redline | 5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe
Size

1.5MB
MD5

35df2fd4398d5041e61602b5c425174e
SHA1

31077dfc9deb42f4e417f234757d0132c5c729f3
SHA256

5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4
SHA512

c7dc53b7e462ff730005b3159395482505b93d3120ad26815bb386c54d1f1561965305fa0e34f81e9387a358c1116b3b403acab36bd35d13d54fc88697d48e9e
SSDEEP

24576:cy/IasYpmnZFmV9C/Ku3CFl0Jvv1PMLIPXtaZhABPgdNj1UBM3bqybKIhU:LwasEmnHm7VlKBMOXqeucWuym

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i91940522.exei75929088.exei30309848.exei84166621.exea26014892.exe

pid process

1416 i91940522.exe
472 i75929088.exe
328 i30309848.exe
1940 i84166621.exe
1168 a26014892.exe

pid	process
1416	i91940522.exe
472	i75929088.exe
328	i30309848.exe
1940	i84166621.exe
1168	a26014892.exe

Loads dropped DLL 10 IoCs

Processes:

5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exei91940522.exei75929088.exei30309848.exei84166621.exea26014892.exe

pid	process
1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe
1416	i91940522.exe
1416	i91940522.exe
472	i75929088.exe
472	i75929088.exe
328	i30309848.exe
328	i30309848.exe
1940	i84166621.exe
1940	i84166621.exe
1168	a26014892.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i30309848.exe5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exei91940522.exei75929088.exei84166621.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i30309848.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30309848.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i91940522.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i75929088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i91940522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i75929088.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i84166621.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i84166621.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exei91940522.exei75929088.exei30309848.exei84166621.exe

description	pid	process	target process
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1544 wrote to memory of 1416	1544	5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe	i91940522.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 1416 wrote to memory of 472	1416	i91940522.exe	i75929088.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 472 wrote to memory of 328	472	i75929088.exe	i30309848.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 328 wrote to memory of 1940	328	i30309848.exe	i84166621.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe
PID 1940 wrote to memory of 1168	1940	i84166621.exe	a26014892.exe

C:\Users\Admin\AppData\Local\Temp\5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe
"C:\Users\Admin\AppData\Local\Temp\5ee3f5d1264460f5b147c9cdbd987bfaa0df82ba312482c7d171d71e0c4373e4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:328

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
Filesize
1.3MB

MD5
d01daefb1ca690d8544c57aacb494803

SHA1
a53df0a24cc04690eb1bd4a76cc469ecc7955110

SHA256
34ffd9891b2b6e476860ed4326c3598d6f2574588d122258543c7ce19ceda45c

SHA512
6c37ff84cf1b3d7caa39de18ff457a82246f4a5e1932d51bc306913752f8eba791d4c41a82551b1cf01c4f0d72d0998a14501b13f6563d2ea86c5f37970ccb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
Filesize
1.3MB

MD5
d01daefb1ca690d8544c57aacb494803

SHA1
a53df0a24cc04690eb1bd4a76cc469ecc7955110

SHA256
34ffd9891b2b6e476860ed4326c3598d6f2574588d122258543c7ce19ceda45c

SHA512
6c37ff84cf1b3d7caa39de18ff457a82246f4a5e1932d51bc306913752f8eba791d4c41a82551b1cf01c4f0d72d0998a14501b13f6563d2ea86c5f37970ccb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
Filesize
1023KB

MD5
de343c297537e2f0d6fda28b2663ef28

SHA1
8693126a415cf3251952f8ab325297f587c8340e

SHA256
4948ae96d5b57e1251fd53a93f4e5973b9937b0805147c10146bfb4027368f74

SHA512
a462951f5f733c163c4ed0ca6846bd0290b1a82aa0f989a724f60de42b9dd7351992882cd87d0abf3e3493562601ce592541ddd3d7b9275ab0a5075251979305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
Filesize
1023KB

MD5
de343c297537e2f0d6fda28b2663ef28

SHA1
8693126a415cf3251952f8ab325297f587c8340e

SHA256
4948ae96d5b57e1251fd53a93f4e5973b9937b0805147c10146bfb4027368f74

SHA512
a462951f5f733c163c4ed0ca6846bd0290b1a82aa0f989a724f60de42b9dd7351992882cd87d0abf3e3493562601ce592541ddd3d7b9275ab0a5075251979305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
Filesize
852KB

