redline | 6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199

Analysis

max time kernel
128s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
Size

1.5MB
MD5

294c68f78d021215839d4d47e1831417
SHA1

524c82f41d84b902744af28b3838e841b5d9f47e
SHA256

6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199
SHA512

8921a6ea1d52678eef7a1a0c4cf98993a985986fd4bf4a68ee44e74066baf2cd3a3c5e7108525dad11aae4feed17a98575acbdc12d356a5594d54899317a5c6e
SSDEEP

24576:EyY7GOUei+Rr2DEQL0UTNC4BlbU9V/Hf1yeqWw4OI+8C88AGjc:TpT4BYE6q9V/f1yeSbIR8f

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i68450354.exei04512922.exei00774195.exei64224404.exea34985584.exe

pid process

2000 i68450354.exe
1192 i04512922.exe
1364 i00774195.exe
1828 i64224404.exe
1540 a34985584.exe

pid	process
2000	i68450354.exe
1192	i04512922.exe
1364	i00774195.exe
1828	i64224404.exe
1540	a34985584.exe

Loads dropped DLL 10 IoCs

Processes:

6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exei68450354.exei04512922.exei00774195.exei64224404.exea34985584.exe

pid	process
2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
2000	i68450354.exe
2000	i68450354.exe
1192	i04512922.exe
1192	i04512922.exe
1364	i00774195.exe
1364	i00774195.exe
1828	i64224404.exe
1828	i64224404.exe
1540	a34985584.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exei00774195.exei64224404.exei68450354.exei04512922.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i00774195.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i64224404.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i68450354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i68450354.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04512922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i04512922.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i00774195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i64224404.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exei68450354.exei04512922.exei00774195.exei64224404.exe

description	pid	process	target process
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2032 wrote to memory of 2000	2032	6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe	i68450354.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 2000 wrote to memory of 1192	2000	i68450354.exe	i04512922.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1192 wrote to memory of 1364	1192	i04512922.exe	i00774195.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1364 wrote to memory of 1828	1364	i00774195.exe	i64224404.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe
PID 1828 wrote to memory of 1540	1828	i64224404.exe	a34985584.exe

C:\Users\Admin\AppData\Local\Temp\6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe
"C:\Users\Admin\AppData\Local\Temp\6013f8da39ad14aeebaf5da0b47a7b263494482ed034ab9594d0f03c86769199.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
Filesize
1.3MB

MD5
60196df2a8e2b30c3884d88f409ffc5a

SHA1
a9a5df703ce83a4d5b646d5dde4040770c2b0024

SHA256
21ca774c7887cb5849cd199eb4892d10f02b5e9c7d58f8c80850c7245607518f

SHA512
e795bc71dc89253e92fe83445a209fea6afc2ef59c30ffb8ccb4a180c9ad5773c4a072bba7d1434f76eddf67eea281377b2a27827cc1fb7041a2fb462bcc1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
Filesize
1.3MB

MD5
60196df2a8e2b30c3884d88f409ffc5a

SHA1
a9a5df703ce83a4d5b646d5dde4040770c2b0024

SHA256
21ca774c7887cb5849cd199eb4892d10f02b5e9c7d58f8c80850c7245607518f

SHA512
e795bc71dc89253e92fe83445a209fea6afc2ef59c30ffb8ccb4a180c9ad5773c4a072bba7d1434f76eddf67eea281377b2a27827cc1fb7041a2fb462bcc1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
Filesize
1001KB

MD5
984f9303104dcb330f509888e57e824f

SHA1
1e3e30faa193d4cd39136cb9934b34f560bcd2ff

SHA256
df745342821e09279ccd4047212e3fb1558bd0ea730256d8b7174d2af4d9e126

SHA512
32248aec404f9d1e23d8e5472f42d9b2e1fbc408ad2841db87f95e9effbdaa799b8fb1c3a901fc8b26770387739f9c0a79d95c99ac1bffa3faa01ad699dae8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
Filesize
1001KB

MD5
984f9303104dcb330f509888e57e824f

SHA1
1e3e30faa193d4cd39136cb9934b34f560bcd2ff

SHA256
df745342821e09279ccd4047212e3fb1558bd0ea730256d8b7174d2af4d9e126

SHA512
32248aec404f9d1e23d8e5472f42d9b2e1fbc408ad2841db87f95e9effbdaa799b8fb1c3a901fc8b26770387739f9c0a79d95c99ac1bffa3faa01ad699dae8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
Filesize
829KB

