Analysis
max time kernel: 189s
max time network: 193s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
  Resource: win10v2004-20230220-en
General
Target: 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
Size: 1.4MB
MD5: 760589aca2c763c7c6494e3df408943c
SHA1: 7d9eecd6ae4818c5b7a5ef707ea6bee0ae1ccf06
SHA256: 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54
SHA512: f75b0813354f2b25137461bc13d4e616a0b56bc55b0a9bd3bc283e9bf5af4aa5aadf6cef2a0963b937c61c7a5683c46d872190b2afe22d032c21368e47ff52a5
SSDEEP: 24576:nyTQEo0deVoVXaY3x4SH9z2ST2aKIQvtSCn0dYB7u18it66mYCriJ:yjo0deVUqY3xASTfgtSpYtu18irBA
Malware Config
Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
Processes:
  PID 1572  i47548912.exe
  PID 1300  i05432573.exe
  PID 1708  i23945477.exe
  PID 1868  i57448399.exe
  PID 544   a53195080.exe
Loads dropped DLL (10 IoCs)
Processes (one row per load event):
  PID 1744  5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
  PID 1572  i47548912.exe (x2)
  PID 1300  i05432573.exe (x2)
  PID 1708  i23945477.exe (x2)
  PID 1868  i57448399.exe (x2)
  PID 544   a53195080.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes and registry writes (all under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce; values shown exactly as the report prints them, with backslashes doubled):
  Key created      RunOnce   5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
  Set value (str)  RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
  Key created      RunOnce   i47548912.exe
  Set value (str)  RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   i47548912.exe
  Key created      RunOnce   i05432573.exe
  Set value (str)  RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   i05432573.exe
  Key created      RunOnce   i23945477.exe
  Set value (str)  RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   i23945477.exe
  Key created      RunOnce   i57448399.exe
  Set value (str)  RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""   i57448399.exe
Note for triage: a wextract_cleanupN value that calls advpack.dll,DelNodeRunDLL32 is what a wextract (IExpress) self-extracting package writes so that its IXPnnn.TMP extraction directory is deleted at the next logon. The five values above therefore identify five nested self-extractor layers (IXP000 to IXP004) rather than persistence of the final payload; the innermost process, a53195080.exe, sets no such value.
Suspicious use of WriteProcessMemory (35 IoCs)
Processes (the 35 rows are 7 identical writes for each of 5 parent/child pairs):
  PID 1744 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe  wrote to memory of  PID 1572 i47548912.exe  (7 rows)
  PID 1572 i47548912.exe  wrote to memory of  PID 1300 i05432573.exe  (7 rows)
  PID 1300 i05432573.exe  wrote to memory of  PID 1708 i23945477.exe  (7 rows)
  PID 1708 i23945477.exe  wrote to memory of  PID 1868 i57448399.exe  (7 rows)
  PID 1868 i57448399.exe  wrote to memory of  PID 544 a53195080.exe  (7 rows)
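Reconstructing the stage chain from the two signatures above. This is an added Python example, not part of the sandbox report or of any tool it references; it assumes only the row layouts the report prints (the "PID X wrote to memory of Y ..." rows and the "Set value (str) ... wextract_cleanupN = ..." rows, copied verbatim as sample input). It collapses the repeated WriteProcessMemory rows into one parent/child edge, follows the chain from the one process that is never a child, decodes each RunOnce value to the directory that DelNodeRunDLL32 will delete, and labels every process that registered such a value as a self-extractor layer; the one process without it is the final payload.

```python
import re
from collections import Counter

# Rows copied from the "Suspicious use of WriteProcessMemory" signature. The
# report lists each parent/child pair seven times; "* 7" reproduces that so the
# de-duplication below is exercised.
WPM_ROWS = [
    "PID 1744 wrote to memory of 1572 1744 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe i47548912.exe",
    "PID 1572 wrote to memory of 1300 1572 i47548912.exe i05432573.exe",
    "PID 1300 wrote to memory of 1708 1300 i05432573.exe i23945477.exe",
    "PID 1708 wrote to memory of 1868 1708 i23945477.exe i57448399.exe",
    "PID 1868 wrote to memory of 544 1868 i57448399.exe a53195080.exe",
] * 7

# "Set value (str)" rows copied from the "Adds Run key" signature, exactly as
# the report prints them (backslashes doubled, inner quotes escaped).
RUNONCE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" i47548912.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" i05432573.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" i23945477.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" i57448399.exe
'''.strip().splitlines()

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RUNONCE_RE = re.compile(r'RunOnce\\(wextract_cleanup\d+) = "(.*)" (\S+)$')
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "([^"]+)"')


def parse_wpm(rows):
    """Collapse WriteProcessMemory rows into parent->children edges plus a per-pair row count."""
    children, names, calls = {}, {}, Counter()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        ppid, cpid, pname, cname = int(m[1]), int(m[2]), m[3], m[4]
        names[ppid], names[cpid] = pname, cname
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
        calls[(ppid, cpid)] += 1
    return children, names, calls


def chain_from_root(children, names):
    """Walk the linear chain starting at the one process that is never a child."""
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    pid = roots[0]
    chain = [(pid, names[pid])]
    while pid in children:
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} has {len(children[pid])} children; not a linear chain")
        pid = children[pid][0]
        chain.append((pid, names[pid]))
    return chain


def parse_runonce(rows):
    """Map image name -> (value name, directory that DelNodeRunDLL32 deletes at next logon)."""
    cleanup = {}
    for row in rows:
        m = RUNONCE_RE.search(row.strip())
        if not m:
            continue
        value_name, raw_value, image = m.groups()
        # Undo the report's escaping: \" -> " first, then \\ -> \ (order matters).
        value = raw_value.replace('\\"', '"').replace("\\\\", "\\")
        d = DELNODE_RE.search(value)
        if d:
            cleanup[image] = (value_name, d[1])
    return cleanup


def classify(chain, cleanup):
    """Label each process as a wextract self-extractor stage or as the final payload."""
    out = []
    for pid, image in chain:
        if image in cleanup:
            out.append((pid, image, f"wextract stage, {cleanup[image][0]} deletes {cleanup[image][1]}"))
        else:
            out.append((pid, image, "final payload (no wextract cleanup value)"))
    return out


if __name__ == "__main__":
    children, names, calls = parse_wpm(WPM_ROWS)
    chain = chain_from_root(children, names)
    print(" -> ".join(f"{name} ({pid})" for pid, name in chain))
    for (p, c), n in sorted(calls.items()):
        print(f"  {p} -> {c}: {n} rows collapsed to one edge")
    for pid, image, label in classify(chain, parse_runonce(RUNONCE_ROWS)):
        print(f"{pid:>5}  {image:<70}  {label}")
```

The root is found structurally (the only parent that never appears as a child) rather than by name, so the same script works on other reports of this packer family; the two ValueError branches are there because a branching tree, which a different dropper would produce, should be reported rather than silently truncated to one path.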
Processes
C:\Users\Admin\AppData\Local\Temp\5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe (depth 1, PID 1744)
  command line: "C:\Users\Admin\AppData\Local\Temp\5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe (depth 2, PID 1572)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe (depth 3, PID 1300)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe (depth 4, PID 1708)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe (depth 5, PID 1868)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe (depth 6, PID 544)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
  Filesize: 1.2MB
  MD5: 486fb071e58d4afcba8f5e477e2e9cd0
  SHA1: b1b4aaf4f561735d594708ed49931d0ed56bab0b
  SHA256: 06b27d9119bab115ff7ce61ace3920fa8694d937f65347e55373bc08f7b5f58e
  SHA512: 167a4051b67bdbd3018984a6ce2ff062437d0e639f77f94c39fcede6823ae6701602e6000542a925261781adfbea59020b2cdb8ecdb3053bde7661ee115c4d00
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
  Filesize: 1001KB
  MD5: 97d7fa20b0c34fc1c955200d3bac309d
  SHA1: 27bf9856c6792a7599d2d38cce9c485731d6b6e6
  SHA256: 07191226c19a17f819a3895a1e435537a19fe470621911109b029237e3989668
  SHA512: 75bdf797ccdc6722ab5d356669731461f1c5c662bb97e46ed4334170a7073a1a1fdc090da5e7bc844910beb2cbc3365cee541c5ad3276cac1c5c5a5b21f0596d
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
  Filesize: 828KB
  MD5: b1aa79a48ab8fb6c8ec7f373bca818d4
  SHA1: 1f49393bd7589fb9d7529f861d8a6c8102b70d02
  SHA256: 27f2087869c655603991832e84830bec4f5b6da01f906970997047da455c7383
  SHA512: 2896896bf431e7f33ff7fe061c81083c127c817bb281a09e6a57d4720649c87e28e951f3196162d27d449bf6438299f6b372aee11ba1d14d29e47ad68c7294f8
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
  Filesize: 363KB
  MD5: 815e725d878a240f2881800068c1d052
  SHA1: 2e0178cce3226ff86283ada1d64d00d8fe545cc1
  SHA256: 5921374d62dc6c3f39e16c81f6e5f69853f44c98dda461822f8990c44e3eced1
  SHA512: 30cafe6944f4032c70bc6621dfd2f3cb4f402d885d0c88e592b75449070269e7382b7ac62a11ef93d7fad7cf849c42c4bcbf40433cf8d35983da93bf2eb83355
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
  Filesize: 170KB
  MD5: a8bd842f7bad18af1f59c52de50f491c
  SHA1: 601d33025964a556151d42cadb68137ad517cd4e
  SHA256: 362f3e1af9af0e6896f10b42c981a38f43317e542b1238375d4e718c4788f610
  SHA512: 8042546d3729c4378d90bbb3993eea11f082d518ee1ea71c458b8574bcb0b1e800b83f9aaaa07d762df3f1ac5b7b28b326d9145b23040e4c42548c6603f0502d
Memory dumps (all from PID 544, a53195080.exe, the innermost stage):
memory/544-104-0x0000000000BB0000-0x0000000000BE0000-memory.dmp  Filesize: 192KB
memory/544-105-0x00000000002B0000-0x00000000002B6000-memory.dmp  Filesize: 24KB
memory/544-106-0x0000000004CB0000-0x0000000004CF0000-memory.dmp  Filesize: 256KB
memory/544-107-0x0000000004CB0000-0x0000000004CF0000-memory.dmp  Filesize: 256KB