MD5
a7299655463a6c991a82bd9043633cc8

SHA1
0eadeb3654b235ee249417d4cad7a7a77bceaad7

SHA256
1092af278f07a6e8e6283fed68e389619006fc6f426bfd8c2662cd467ea07c04

SHA512
283a696802d63116f70a9c581250fec167b104659a9b271a8615033e363144d8072e39e19a495665fc43b68625470d22238259f8454dafdeb96c1e2cf938ec97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
Filesize
852KB

MD5
a7299655463a6c991a82bd9043633cc8

SHA1
0eadeb3654b235ee249417d4cad7a7a77bceaad7

SHA256
1092af278f07a6e8e6283fed68e389619006fc6f426bfd8c2662cd467ea07c04

SHA512
283a696802d63116f70a9c581250fec167b104659a9b271a8615033e363144d8072e39e19a495665fc43b68625470d22238259f8454dafdeb96c1e2cf938ec97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
Filesize
375KB

MD5
0dc0dc8efba4f9a76512a696771ede07

SHA1
f490bcc111e8987267ad504262269f4b1d8d2d6b

SHA256
5afc6427543e99da50e70fb9e476c2f2e7bab6331a7961599c63f8faa99e61b9

SHA512
9af1fb21ab63ab4bfb5ef204658c8011d18800caff92bcdcc89caa5766f4b2bc5243f805e41eb2284ccda60d1ce9051e8099b1e294c9b88b85d8fbfe181b29b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
Filesize
375KB

MD5
0dc0dc8efba4f9a76512a696771ede07

SHA1
f490bcc111e8987267ad504262269f4b1d8d2d6b

SHA256
5afc6427543e99da50e70fb9e476c2f2e7bab6331a7961599c63f8faa99e61b9

SHA512
9af1fb21ab63ab4bfb5ef204658c8011d18800caff92bcdcc89caa5766f4b2bc5243f805e41eb2284ccda60d1ce9051e8099b1e294c9b88b85d8fbfe181b29b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
Filesize
169KB

MD5
cae6e274cc4022445625c20d9e45e6c8

SHA1
71734a406adffee1596d4ace45b81a00f2601732

SHA256
da4a1144b56d4a5c1f8984e7c4254fa9c3a2c4dda211bcbabaae7289096f2e2b

SHA512
eb0d87fade775f06f740d9bf30459e706ecba2a4e31ad1c87caacfc78609ce84403621123556fffa036367741a08abf529dec80ec8e485bec0ac6fff2f8398f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
Filesize
169KB

MD5
cae6e274cc4022445625c20d9e45e6c8

SHA1
71734a406adffee1596d4ace45b81a00f2601732

SHA256
da4a1144b56d4a5c1f8984e7c4254fa9c3a2c4dda211bcbabaae7289096f2e2b

SHA512
eb0d87fade775f06f740d9bf30459e706ecba2a4e31ad1c87caacfc78609ce84403621123556fffa036367741a08abf529dec80ec8e485bec0ac6fff2f8398f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
Filesize
1.3MB

MD5
d01daefb1ca690d8544c57aacb494803

SHA1
a53df0a24cc04690eb1bd4a76cc469ecc7955110

SHA256
34ffd9891b2b6e476860ed4326c3598d6f2574588d122258543c7ce19ceda45c

SHA512
6c37ff84cf1b3d7caa39de18ff457a82246f4a5e1932d51bc306913752f8eba791d4c41a82551b1cf01c4f0d72d0998a14501b13f6563d2ea86c5f37970ccb2e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i91940522.exe
Filesize
1.3MB

MD5
d01daefb1ca690d8544c57aacb494803

SHA1
a53df0a24cc04690eb1bd4a76cc469ecc7955110

SHA256
34ffd9891b2b6e476860ed4326c3598d6f2574588d122258543c7ce19ceda45c

SHA512
6c37ff84cf1b3d7caa39de18ff457a82246f4a5e1932d51bc306913752f8eba791d4c41a82551b1cf01c4f0d72d0998a14501b13f6563d2ea86c5f37970ccb2e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
Filesize
1023KB