MD5
7130a31366ba78df04b87a2700fd57bb

SHA1
08bcebafa2204e4fc0de95b8458b4ede267af12a

SHA256
226a402a8587a4aaf0bdb024558ca95f22cb1a80f1ec68d1ff73941d577702a0

SHA512
30e16c5fc01b022858138a76792b6c8d12f34979591bb809908bcdb78477b72dde14ca2801a3632febae8e7a91f8da74f0fc777cb779a7034fd82490d1646f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
Filesize
829KB

MD5
7130a31366ba78df04b87a2700fd57bb

SHA1
08bcebafa2204e4fc0de95b8458b4ede267af12a

SHA256
226a402a8587a4aaf0bdb024558ca95f22cb1a80f1ec68d1ff73941d577702a0

SHA512
30e16c5fc01b022858138a76792b6c8d12f34979591bb809908bcdb78477b72dde14ca2801a3632febae8e7a91f8da74f0fc777cb779a7034fd82490d1646f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
Filesize
364KB

MD5
57eb4b5f5dcb6485fb9dff901f1f1404

SHA1
d1328434d74782ef4755b9f7c2646c28c4124956

SHA256
0382fc257049e74b8cf85e3d4001b4df2cdf4ae359c064f6a3dcc866a5205d8e

SHA512
5148c378b62cf6d8370423f41441b2409a0f14deba440809d0797754955b45b563eeff5d226ac43e006f31a4f863b77c694c9c3377da015b64b5dcfd2faf3a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
Filesize
364KB

MD5
57eb4b5f5dcb6485fb9dff901f1f1404

SHA1
d1328434d74782ef4755b9f7c2646c28c4124956

SHA256
0382fc257049e74b8cf85e3d4001b4df2cdf4ae359c064f6a3dcc866a5205d8e

SHA512
5148c378b62cf6d8370423f41441b2409a0f14deba440809d0797754955b45b563eeff5d226ac43e006f31a4f863b77c694c9c3377da015b64b5dcfd2faf3a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
Filesize
170KB

MD5
b6a96f6ffeec0723101dcfa47ceb5463

SHA1
e2b71f363ada04e2c4cd08d125ff749273707d4b

SHA256
6fc9f60c32437c6fe41bb417601d3730f42c214ba10e9e385da8b7775db1656e

SHA512
337619495ab491f17e0a54c4c6ff7f4c6110d0f59d2546f144e14512b8d68ff1fdf1a6ad2e0ed7dbaea44315114d9a40bfbd3ab6410c7ec8d13d66b45a4f599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
Filesize
170KB

MD5
b6a96f6ffeec0723101dcfa47ceb5463

SHA1
e2b71f363ada04e2c4cd08d125ff749273707d4b

SHA256
6fc9f60c32437c6fe41bb417601d3730f42c214ba10e9e385da8b7775db1656e

SHA512
337619495ab491f17e0a54c4c6ff7f4c6110d0f59d2546f144e14512b8d68ff1fdf1a6ad2e0ed7dbaea44315114d9a40bfbd3ab6410c7ec8d13d66b45a4f599c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
Filesize
1.3MB

MD5
60196df2a8e2b30c3884d88f409ffc5a

SHA1
a9a5df703ce83a4d5b646d5dde4040770c2b0024

SHA256
21ca774c7887cb5849cd199eb4892d10f02b5e9c7d58f8c80850c7245607518f

SHA512
e795bc71dc89253e92fe83445a209fea6afc2ef59c30ffb8ccb4a180c9ad5773c4a072bba7d1434f76eddf67eea281377b2a27827cc1fb7041a2fb462bcc1401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68450354.exe
Filesize
1.3MB

MD5
60196df2a8e2b30c3884d88f409ffc5a

SHA1
a9a5df703ce83a4d5b646d5dde4040770c2b0024

SHA256
21ca774c7887cb5849cd199eb4892d10f02b5e9c7d58f8c80850c7245607518f

SHA512
e795bc71dc89253e92fe83445a209fea6afc2ef59c30ffb8ccb4a180c9ad5773c4a072bba7d1434f76eddf67eea281377b2a27827cc1fb7041a2fb462bcc1401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
Filesize
1001KB

