Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 02:32

Static task: static1
Behavioral task: behavioral1
  Sample: 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
  Resource: win10v2004-20230220-en
General
Target: 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Size: 1.5MB
MD5: f5fbe007d36a35e1882a177e071d6d8b
SHA1: 2e4d6f71552d1b10921bd0e5984a848200e7f6ca
SHA256: 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c
SHA512: 95f0945e53dbdf7ac1c6e0da58675482f5eb1463d622bd4bb5b8765bd5eb52190333a9f5b12e7ba23daab4a3be100d0d78f67dc1d57bbc5f963e78383c2dca34
SSDEEP: 24576:LySVXRIK2xUnFVvHgJokypBJPTxwxYS78dauD5Dk+QMKIO697ushjD7FvmYZEFO:+SVXRIK2oFx/FaxYS78cw5I+QpN6o2js
Malware Config
Extracted family: redline
Botnet: most
C2: 185.161.248.73:4164
auth_value: 7da4dfa153f2919e617aa016f7c36008
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
Processes (pid | process):
1264 | i11647612.exe
876  | i20476563.exe
1916 | i39727170.exe
1504 | i31836311.exe
1860 | a43944319.exe
Loads dropped DLL (10 IoCs)
Processes (pid | process):
1764 | 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
1264 | i11647612.exe
1264 | i11647612.exe
876  | i20476563.exe
876  | i20476563.exe
1916 | i39727170.exe
1916 | i39727170.exe
1504 | i31836311.exe
1504 | i31836311.exe
1860 | a43944319.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i31836311.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i11647612.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i20476563.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i31836311.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i20476563.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i39727170.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i39727170.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i11647612.exe
Suspicious use of WriteProcessMemory (35 IoCs)
Processes (description | pid | process | target process); each of the five rows below is recorded seven times in the report, 35 events in total:
PID 1764 wrote to memory of 1264 | 1764 | 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe | i11647612.exe
PID 1264 wrote to memory of 876  | 1264 | i11647612.exe | i20476563.exe
PID 876 wrote to memory of 1916  | 876  | i20476563.exe | i39727170.exe
PID 1916 wrote to memory of 1504 | 1916 | i39727170.exe | i31836311.exe
PID 1504 wrote to memory of 1860 | 1504 | i31836311.exe | a43944319.exe
Processes (nesting depth shows the parent/child chain)

Depth 1: C:\Users\Admin\AppData\Local\Temp\5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
            - Executes dropped EXE
            - Loads dropped DLL
Downloads
memory/1860-104-0x00000000001C0000-0x00000000001F0000-memory.dmp | 192KB
memory/1860-105-0x0000000000350000-0x0000000000356000-memory.dmp | 24KB
memory/1860-106-0x0000000004BD0000-0x0000000004C10000-memory.dmp | 256KB
memory/1860-107-0x0000000004BD0000-0x0000000004C10000-memory.dmp | 256KB