	i06243967.exe
1600	a05609288.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36699718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i36699718.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i05071819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i44498141.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i05071819.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i44498141.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i06243967.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i06243967.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 580 wrote to memory of 436	580	2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe	28
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 436 wrote to memory of 1924	436	i36699718.exe	29
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1924 wrote to memory of 1444	1924	i05071819.exe	30
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1444 wrote to memory of 1568	1444	i44498141.exe	31
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32
PID 1568 wrote to memory of 1600	1568	i06243967.exe	32

C:\Users\Admin\AppData\Local\Temp\2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe
"C:\Users\Admin\AppData\Local\Temp\2558981bf71e5f19b5396c9fa07deeb97cc9a74d7eb797f05b424ecb98f66d6e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe

Filesize
1.3MB

MD5
4ef854141dee24d54de1b26c75fd8515

SHA1
c361293ee82983cc9c739fc3e8b2978eca7eeb23

SHA256
b27b8991fdbd1e67cf14572def0890dbc5bb19246ab082902d199fd8a02baaf8

SHA512
2a2b65380938d3d9c857b534097ce226ae5fe3255d5369686750810c4f914d1b9839b548dd5a01bda02dff477fcacf612568971bb9df2ae192ab281121098bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe

Filesize
1.3MB

MD5
4ef854141dee24d54de1b26c75fd8515

SHA1
c361293ee82983cc9c739fc3e8b2978eca7eeb23

SHA256
b27b8991fdbd1e67cf14572def0890dbc5bb19246ab082902d199fd8a02baaf8

SHA512
2a2b65380938d3d9c857b534097ce226ae5fe3255d5369686750810c4f914d1b9839b548dd5a01bda02dff477fcacf612568971bb9df2ae192ab281121098bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe

Filesize
1023KB

MD5
4c65fcb94fb3463993a5488f07a50695

SHA1
8e07eede5ec3f78e6a232825013785c83ff167a4

SHA256
bd5ed263db3afacfa055fa95be14ce9bfda400afc87a912c9446415f5623182e

SHA512
f70ada2bc991dd5aaa4cd291137217fe5051d0e01508bf1cf4112569e64ec78ba3ec0a1cea7a86d8a4ae72a43bc802f4b830040dfb60b90a00a7c7d67fe391eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe

Filesize
1023KB

MD5
4c65fcb94fb3463993a5488f07a50695

SHA1
8e07eede5ec3f78e6a232825013785c83ff167a4

SHA256
bd5ed263db3afacfa055fa95be14ce9bfda400afc87a912c9446415f5623182e

SHA512
f70ada2bc991dd5aaa4cd291137217fe5051d0e01508bf1cf4112569e64ec78ba3ec0a1cea7a86d8a4ae72a43bc802f4b830040dfb60b90a00a7c7d67fe391eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe

Filesize
851KB

MD5
84c55ef4aa6ed4206dceb6d6fcb7613f

SHA1
438dbcb54dec6ac9b0fae6c92455e907e63842dc

SHA256
80d37f7830b884d68b1a6bef4ef6c016588601858a51ea6907d40c463419c64f

SHA512
55da88652dea83fda5a8db3c0c4dec085369845d0e175c842673044aee68af95fa50a4d17802ef80712a58887b04bb16af03e31b735494f40342ace20fe5f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe

Filesize
851KB

MD5
84c55ef4aa6ed4206dceb6d6fcb7613f

SHA1
438dbcb54dec6ac9b0fae6c92455e907e63842dc

SHA256
80d37f7830b884d68b1a6bef4ef6c016588601858a51ea6907d40c463419c64f

SHA512
55da88652dea83fda5a8db3c0c4dec085369845d0e175c842673044aee68af95fa50a4d17802ef80712a58887b04bb16af03e31b735494f40342ace20fe5f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe

Filesize
375KB

MD5
d320e65e1c6a9a65cb72b60be1a47c68

SHA1
1775dd7d2411b0f70995c423480de62fd93d9be3

SHA256
99bd60512728bc578a98d5c4b317be509620e2fe32ad7b5d719f6cfcb05f0b92

SHA512
8897e4baa1030a26db8b1aa217492a284aa8f4b84692d4aeed8a057b03795cdd29b09e141b4f54b22f7d456b582082ad505b28b73ae5d4c5237553b7225ba014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe

Filesize
375KB

MD5
d320e65e1c6a9a65cb72b60be1a47c68

SHA1
1775dd7d2411b0f70995c423480de62fd93d9be3

SHA256
99bd60512728bc578a98d5c4b317be509620e2fe32ad7b5d719f6cfcb05f0b92

SHA512
8897e4baa1030a26db8b1aa217492a284aa8f4b84692d4aeed8a057b03795cdd29b09e141b4f54b22f7d456b582082ad505b28b73ae5d4c5237553b7225ba014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe

Filesize
169KB

MD5
59e6bf0eeca63256793f142dafea2d9b

SHA1
b39180f7e34b349808ea4417e75a3fa1ecc36b1b

SHA256
189f81a2ecf34c5aba8e9655041ecc40ddb1edd2ceb7311e41a44565a32d2984

SHA512
8c64f4e8cbfe972a522f1cd3f4d527f6af7f21c5b103e0c5c620bd04b2b3881867fcf7c0609acc7d8edcec207d5eb60a6b005bd2aa74fba3388dd065d9ad5ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe

Filesize
169KB

MD5
59e6bf0eeca63256793f142dafea2d9b

SHA1
b39180f7e34b349808ea4417e75a3fa1ecc36b1b

SHA256
189f81a2ecf34c5aba8e9655041ecc40ddb1edd2ceb7311e41a44565a32d2984

SHA512
8c64f4e8cbfe972a522f1cd3f4d527f6af7f21c5b103e0c5c620bd04b2b3881867fcf7c0609acc7d8edcec207d5eb60a6b005bd2aa74fba3388dd065d9ad5ab0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe

Filesize
1.3MB

MD5
4ef854141dee24d54de1b26c75fd8515

SHA1
c361293ee82983cc9c739fc3e8b2978eca7eeb23

SHA256
b27b8991fdbd1e67cf14572def0890dbc5bb19246ab082902d199fd8a02baaf8

SHA512
2a2b65380938d3d9c857b534097ce226ae5fe3255d5369686750810c4f914d1b9839b548dd5a01bda02dff477fcacf612568971bb9df2ae192ab281121098bea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36699718.exe

Filesize
1.3MB

MD5
4ef854141dee24d54de1b26c75fd8515

SHA1
c361293ee82983cc9c739fc3e8b2978eca7eeb23

SHA256
b27b8991fdbd1e67cf14572def0890dbc5bb19246ab082902d199fd8a02baaf8

SHA512
2a2b65380938d3d9c857b534097ce226ae5fe3255d5369686750810c4f914d1b9839b548dd5a01bda02dff477fcacf612568971bb9df2ae192ab281121098bea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe

Filesize
1023KB

MD5
4c65fcb94fb3463993a5488f07a50695

SHA1
8e07eede5ec3f78e6a232825013785c83ff167a4

SHA256
bd5ed263db3afacfa055fa95be14ce9bfda400afc87a912c9446415f5623182e

SHA512
f70ada2bc991dd5aaa4cd291137217fe5051d0e01508bf1cf4112569e64ec78ba3ec0a1cea7a86d8a4ae72a43bc802f4b830040dfb60b90a00a7c7d67fe391eb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05071819.exe

Filesize
1023KB

MD5
4c65fcb94fb3463993a5488f07a50695

SHA1
8e07eede5ec3f78e6a232825013785c83ff167a4

SHA256
bd5ed263db3afacfa055fa95be14ce9bfda400afc87a912c9446415f5623182e

SHA512
f70ada2bc991dd5aaa4cd291137217fe5051d0e01508bf1cf4112569e64ec78ba3ec0a1cea7a86d8a4ae72a43bc802f4b830040dfb60b90a00a7c7d67fe391eb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe

Filesize
851KB

MD5
84c55ef4aa6ed4206dceb6d6fcb7613f

SHA1
438dbcb54dec6ac9b0fae6c92455e907e63842dc

SHA256
80d37f7830b884d68b1a6bef4ef6c016588601858a51ea6907d40c463419c64f

SHA512
55da88652dea83fda5a8db3c0c4dec085369845d0e175c842673044aee68af95fa50a4d17802ef80712a58887b04bb16af03e31b735494f40342ace20fe5f6bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44498141.exe

Filesize
851KB

MD5
84c55ef4aa6ed4206dceb6d6fcb7613f

SHA1
438dbcb54dec6ac9b0fae6c92455e907e63842dc

SHA256
80d37f7830b884d68b1a6bef4ef6c016588601858a51ea6907d40c463419c64f

SHA512
55da88652dea83fda5a8db3c0c4dec085369845d0e175c842673044aee68af95fa50a4d17802ef80712a58887b04bb16af03e31b735494f40342ace20fe5f6bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe

Filesize
375KB

MD5
d320e65e1c6a9a65cb72b60be1a47c68

SHA1
1775dd7d2411b0f70995c423480de62fd93d9be3

SHA256
99bd60512728bc578a98d5c4b317be509620e2fe32ad7b5d719f6cfcb05f0b92

SHA512
8897e4baa1030a26db8b1aa217492a284aa8f4b84692d4aeed8a057b03795cdd29b09e141b4f54b22f7d456b582082ad505b28b73ae5d4c5237553b7225ba014

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i06243967.exe

Filesize
375KB

MD5
d320e65e1c6a9a65cb72b60be1a47c68

SHA1
1775dd7d2411b0f70995c423480de62fd93d9be3

SHA256
99bd60512728bc578a98d5c4b317be509620e2fe32ad7b5d719f6cfcb05f0b92

SHA512
8897e4baa1030a26db8b1aa217492a284aa8f4b84692d4aeed8a057b03795cdd29b09e141b4f54b22f7d456b582082ad505b28b73ae5d4c5237553b7225ba014

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe

Filesize
169KB

MD5
59e6bf0eeca63256793f142dafea2d9b

SHA1
b39180f7e34b349808ea4417e75a3fa1ecc36b1b

SHA256
189f81a2ecf34c5aba8e9655041ecc40ddb1edd2ceb7311e41a44565a32d2984

SHA512
8c64f4e8cbfe972a522f1cd3f4d527f6af7f21c5b103e0c5c620bd04b2b3881867fcf7c0609acc7d8edcec207d5eb60a6b005bd2aa74fba3388dd065d9ad5ab0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a05609288.exe

Filesize
169KB

MD5
59e6bf0eeca63256793f142dafea2d9b

SHA1
b39180f7e34b349808ea4417e75a3fa1ecc36b1b

SHA256
189f81a2ecf34c5aba8e9655041ecc40ddb1edd2ceb7311e41a44565a32d2984

SHA512
8c64f4e8cbfe972a522f1cd3f4d527f6af7f21c5b103e0c5c620bd04b2b3881867fcf7c0609acc7d8edcec207d5eb60a6b005bd2aa74fba3388dd065d9ad5ab0

Download Submit
memory/1600-104-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/1600-105-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1600-106-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1600-107-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download