MD5
de343c297537e2f0d6fda28b2663ef28

SHA1
8693126a415cf3251952f8ab325297f587c8340e

SHA256
4948ae96d5b57e1251fd53a93f4e5973b9937b0805147c10146bfb4027368f74

SHA512
a462951f5f733c163c4ed0ca6846bd0290b1a82aa0f989a724f60de42b9dd7351992882cd87d0abf3e3493562601ce592541ddd3d7b9275ab0a5075251979305

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75929088.exe
Filesize
1023KB

MD5
de343c297537e2f0d6fda28b2663ef28

SHA1
8693126a415cf3251952f8ab325297f587c8340e

SHA256
4948ae96d5b57e1251fd53a93f4e5973b9937b0805147c10146bfb4027368f74

SHA512
a462951f5f733c163c4ed0ca6846bd0290b1a82aa0f989a724f60de42b9dd7351992882cd87d0abf3e3493562601ce592541ddd3d7b9275ab0a5075251979305

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
Filesize
852KB

MD5
a7299655463a6c991a82bd9043633cc8

SHA1
0eadeb3654b235ee249417d4cad7a7a77bceaad7

SHA256
1092af278f07a6e8e6283fed68e389619006fc6f426bfd8c2662cd467ea07c04

SHA512
283a696802d63116f70a9c581250fec167b104659a9b271a8615033e363144d8072e39e19a495665fc43b68625470d22238259f8454dafdeb96c1e2cf938ec97

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30309848.exe
Filesize
852KB

MD5
a7299655463a6c991a82bd9043633cc8

SHA1
0eadeb3654b235ee249417d4cad7a7a77bceaad7

SHA256
1092af278f07a6e8e6283fed68e389619006fc6f426bfd8c2662cd467ea07c04

SHA512
283a696802d63116f70a9c581250fec167b104659a9b271a8615033e363144d8072e39e19a495665fc43b68625470d22238259f8454dafdeb96c1e2cf938ec97

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
Filesize
375KB

MD5
0dc0dc8efba4f9a76512a696771ede07

SHA1
f490bcc111e8987267ad504262269f4b1d8d2d6b

SHA256
5afc6427543e99da50e70fb9e476c2f2e7bab6331a7961599c63f8faa99e61b9

SHA512
9af1fb21ab63ab4bfb5ef204658c8011d18800caff92bcdcc89caa5766f4b2bc5243f805e41eb2284ccda60d1ce9051e8099b1e294c9b88b85d8fbfe181b29b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i84166621.exe
Filesize
375KB

MD5
0dc0dc8efba4f9a76512a696771ede07

SHA1
f490bcc111e8987267ad504262269f4b1d8d2d6b

SHA256
5afc6427543e99da50e70fb9e476c2f2e7bab6331a7961599c63f8faa99e61b9

SHA512
9af1fb21ab63ab4bfb5ef204658c8011d18800caff92bcdcc89caa5766f4b2bc5243f805e41eb2284ccda60d1ce9051e8099b1e294c9b88b85d8fbfe181b29b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
Filesize
169KB

MD5
cae6e274cc4022445625c20d9e45e6c8

SHA1
71734a406adffee1596d4ace45b81a00f2601732

SHA256
da4a1144b56d4a5c1f8984e7c4254fa9c3a2c4dda211bcbabaae7289096f2e2b

SHA512
eb0d87fade775f06f740d9bf30459e706ecba2a4e31ad1c87caacfc78609ce84403621123556fffa036367741a08abf529dec80ec8e485bec0ac6fff2f8398f2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26014892.exe
Filesize
169KB

MD5
cae6e274cc4022445625c20d9e45e6c8

SHA1
71734a406adffee1596d4ace45b81a00f2601732

SHA256
da4a1144b56d4a5c1f8984e7c4254fa9c3a2c4dda211bcbabaae7289096f2e2b

SHA512
eb0d87fade775f06f740d9bf30459e706ecba2a4e31ad1c87caacfc78609ce84403621123556fffa036367741a08abf529dec80ec8e485bec0ac6fff2f8398f2

Download Submit
memory/1168-104-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/1168-105-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1168-106-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download