redline | fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
Size

1.5MB
MD5

06c49a40cde38474e581fe8196c97144
SHA1

f51d89725de428ac98e99058b1196398617889ec
SHA256

fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf
SHA512

728e092ea4d12203e7417cedfb409e5884337f8966e6c119f08c752e59bff9876b566b5074d0a54a356cca4678ef0a3f41735bac70770bce07f73c8d86afcc95
SSDEEP

24576:6y4w1qBXlgNPrt/ernl6VRL8tg+m7+MYmZfpHVlS6rQZsNHOmm5jAltG0I5QyFvu:B4wglaz/EQVJAuYmVpHDTrQaup9AlkFN

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i41733190.exei44010740.exei45434198.exei96358631.exea67267342.exe

pid process

2040 i41733190.exe
772 i44010740.exe
1876 i45434198.exe
1728 i96358631.exe
1480 a67267342.exe

pid	process
2040	i41733190.exe
772	i44010740.exe
1876	i45434198.exe
1728	i96358631.exe
1480	a67267342.exe

Loads dropped DLL 10 IoCs

Processes:

fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exei41733190.exei44010740.exei45434198.exei96358631.exea67267342.exe

pid	process
1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
2040	i41733190.exe
2040	i41733190.exe
772	i44010740.exe
772	i44010740.exe
1876	i45434198.exe
1876	i45434198.exe
1728	i96358631.exe
1728	i96358631.exe
1480	a67267342.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i96358631.exefe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exei44010740.exei45434198.exei41733190.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i96358631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i44010740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i44010740.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i96358631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i45434198.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i41733190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i41733190.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i45434198.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exei41733190.exei44010740.exei45434198.exei96358631.exe

description	pid	process	target process
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 1752 wrote to memory of 2040	1752	fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe	i41733190.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 2040 wrote to memory of 772	2040	i41733190.exe	i44010740.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 772 wrote to memory of 1876	772	i44010740.exe	i45434198.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1876 wrote to memory of 1728	1876	i45434198.exe	i96358631.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe
PID 1728 wrote to memory of 1480	1728	i96358631.exe	a67267342.exe

C:\Users\Admin\AppData\Local\Temp\fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe
"C:\Users\Admin\AppData\Local\Temp\fe85520c2d97cce594dd0d6da42162284554c5d501f4c50cd2a37c6708c9a6cf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
Filesize
1.3MB

MD5
3e6abf641867fa06a81980beff90e3a7

SHA1
d49d47a9b0ab47d7ee69ec72d4624b3fb5b921a8

SHA256
00dda400c4bfa5623e78f1660a436a03a3fbd1c17a8227ceef264a3024e28964

SHA512
c45ba1f74d18254a547ac7d0ccfc54379262d7d2d92dce4419f8455fe7d1c831bdb0e55e6b359a624a47e1848ccd6c0bc88b94e8ad5091a0b640891971cd9e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
Filesize
1.3MB

MD5
3e6abf641867fa06a81980beff90e3a7

SHA1
d49d47a9b0ab47d7ee69ec72d4624b3fb5b921a8

SHA256
00dda400c4bfa5623e78f1660a436a03a3fbd1c17a8227ceef264a3024e28964

SHA512
c45ba1f74d18254a547ac7d0ccfc54379262d7d2d92dce4419f8455fe7d1c831bdb0e55e6b359a624a47e1848ccd6c0bc88b94e8ad5091a0b640891971cd9e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
Filesize
1014KB

MD5
4af0cae50c7a40bf423f5a3598963f0a

SHA1
fba8c4995e281a1d5c6d8150a4898e569cdfdd62

SHA256
4beca234c18bd275d3e9e1ef6b9582285272d91d1bb20b2e2d382e0ed08cec60

SHA512
309523ea3418854a21bf6320686684c76dd1bf1844075bccc23293951f6b6be44e4bc4dece65857e75290beaa8f46f222fc7e88c7660a9d67404c7199d7092d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
Filesize
1014KB

MD5
4af0cae50c7a40bf423f5a3598963f0a

SHA1
fba8c4995e281a1d5c6d8150a4898e569cdfdd62

SHA256
4beca234c18bd275d3e9e1ef6b9582285272d91d1bb20b2e2d382e0ed08cec60

SHA512
309523ea3418854a21bf6320686684c76dd1bf1844075bccc23293951f6b6be44e4bc4dece65857e75290beaa8f46f222fc7e88c7660a9d67404c7199d7092d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
Filesize
842KB

