Analysis

max time kernel: 145s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 02:32
Static task: static1

Behavioral task: behavioral1
  Sample: 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
  Resource: win10v2004-20230220-en
General

Target: 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
Size: 1.5MB
MD5: e4245f3cf0ca75b89369818589d1e650
SHA1: e9f2c879830f433f30674584819e6a578ebc59bf
SHA256: 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf
SHA512: 6db91e32e17ce9130e416713436ac498a67662f8c68de60ee9c99c759ab41cd80384c402bbdc3971780affcb82625974cbd67624d1efa7de3a2c9657f59f10c7
SSDEEP: 24576:GyxtUH6baH77b/yDSp0gSsLhRSsYNMOzblHwoIAHSJBjBpRoWHQVwG9KV2P:VxtaffrsSpP6vMOzhHwlAHGZBpRoThK
Malware Config

Extracted
Family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
Processes:
PID  | Process
2012 | i65774150.exe
860  | i65202804.exe
1008 | i93838554.exe
1756 | i29398549.exe
1296 | a65385482.exe

Loads dropped DLL (10 IoCs)
Processes:
PID  | Process
1372 | 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
2012 | i65774150.exe
2012 | i65774150.exe
860  | i65202804.exe
860  | i65202804.exe
1008 | i93838554.exe
1008 | i93838554.exe
1756 | i29398549.exe
1756 | i29398549.exe
1296 | a65385482.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes:
Description | IoC | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i65202804.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i65202804.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i29398549.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i29398549.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i65774150.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i65774150.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i93838554.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i93838554.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe

Suspicious use of WriteProcessMemory (35 IoCs)
Processes (each parent/target pair below was recorded 7 times, 35 entries in total):
Description | PID | Process | Target process
PID 1372 wrote to memory of 2012 | 1372 | 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe | i65774150.exe
PID 2012 wrote to memory of 860 | 2012 | i65774150.exe | i65202804.exe
PID 860 wrote to memory of 1008 | 860 | i65202804.exe | i93838554.exe
PID 1008 wrote to memory of 1756 | 1008 | i93838554.exe | i29398549.exe
PID 1756 wrote to memory of 1296 | 1756 | i29398549.exe | a65385482.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
  Filesize: 1.3MB
  MD5: 8465796bc9d253b0b3d4ec3de751d5c5
  SHA1: fd52fe589fd51b7244d48e890248085c9e104bb7
  SHA256: d33faed55db69e6b843f9d375fb628093c7f9ed3a6375ab7e9cf332b90e71818
  SHA512: e5a2dbecb48e072c4ae95e19688081df9488b394bd7343e4dbf70719d8cba58ed0325110d797fca55c310b59e622d4928c0a20f34f43d4d94345db3d74effebe
File: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
  Filesize: 1014KB
  MD5: f9434700eb7a240e1c2795e89f12d664
  SHA1: e14104193ce2f49cb00f5f59a1c11ae44403f7fd
  SHA256: f5a40e22994705b3a646a77c0d318e69ba7fecbd8e9a081fabd31c77215a29f7
  SHA512: f73f7e6c4a7bdb14683c538657983db4b060166c899eb469874c3f32f8442b591148ff18c324dcf1f89c1a3af98c27deebe43e13a0824922493d5c1e917d328e
File: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
  Filesize: 842KB
  MD5: 29725d5ac4bc9199bdd1bb029b6acfb5
  SHA1: 0dd7bf18d36ffe14dfd4c1f5985d464a1e098e06
  SHA256: c5518dbbb9cac917cd6d1049d9e762f6292699bd5de7a93f0fec3ff3e57b7ce5
  SHA512: 006cec334d1336d0a02fae33cb9c40d7fb43e617a458f6dfe5bf0a876f748fc297c3a51860989ed8bb72cad8429d1ecd8b4d46765c75a9c9ffcf9c25c9726481
File: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
  Filesize: 370KB
  MD5: cc4f73325e02fe2dafb63a21bc4d7403
  SHA1: f14bc6e373310a1fd07b0d3153267a09c76dcdaf
  SHA256: 8f2b64b11b6ce370f133e2754d17ed0c5cb4f0c3f57b1d4fe64b1034e4b7940e
  SHA512: 255891eac9082925e0727e220795c84745c5d386748a94406755ebc28f2a7adf1ca4e800ea2d41614e084be8f586e631f9fd909e9b2400a576f4882a4d54ebbc
File: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
  Filesize: 169KB
  MD5: 5222a3cc0ec8ddb2a6eb9ac7bc3d3336
  SHA1: 65903e0dfdf285011f847965d11add7fda392e4a
  SHA256: 7c4983c415ba48d6423e6a5cd6a66a0836f46457cd0f17f82e9bca86361f07e5
  SHA512: 15f3987f64df0534f9338aa0e30104e81aae53a959dfc43669d2d7af719457c39c15b2ab01d5d05936d4cc1ffe9aedb402e538148abbf446821b65ea1db5ccff
Memory dump: memory/1296-104-0x00000000001C0000-0x00000000001F0000-memory.dmp
  Filesize: 192KB

Memory dump: memory/1296-105-0x00000000003A0000-0x00000000003A6000-memory.dmp
  Filesize: 24KB

Memory dump: memory/1296-106-0x00000000008C0000-0x0000000000900000-memory.dmp
  Filesize: 256KB

Memory dump: memory/1296-107-0x00000000008C0000-0x0000000000900000-memory.dmp
  Filesize: 256KB