redline | fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe
Size

1.5MB
MD5

1d61a947a737891a004722d51d3f7d33
SHA1

01a329701e87f13f0f2c4b3403a055cea5bd6eed
SHA256

fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304
SHA512

06ef98fbb38c1ec2d51ad4dc589ec4e8cb08596ee87e58d3e7941e30313245dbb0ab78d0af590c9be0064231e25c64970b5f772cddf5cea9e6e60ad360198d10
SSDEEP

24576:6ydlA5ZLKaHx8PGcJqRILue5YFXg583FkZMRAeJ5K8N0MIWxJA6Il5F6HDbrAsLc:Bdm5Z+aHxGnJqOCeYXg6SKfK80Yi6WPS

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i62409879.exei96192311.exei53916975.exei90954921.exea14512163.exe

pid process

1440 i62409879.exe
520 i96192311.exe
1736 i53916975.exe
1704 i90954921.exe
1632 a14512163.exe

pid	process
1440	i62409879.exe
520	i96192311.exe
1736	i53916975.exe
1704	i90954921.exe
1632	a14512163.exe

Loads dropped DLL 10 IoCs

Processes:

fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exei62409879.exei96192311.exei53916975.exei90954921.exea14512163.exe

pid	process
1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe
1440	i62409879.exe
1440	i62409879.exe
520	i96192311.exe
520	i96192311.exe
1736	i53916975.exe
1736	i53916975.exe
1704	i90954921.exe
1704	i90954921.exe
1632	a14512163.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i53916975.exefbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exei62409879.exei96192311.exei90954921.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i53916975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i62409879.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i96192311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i96192311.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i53916975.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i90954921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i90954921.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i62409879.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exei62409879.exei96192311.exei53916975.exei90954921.exe

description	pid	process	target process
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1888 wrote to memory of 1440	1888	fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe	i62409879.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 1440 wrote to memory of 520	1440	i62409879.exe	i96192311.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 520 wrote to memory of 1736	520	i96192311.exe	i53916975.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1736 wrote to memory of 1704	1736	i53916975.exe	i90954921.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe
PID 1704 wrote to memory of 1632	1704	i90954921.exe	a14512163.exe

C:\Users\Admin\AppData\Local\Temp\fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe
"C:\Users\Admin\AppData\Local\Temp\fbf84e2f571d3ecf6045c5a26b7f389c5f7550917d67713e87a988c6620e0304.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe

Filesize
1.3MB

MD5
55f898feee62e403375385850cd41731

SHA1
5235e0e7da654606430ead3e003a34fa268d12f8

SHA256
cf2cc30baa561ed0294a8515e577994f3db3a62a5a59ee4d135562c343a811a5

SHA512
8567001e33f1089011956bfc6592281b40abf9ef521613214cf033663d2fa09fed6e89a69b3c919723d05c4bf7d60c0e97e57ba23298ffdb81ee563887a94fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe

Filesize
1.3MB

MD5
55f898feee62e403375385850cd41731

SHA1
5235e0e7da654606430ead3e003a34fa268d12f8

SHA256
cf2cc30baa561ed0294a8515e577994f3db3a62a5a59ee4d135562c343a811a5

SHA512
8567001e33f1089011956bfc6592281b40abf9ef521613214cf033663d2fa09fed6e89a69b3c919723d05c4bf7d60c0e97e57ba23298ffdb81ee563887a94fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe

Filesize
1016KB

MD5
efa7be8e4e91b98e754292c014dc1964

SHA1
cfea526a70bb25e35cf05eaf877d80c928da0e9f

SHA256
87496292dcfdf6aa1434c123fb2b1573a43b680236c8d93fc1b17b6c610c8e41

SHA512
7dc50f4dbd5e14bad417af2a7f7d6416af3025ee32c9a5653cc902dde459d15cda49d6aca8109bc69682195601ccc77678fe968a832d258fd8556c859079f968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe

Filesize
1016KB

MD5
efa7be8e4e91b98e754292c014dc1964

SHA1
cfea526a70bb25e35cf05eaf877d80c928da0e9f

SHA256
87496292dcfdf6aa1434c123fb2b1573a43b680236c8d93fc1b17b6c610c8e41

SHA512
7dc50f4dbd5e14bad417af2a7f7d6416af3025ee32c9a5653cc902dde459d15cda49d6aca8109bc69682195601ccc77678fe968a832d258fd8556c859079f968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe

Filesize
844KB

MD5
ec0abb734b2c16c25902d4a7a9638352

SHA1
81ee60ebad31f159b6fe0e75ae1fc47279d4784a

SHA256
4ec244d31297c1ef34822a202f56c86399e2e2bb52b3a0bdebf41552138ea838

SHA512
364947ce5b05e1db6a15bb023dadf2e70ca2525e7ecf37b1f0d8bb92935679a46508f9f70e3fa9899abae53ca1746961b8b90176f983ed893e66fcd9841b1cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe

Filesize
844KB

MD5
ec0abb734b2c16c25902d4a7a9638352

SHA1
81ee60ebad31f159b6fe0e75ae1fc47279d4784a

SHA256
4ec244d31297c1ef34822a202f56c86399e2e2bb52b3a0bdebf41552138ea838

SHA512
364947ce5b05e1db6a15bb023dadf2e70ca2525e7ecf37b1f0d8bb92935679a46508f9f70e3fa9899abae53ca1746961b8b90176f983ed893e66fcd9841b1cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe

Filesize
371KB

MD5
c1e9b28facb07ac7f31564d148e14b41

SHA1
20f58227dcd9beafde600b2ebe2d15e9fdda7290

SHA256
e2fe72c1772405bf2db99871534144fa6244d9bc36d9d9289440918eef961cc9

SHA512
4bf93daebd98c4543496e9fd9e98071b1dd33adf27a829ae4a28b822b0b2bc29ef3e21fd832455578316f232ac6cb6ef215c74576c300aeafcb551f84f4954cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe

Filesize
371KB

MD5
c1e9b28facb07ac7f31564d148e14b41

SHA1
20f58227dcd9beafde600b2ebe2d15e9fdda7290

SHA256
e2fe72c1772405bf2db99871534144fa6244d9bc36d9d9289440918eef961cc9

SHA512
4bf93daebd98c4543496e9fd9e98071b1dd33adf27a829ae4a28b822b0b2bc29ef3e21fd832455578316f232ac6cb6ef215c74576c300aeafcb551f84f4954cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe

Filesize
169KB

MD5
f4722b7eadf96bff85bbbbe1f930c4cd

SHA1
fd359292db736fdb8d6356030bd82492889d4c79

SHA256
d606b22fde746f31973e869744ac4aedb9b17c3275cbe14ba93facfa676ba8d9

SHA512
09296d31acaca120344ec1708461f1e0354e43d2ab6e5187e5150df9baaed7b540d9df5f089bbba43a32f63c83336976615d990bb20a8765c9a5f381d3791838

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe

Filesize
169KB

MD5
f4722b7eadf96bff85bbbbe1f930c4cd

SHA1
fd359292db736fdb8d6356030bd82492889d4c79

SHA256
d606b22fde746f31973e869744ac4aedb9b17c3275cbe14ba93facfa676ba8d9

SHA512
09296d31acaca120344ec1708461f1e0354e43d2ab6e5187e5150df9baaed7b540d9df5f089bbba43a32f63c83336976615d990bb20a8765c9a5f381d3791838

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe

Filesize
1.3MB

MD5
55f898feee62e403375385850cd41731

SHA1
5235e0e7da654606430ead3e003a34fa268d12f8

SHA256
cf2cc30baa561ed0294a8515e577994f3db3a62a5a59ee4d135562c343a811a5

SHA512
8567001e33f1089011956bfc6592281b40abf9ef521613214cf033663d2fa09fed6e89a69b3c919723d05c4bf7d60c0e97e57ba23298ffdb81ee563887a94fae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62409879.exe

Filesize
1.3MB

MD5
55f898feee62e403375385850cd41731

SHA1
5235e0e7da654606430ead3e003a34fa268d12f8

SHA256
cf2cc30baa561ed0294a8515e577994f3db3a62a5a59ee4d135562c343a811a5

SHA512
8567001e33f1089011956bfc6592281b40abf9ef521613214cf033663d2fa09fed6e89a69b3c919723d05c4bf7d60c0e97e57ba23298ffdb81ee563887a94fae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe

Filesize
1016KB

MD5
efa7be8e4e91b98e754292c014dc1964

SHA1
cfea526a70bb25e35cf05eaf877d80c928da0e9f

SHA256
87496292dcfdf6aa1434c123fb2b1573a43b680236c8d93fc1b17b6c610c8e41

SHA512
7dc50f4dbd5e14bad417af2a7f7d6416af3025ee32c9a5653cc902dde459d15cda49d6aca8109bc69682195601ccc77678fe968a832d258fd8556c859079f968

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i96192311.exe

Filesize
1016KB

MD5
efa7be8e4e91b98e754292c014dc1964

SHA1
cfea526a70bb25e35cf05eaf877d80c928da0e9f

SHA256
87496292dcfdf6aa1434c123fb2b1573a43b680236c8d93fc1b17b6c610c8e41

SHA512
7dc50f4dbd5e14bad417af2a7f7d6416af3025ee32c9a5653cc902dde459d15cda49d6aca8109bc69682195601ccc77678fe968a832d258fd8556c859079f968

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe

Filesize
844KB

MD5
ec0abb734b2c16c25902d4a7a9638352

SHA1
81ee60ebad31f159b6fe0e75ae1fc47279d4784a

SHA256
4ec244d31297c1ef34822a202f56c86399e2e2bb52b3a0bdebf41552138ea838

SHA512
364947ce5b05e1db6a15bb023dadf2e70ca2525e7ecf37b1f0d8bb92935679a46508f9f70e3fa9899abae53ca1746961b8b90176f983ed893e66fcd9841b1cb6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53916975.exe

Filesize
844KB

MD5
ec0abb734b2c16c25902d4a7a9638352

SHA1
81ee60ebad31f159b6fe0e75ae1fc47279d4784a

SHA256
4ec244d31297c1ef34822a202f56c86399e2e2bb52b3a0bdebf41552138ea838

SHA512
364947ce5b05e1db6a15bb023dadf2e70ca2525e7ecf37b1f0d8bb92935679a46508f9f70e3fa9899abae53ca1746961b8b90176f983ed893e66fcd9841b1cb6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe

Filesize
371KB

MD5
c1e9b28facb07ac7f31564d148e14b41

SHA1
20f58227dcd9beafde600b2ebe2d15e9fdda7290

SHA256
e2fe72c1772405bf2db99871534144fa6244d9bc36d9d9289440918eef961cc9

SHA512
4bf93daebd98c4543496e9fd9e98071b1dd33adf27a829ae4a28b822b0b2bc29ef3e21fd832455578316f232ac6cb6ef215c74576c300aeafcb551f84f4954cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i90954921.exe

Filesize
371KB

MD5
c1e9b28facb07ac7f31564d148e14b41

SHA1
20f58227dcd9beafde600b2ebe2d15e9fdda7290

SHA256
e2fe72c1772405bf2db99871534144fa6244d9bc36d9d9289440918eef961cc9

SHA512
4bf93daebd98c4543496e9fd9e98071b1dd33adf27a829ae4a28b822b0b2bc29ef3e21fd832455578316f232ac6cb6ef215c74576c300aeafcb551f84f4954cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe

Filesize
169KB

MD5
f4722b7eadf96bff85bbbbe1f930c4cd

SHA1
fd359292db736fdb8d6356030bd82492889d4c79

SHA256
d606b22fde746f31973e869744ac4aedb9b17c3275cbe14ba93facfa676ba8d9

SHA512
09296d31acaca120344ec1708461f1e0354e43d2ab6e5187e5150df9baaed7b540d9df5f089bbba43a32f63c83336976615d990bb20a8765c9a5f381d3791838

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14512163.exe

Filesize
169KB

MD5
f4722b7eadf96bff85bbbbe1f930c4cd

SHA1
fd359292db736fdb8d6356030bd82492889d4c79

SHA256
d606b22fde746f31973e869744ac4aedb9b17c3275cbe14ba93facfa676ba8d9

SHA512
09296d31acaca120344ec1708461f1e0354e43d2ab6e5187e5150df9baaed7b540d9df5f089bbba43a32f63c83336976615d990bb20a8765c9a5f381d3791838

Download Submit
memory/1632-104-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/1632-105-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1632-106-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1632-107-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download