MD5
984f9303104dcb330f509888e57e824f

SHA1
1e3e30faa193d4cd39136cb9934b34f560bcd2ff

SHA256
df745342821e09279ccd4047212e3fb1558bd0ea730256d8b7174d2af4d9e126

SHA512
32248aec404f9d1e23d8e5472f42d9b2e1fbc408ad2841db87f95e9effbdaa799b8fb1c3a901fc8b26770387739f9c0a79d95c99ac1bffa3faa01ad699dae8a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04512922.exe
Filesize
1001KB

MD5
984f9303104dcb330f509888e57e824f

SHA1
1e3e30faa193d4cd39136cb9934b34f560bcd2ff

SHA256
df745342821e09279ccd4047212e3fb1558bd0ea730256d8b7174d2af4d9e126

SHA512
32248aec404f9d1e23d8e5472f42d9b2e1fbc408ad2841db87f95e9effbdaa799b8fb1c3a901fc8b26770387739f9c0a79d95c99ac1bffa3faa01ad699dae8a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
Filesize
829KB

MD5
7130a31366ba78df04b87a2700fd57bb

SHA1
08bcebafa2204e4fc0de95b8458b4ede267af12a

SHA256
226a402a8587a4aaf0bdb024558ca95f22cb1a80f1ec68d1ff73941d577702a0

SHA512
30e16c5fc01b022858138a76792b6c8d12f34979591bb809908bcdb78477b72dde14ca2801a3632febae8e7a91f8da74f0fc777cb779a7034fd82490d1646f63

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i00774195.exe
Filesize
829KB

MD5
7130a31366ba78df04b87a2700fd57bb

SHA1
08bcebafa2204e4fc0de95b8458b4ede267af12a

SHA256
226a402a8587a4aaf0bdb024558ca95f22cb1a80f1ec68d1ff73941d577702a0

SHA512
30e16c5fc01b022858138a76792b6c8d12f34979591bb809908bcdb78477b72dde14ca2801a3632febae8e7a91f8da74f0fc777cb779a7034fd82490d1646f63

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
Filesize
364KB

MD5
57eb4b5f5dcb6485fb9dff901f1f1404

SHA1
d1328434d74782ef4755b9f7c2646c28c4124956

SHA256
0382fc257049e74b8cf85e3d4001b4df2cdf4ae359c064f6a3dcc866a5205d8e

SHA512
5148c378b62cf6d8370423f41441b2409a0f14deba440809d0797754955b45b563eeff5d226ac43e006f31a4f863b77c694c9c3377da015b64b5dcfd2faf3a5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64224404.exe
Filesize
364KB

MD5
57eb4b5f5dcb6485fb9dff901f1f1404

SHA1
d1328434d74782ef4755b9f7c2646c28c4124956

SHA256
0382fc257049e74b8cf85e3d4001b4df2cdf4ae359c064f6a3dcc866a5205d8e

SHA512
5148c378b62cf6d8370423f41441b2409a0f14deba440809d0797754955b45b563eeff5d226ac43e006f31a4f863b77c694c9c3377da015b64b5dcfd2faf3a5b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
Filesize
170KB

MD5
b6a96f6ffeec0723101dcfa47ceb5463

SHA1
e2b71f363ada04e2c4cd08d125ff749273707d4b

SHA256
6fc9f60c32437c6fe41bb417601d3730f42c214ba10e9e385da8b7775db1656e

SHA512
337619495ab491f17e0a54c4c6ff7f4c6110d0f59d2546f144e14512b8d68ff1fdf1a6ad2e0ed7dbaea44315114d9a40bfbd3ab6410c7ec8d13d66b45a4f599c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a34985584.exe
Filesize
170KB

MD5
b6a96f6ffeec0723101dcfa47ceb5463

SHA1
e2b71f363ada04e2c4cd08d125ff749273707d4b

SHA256
6fc9f60c32437c6fe41bb417601d3730f42c214ba10e9e385da8b7775db1656e

SHA512
337619495ab491f17e0a54c4c6ff7f4c6110d0f59d2546f144e14512b8d68ff1fdf1a6ad2e0ed7dbaea44315114d9a40bfbd3ab6410c7ec8d13d66b45a4f599c

Download Submit
memory/1540-104-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/1540-105-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1540-106-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/1540-107-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download