MD5
3ab63240985369b23718100b596275c8

SHA1
f7ce0c5202be8bf751098d265d47f98b29e8248c

SHA256
df72145e25a32cb15157b25d77b2257a80bef087a780d648c5e0e059f77bf7e5

SHA512
9218cf765dfd75b75000aa469adff05d8f94869db197e2e3f5dae15cc0fd91e0e09b52d8ca017077ead87c9ea9b0a359a1d5eb7d4bd346fd337326aaa0076177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
Filesize
842KB

MD5
3ab63240985369b23718100b596275c8

SHA1
f7ce0c5202be8bf751098d265d47f98b29e8248c

SHA256
df72145e25a32cb15157b25d77b2257a80bef087a780d648c5e0e059f77bf7e5

SHA512
9218cf765dfd75b75000aa469adff05d8f94869db197e2e3f5dae15cc0fd91e0e09b52d8ca017077ead87c9ea9b0a359a1d5eb7d4bd346fd337326aaa0076177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
Filesize
370KB

MD5
8274ec3f196c145f59b912a3d38e3c6d

SHA1
352ef45be6b8a8524870b9b5be4d5d6f47611dcc

SHA256
5e83ebdd6963b7d1186e25aeef5b60df50f12e876a3ae529e8870bbe6565bdf0

SHA512
d039afe4dab661ae51150a97fc2149eef77e4a0530062d28a86f08ebd57378c9d04d25e3a0ad5c939dd4565582f286309a60d5bcce696bc2f42054f9e6954555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
Filesize
370KB

MD5
8274ec3f196c145f59b912a3d38e3c6d

SHA1
352ef45be6b8a8524870b9b5be4d5d6f47611dcc

SHA256
5e83ebdd6963b7d1186e25aeef5b60df50f12e876a3ae529e8870bbe6565bdf0

SHA512
d039afe4dab661ae51150a97fc2149eef77e4a0530062d28a86f08ebd57378c9d04d25e3a0ad5c939dd4565582f286309a60d5bcce696bc2f42054f9e6954555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
Filesize
169KB

MD5
c25c8b6b96c728271c4e1c4ee81d3af7

SHA1
cfff4be28b6873004e89f7a44445ae53572f5ab6

SHA256
7750bc6294651cf8907344d6b2d2131106a85011031657f684506a42db6381fe

SHA512
c749f6878b8194c6e5f27635eceef9ed5768d9f7c47ec1c0960ab066a5554fc49c386913e9b84759e527d4677243d8621e275ea59b9843874a94840ba57ea42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
Filesize
169KB

MD5
c25c8b6b96c728271c4e1c4ee81d3af7

SHA1
cfff4be28b6873004e89f7a44445ae53572f5ab6

SHA256
7750bc6294651cf8907344d6b2d2131106a85011031657f684506a42db6381fe

SHA512
c749f6878b8194c6e5f27635eceef9ed5768d9f7c47ec1c0960ab066a5554fc49c386913e9b84759e527d4677243d8621e275ea59b9843874a94840ba57ea42b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
Filesize
1.3MB

MD5
3e6abf641867fa06a81980beff90e3a7

SHA1
d49d47a9b0ab47d7ee69ec72d4624b3fb5b921a8

SHA256
00dda400c4bfa5623e78f1660a436a03a3fbd1c17a8227ceef264a3024e28964

SHA512
c45ba1f74d18254a547ac7d0ccfc54379262d7d2d92dce4419f8455fe7d1c831bdb0e55e6b359a624a47e1848ccd6c0bc88b94e8ad5091a0b640891971cd9e72

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i41733190.exe
Filesize
1.3MB

MD5
3e6abf641867fa06a81980beff90e3a7

SHA1
d49d47a9b0ab47d7ee69ec72d4624b3fb5b921a8

SHA256
00dda400c4bfa5623e78f1660a436a03a3fbd1c17a8227ceef264a3024e28964

SHA512
c45ba1f74d18254a547ac7d0ccfc54379262d7d2d92dce4419f8455fe7d1c831bdb0e55e6b359a624a47e1848ccd6c0bc88b94e8ad5091a0b640891971cd9e72

