redline | 2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe
Size

1.5MB
MD5

6fa729927cdfba852ce1d45c6037a38d
SHA1

0b813740bee7a2fb102217154f7ac507a736533b
SHA256

2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9
SHA512

680743089ecbcea67e89cae3ef92ab978fbf80cc88e47b047b31448ae1a1d387393df1228fc4263a88b49b8cd123a6aedf16db8b7d28e46e61e6ad6b20e07115
SSDEEP

24576:XymFhjwIRfp5O2cwXWVbDHq06zL9sYANc75G6XIWcUcKpaX5D+1bkBaojW4ATpsG:imfjfh5TcThDKpzL/Am7kSzcQEcbDYW6

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1500	i20512061.exe
848	i21404480.exe
320	i23548678.exe
2016	i21439371.exe
1468	a94048842.exe

Loads dropped DLL 10 IoCs

pid	Process
1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe
1500	i20512061.exe
1500	i20512061.exe
848	i21404480.exe
848	i21404480.exe
320	i23548678.exe
320	i23548678.exe
2016	i21439371.exe
2016	i21439371.exe
1468	a94048842.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i20512061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i21404480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i23548678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i21439371.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i20512061.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21404480.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i23548678.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21439371.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1612 wrote to memory of 1500	1612	2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe	27
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 1500 wrote to memory of 848	1500	i20512061.exe	28
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 848 wrote to memory of 320	848	i21404480.exe	29
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 320 wrote to memory of 2016	320	i23548678.exe	30
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31
PID 2016 wrote to memory of 1468	2016	i21439371.exe	31

C:\Users\Admin\AppData\Local\Temp\2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe
"C:\Users\Admin\AppData\Local\Temp\2b88bb7214f0fae3824e79471df127c4c135330f06be113e6c3c2bc3527447e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe

Filesize
1.3MB

MD5
ce1eb3c7bdde61ef20effbd586164e96

SHA1
8467a712227d76ccd03698fcda7fa16bce20a42c

SHA256
e6fdb954e4b09d83864ed622a892c2d109f0f72e216b7dddf068405b57dfb6ab

SHA512
e232316ab782fd424473a72893d9374f4237d26cbc6b0ba3d43334f8e49e80b2a77c99d6f7293763f3d76f24306d5d9cb6c476c159a559a6436bf0e79712b289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe

Filesize
1.3MB

MD5
ce1eb3c7bdde61ef20effbd586164e96

SHA1
8467a712227d76ccd03698fcda7fa16bce20a42c

SHA256
e6fdb954e4b09d83864ed622a892c2d109f0f72e216b7dddf068405b57dfb6ab

SHA512
e232316ab782fd424473a72893d9374f4237d26cbc6b0ba3d43334f8e49e80b2a77c99d6f7293763f3d76f24306d5d9cb6c476c159a559a6436bf0e79712b289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe

Filesize
1022KB

MD5
f21676f9669f7c2c2ae32c5422418237

SHA1
8f0b5233e50d14778614601964ee7f623e321ef0

SHA256
44a2185394e56a44c7db1de1fd418c49f33ddba4c445d5027093c0c2d87e1b5c

SHA512
2cda2f1d90f73fbef69a4d19293e6525cf340914f8022227c6de1758808422ff9652ec11eafe93ada7720a85798d9042c8593d8dc92d4bf89760f0824eb06f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe

Filesize
1022KB

MD5
f21676f9669f7c2c2ae32c5422418237

SHA1
8f0b5233e50d14778614601964ee7f623e321ef0

SHA256
44a2185394e56a44c7db1de1fd418c49f33ddba4c445d5027093c0c2d87e1b5c

SHA512
2cda2f1d90f73fbef69a4d19293e6525cf340914f8022227c6de1758808422ff9652ec11eafe93ada7720a85798d9042c8593d8dc92d4bf89760f0824eb06f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe

Filesize
852KB

MD5
a206a35ca6f3e22a6fb39c0569cd7fb5

SHA1
cb951e497b67cb68f0d59cb59c1ac5a813cce03a

SHA256
5a7391067440d954eecb452a197c985f653863ba2d7bac123175e6f5a408c934

SHA512
6c5b2eac1429931be00b646c457f8a29566d4b31593a2c83719878f63325bff9e7df2b2fadac0d98c542c498e64bc5c42691b60d907da2c06f4c161be54577ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe

Filesize
852KB

MD5
a206a35ca6f3e22a6fb39c0569cd7fb5

SHA1
cb951e497b67cb68f0d59cb59c1ac5a813cce03a

SHA256
5a7391067440d954eecb452a197c985f653863ba2d7bac123175e6f5a408c934

SHA512
6c5b2eac1429931be00b646c457f8a29566d4b31593a2c83719878f63325bff9e7df2b2fadac0d98c542c498e64bc5c42691b60d907da2c06f4c161be54577ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe

Filesize
375KB

MD5
c20738d79ae7428cf730dc320ba20b47

SHA1
cf9aaaf4bc7aae51badbfa66c0dbb31672bd8635

SHA256
0ec4871e786957ec5a3a07d1c85506a519bb04cf4fc96bd9ae8c826465124216

SHA512
1e7fc3dd4a81dcdbf106aa703d568a6c800ee238f5ec7be15f66eb33a4a830e7d21b461d04d99105c1e1284215df28898e75bc2f07ad7c9c6689a0431289b4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe

Filesize
375KB

MD5
c20738d79ae7428cf730dc320ba20b47

SHA1
cf9aaaf4bc7aae51badbfa66c0dbb31672bd8635

SHA256
0ec4871e786957ec5a3a07d1c85506a519bb04cf4fc96bd9ae8c826465124216

SHA512
1e7fc3dd4a81dcdbf106aa703d568a6c800ee238f5ec7be15f66eb33a4a830e7d21b461d04d99105c1e1284215df28898e75bc2f07ad7c9c6689a0431289b4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe

Filesize
169KB

MD5
9a7f1de86a06ffa4dd731c4c93bc587d

SHA1
641c030762a223b39c89a8f256dc4c3746425399

SHA256
65672bbcd2455c53197dacfd253b58a8494f379f0d93d5dc48a64872449f9707

SHA512
c663b70096215b9b2591f98b859aec119231e2f8788fdb745c05a65d86e734d9d49af030c577ac636199ebaee7addfcffdb7cbb7de94c4227e1fbc69aa119360

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe

Filesize
169KB

MD5
9a7f1de86a06ffa4dd731c4c93bc587d

SHA1
641c030762a223b39c89a8f256dc4c3746425399

SHA256
65672bbcd2455c53197dacfd253b58a8494f379f0d93d5dc48a64872449f9707

SHA512
c663b70096215b9b2591f98b859aec119231e2f8788fdb745c05a65d86e734d9d49af030c577ac636199ebaee7addfcffdb7cbb7de94c4227e1fbc69aa119360

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe

Filesize
1.3MB

MD5
ce1eb3c7bdde61ef20effbd586164e96

SHA1
8467a712227d76ccd03698fcda7fa16bce20a42c

SHA256
e6fdb954e4b09d83864ed622a892c2d109f0f72e216b7dddf068405b57dfb6ab

SHA512
e232316ab782fd424473a72893d9374f4237d26cbc6b0ba3d43334f8e49e80b2a77c99d6f7293763f3d76f24306d5d9cb6c476c159a559a6436bf0e79712b289

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i20512061.exe

Filesize
1.3MB

MD5
ce1eb3c7bdde61ef20effbd586164e96

SHA1
8467a712227d76ccd03698fcda7fa16bce20a42c

SHA256
e6fdb954e4b09d83864ed622a892c2d109f0f72e216b7dddf068405b57dfb6ab

SHA512
e232316ab782fd424473a72893d9374f4237d26cbc6b0ba3d43334f8e49e80b2a77c99d6f7293763f3d76f24306d5d9cb6c476c159a559a6436bf0e79712b289

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe

Filesize
1022KB

MD5
f21676f9669f7c2c2ae32c5422418237

SHA1
8f0b5233e50d14778614601964ee7f623e321ef0

SHA256
44a2185394e56a44c7db1de1fd418c49f33ddba4c445d5027093c0c2d87e1b5c

SHA512
2cda2f1d90f73fbef69a4d19293e6525cf340914f8022227c6de1758808422ff9652ec11eafe93ada7720a85798d9042c8593d8dc92d4bf89760f0824eb06f04

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i21404480.exe

Filesize
1022KB

MD5
f21676f9669f7c2c2ae32c5422418237

SHA1
8f0b5233e50d14778614601964ee7f623e321ef0

SHA256
44a2185394e56a44c7db1de1fd418c49f33ddba4c445d5027093c0c2d87e1b5c

SHA512
2cda2f1d90f73fbef69a4d19293e6525cf340914f8022227c6de1758808422ff9652ec11eafe93ada7720a85798d9042c8593d8dc92d4bf89760f0824eb06f04

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe

Filesize
852KB

MD5
a206a35ca6f3e22a6fb39c0569cd7fb5

SHA1
cb951e497b67cb68f0d59cb59c1ac5a813cce03a

SHA256
5a7391067440d954eecb452a197c985f653863ba2d7bac123175e6f5a408c934

SHA512
6c5b2eac1429931be00b646c457f8a29566d4b31593a2c83719878f63325bff9e7df2b2fadac0d98c542c498e64bc5c42691b60d907da2c06f4c161be54577ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23548678.exe

Filesize
852KB

MD5
a206a35ca6f3e22a6fb39c0569cd7fb5

SHA1
cb951e497b67cb68f0d59cb59c1ac5a813cce03a

SHA256
5a7391067440d954eecb452a197c985f653863ba2d7bac123175e6f5a408c934

SHA512
6c5b2eac1429931be00b646c457f8a29566d4b31593a2c83719878f63325bff9e7df2b2fadac0d98c542c498e64bc5c42691b60d907da2c06f4c161be54577ec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe

Filesize
375KB

MD5
c20738d79ae7428cf730dc320ba20b47

SHA1
cf9aaaf4bc7aae51badbfa66c0dbb31672bd8635

SHA256
0ec4871e786957ec5a3a07d1c85506a519bb04cf4fc96bd9ae8c826465124216

SHA512
1e7fc3dd4a81dcdbf106aa703d568a6c800ee238f5ec7be15f66eb33a4a830e7d21b461d04d99105c1e1284215df28898e75bc2f07ad7c9c6689a0431289b4a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i21439371.exe

Filesize
375KB

MD5
c20738d79ae7428cf730dc320ba20b47

SHA1
cf9aaaf4bc7aae51badbfa66c0dbb31672bd8635

SHA256
0ec4871e786957ec5a3a07d1c85506a519bb04cf4fc96bd9ae8c826465124216

SHA512
1e7fc3dd4a81dcdbf106aa703d568a6c800ee238f5ec7be15f66eb33a4a830e7d21b461d04d99105c1e1284215df28898e75bc2f07ad7c9c6689a0431289b4a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe

Filesize
169KB

MD5
9a7f1de86a06ffa4dd731c4c93bc587d

SHA1
641c030762a223b39c89a8f256dc4c3746425399

SHA256
65672bbcd2455c53197dacfd253b58a8494f379f0d93d5dc48a64872449f9707

SHA512
c663b70096215b9b2591f98b859aec119231e2f8788fdb745c05a65d86e734d9d49af030c577ac636199ebaee7addfcffdb7cbb7de94c4227e1fbc69aa119360

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94048842.exe

Filesize
169KB

MD5
9a7f1de86a06ffa4dd731c4c93bc587d

SHA1
641c030762a223b39c89a8f256dc4c3746425399

SHA256
65672bbcd2455c53197dacfd253b58a8494f379f0d93d5dc48a64872449f9707

SHA512
c663b70096215b9b2591f98b859aec119231e2f8788fdb745c05a65d86e734d9d49af030c577ac636199ebaee7addfcffdb7cbb7de94c4227e1fbc69aa119360

Download Submit
memory/1468-104-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/1468-105-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1468-106-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/1468-107-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download