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
Filesize
1014KB

MD5
4af0cae50c7a40bf423f5a3598963f0a

SHA1
fba8c4995e281a1d5c6d8150a4898e569cdfdd62

SHA256
4beca234c18bd275d3e9e1ef6b9582285272d91d1bb20b2e2d382e0ed08cec60

SHA512
309523ea3418854a21bf6320686684c76dd1bf1844075bccc23293951f6b6be44e4bc4dece65857e75290beaa8f46f222fc7e88c7660a9d67404c7199d7092d5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44010740.exe
Filesize
1014KB

MD5
4af0cae50c7a40bf423f5a3598963f0a

SHA1
fba8c4995e281a1d5c6d8150a4898e569cdfdd62

SHA256
4beca234c18bd275d3e9e1ef6b9582285272d91d1bb20b2e2d382e0ed08cec60

SHA512
309523ea3418854a21bf6320686684c76dd1bf1844075bccc23293951f6b6be44e4bc4dece65857e75290beaa8f46f222fc7e88c7660a9d67404c7199d7092d5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
Filesize
842KB

MD5
3ab63240985369b23718100b596275c8

SHA1
f7ce0c5202be8bf751098d265d47f98b29e8248c

SHA256
df72145e25a32cb15157b25d77b2257a80bef087a780d648c5e0e059f77bf7e5

SHA512
9218cf765dfd75b75000aa469adff05d8f94869db197e2e3f5dae15cc0fd91e0e09b52d8ca017077ead87c9ea9b0a359a1d5eb7d4bd346fd337326aaa0076177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45434198.exe
Filesize
842KB

MD5
3ab63240985369b23718100b596275c8

SHA1
f7ce0c5202be8bf751098d265d47f98b29e8248c

SHA256
df72145e25a32cb15157b25d77b2257a80bef087a780d648c5e0e059f77bf7e5

SHA512
9218cf765dfd75b75000aa469adff05d8f94869db197e2e3f5dae15cc0fd91e0e09b52d8ca017077ead87c9ea9b0a359a1d5eb7d4bd346fd337326aaa0076177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
Filesize
370KB

MD5
8274ec3f196c145f59b912a3d38e3c6d

SHA1
352ef45be6b8a8524870b9b5be4d5d6f47611dcc

SHA256
5e83ebdd6963b7d1186e25aeef5b60df50f12e876a3ae529e8870bbe6565bdf0

SHA512
d039afe4dab661ae51150a97fc2149eef77e4a0530062d28a86f08ebd57378c9d04d25e3a0ad5c939dd4565582f286309a60d5bcce696bc2f42054f9e6954555

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i96358631.exe
Filesize
370KB

MD5
8274ec3f196c145f59b912a3d38e3c6d

SHA1
352ef45be6b8a8524870b9b5be4d5d6f47611dcc

SHA256
5e83ebdd6963b7d1186e25aeef5b60df50f12e876a3ae529e8870bbe6565bdf0

SHA512
d039afe4dab661ae51150a97fc2149eef77e4a0530062d28a86f08ebd57378c9d04d25e3a0ad5c939dd4565582f286309a60d5bcce696bc2f42054f9e6954555

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
Filesize
169KB

MD5
c25c8b6b96c728271c4e1c4ee81d3af7

SHA1
cfff4be28b6873004e89f7a44445ae53572f5ab6

SHA256
7750bc6294651cf8907344d6b2d2131106a85011031657f684506a42db6381fe

SHA512
c749f6878b8194c6e5f27635eceef9ed5768d9f7c47ec1c0960ab066a5554fc49c386913e9b84759e527d4677243d8621e275ea59b9843874a94840ba57ea42b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a67267342.exe
Filesize
169KB

MD5
c25c8b6b96c728271c4e1c4ee81d3af7

SHA1
cfff4be28b6873004e89f7a44445ae53572f5ab6

SHA256
7750bc6294651cf8907344d6b2d2131106a85011031657f684506a42db6381fe

SHA512
c749f6878b8194c6e5f27635eceef9ed5768d9f7c47ec1c0960ab066a5554fc49c386913e9b84759e527d4677243d8621e275ea59b9843874a94840ba57ea42b

Download Submit
memory/1480-104-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/1480-105-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1480-106-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1480-107-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download