Analysis
-
max time kernel
145s
-
max time network
151s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
07-05-2023 08:59
Static task
static1
Behavioral task
behavioral1
Sample
ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Resource
win10v2004-20230221-en
General
-
Target
ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
-
Size
1.5MB
-
MD5
7e2b7b900ac9b38d9d8bdc7098508b06
-
SHA1
015a269069616f7f46d9f6256b49fe067b6854cb
-
SHA256
ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180
-
SHA512
d8ade0ccfaf1a515f6ecfa0e9f8d337d99b278a1a261d2380a9b21e158145460e564e08407bf5b93104ee689d948942fdf1e8116aa0b25db40797a14b8fa5bac
-
SSDEEP
24576:cywUin5Eo3Nl3ifgCj4AgRf2Jk9lS853c+h2H6GgRu6pEJ1BVsiupslv5gJdw:LwUin6GC7gRf2MlhTh2Ho1MVLIIan
Malware Config
Extracted
redline
most
185.161.248.73:4164
-
auth_value
7da4dfa153f2919e617aa016f7c36008
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
1140 | i98290231.exe
472 | i48968505.exe
672 | i63212516.exe
1764 | i24494922.exe
1484 | a87529677.exe
-
Loads dropped DLL 10 IoCs
Processes:
pid | process
1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
1140 | i98290231.exe
1140 | i98290231.exe
472 | i48968505.exe
472 | i48968505.exe
672 | i63212516.exe
672 | i63212516.exe
1764 | i24494922.exe
1764 | i24494922.exe
1484 | a87529677.exe
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i98290231.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i48968505.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i24494922.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i98290231.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i48968505.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i63212516.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i63212516.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i24494922.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description | pid | process | target process
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1324 wrote to memory of 1140 | 1324 | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe | i98290231.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 1140 wrote to memory of 472 | 1140 | i98290231.exe | i48968505.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 472 wrote to memory of 672 | 472 | i48968505.exe | i63212516.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 672 wrote to memory of 1764 | 672 | i63212516.exe | i24494922.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
PID 1764 wrote to memory of 1484 | 1764 | i24494922.exe | a87529677.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe (depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe (depth 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
Filesize 1.3MB
MD5 56107feddcf8add915ae2daacc34d26d
SHA1 d62868f3d8628c16cf3ade302fed4e5d0dac0793
SHA256 04053357fe848286a6a36b46cdb02ff33f2f8bf24e276414c5848d97a2de6c5c
SHA512 c2f5747f529f81fface9dc16e54fdd7fafad23c94f01f41dc5b64f30aa19943566487765f6219363299ff28eb09e612fd1a78e84cf7e05c874a07a27d8804c77
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
Filesize 1022KB
MD5 5ad40f98343d381c8d8fc4c5953e23ff
SHA1 fba0aca40319ef3d67109051ba7f370ade4731db
SHA256 f3f0e156763a8384894dbc4266598537dc7d4c9ed70aa9d8490d6adc0dd9ac0d
SHA512 140df349baf168c426f684ef6a22b21e0483f9442b622e00943ebbba48fb55b4311fffe8ced1e11ab658b7eb19bffccaeb5c94cb06ffcff883c1fa7b136e3a4c
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
Filesize 851KB
MD5 ff517560b07a482c46b0bf24f7764e2a
SHA1 ef2ff861b33c0596e36ec9b1681e524a36b466bd
SHA256 33dd5ac3c3ca5ecacf6c865def4ba33ab0556badb8fe1eb369ae3fedd38be65a
SHA512 94cbe1705f0290f917f5b407bc21efdf72b44cf19caa978b346ff507704645b3ca304e8c3f00ced7dc454c6ddcca5c13842b09c02694842c5392233d3edaf28d
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
Filesize 374KB
MD5 eff83950d51f3ed7328dd922ef98dc4b
SHA1 1e858a61b5dd65d56d7550825e11f80d50093a74
SHA256 8cdc63d47bc863ecb0b7a07b441d3c9b2fe922302dbab958620198f83ecd249b
SHA512 67c89c8fecbd511d4297e7f5cdf51da84ba08580a2faaf1bdd6e34c560ec1a37f11fa6d8d1ce4583ccc451e89f45e3d8368693b98fdf6c2d1038ec8c7fb553a1
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
Filesize 169KB
MD5 2ce696a18a92f6b4bfc9f11badd5850b
SHA1 d59c17a2c4eac19fa1c3ea54d89f226f6cd757b1
SHA256 0bb8e9c09b8d5d4d149e9f844f2e5fd62633323c5b88196e0428fe75a440159d
SHA512 e485e013385fcce3730aa65bf12229c1b354878796b47d2ec19e0026e6f78bc22146b9b92527f73fc0987584cb64726ceb3a3129782384007869b4e7836efb13
-
memory/1484-104-0x0000000000B70000-0x0000000000BA0000-memory.dmp
Filesize 192KB
-
memory/1484-105-0x0000000000270000-0x0000000000276000-memory.dmp
Filesize 24KB
-
memory/1484-106-0x0000000004C60000-0x0000000004CA0000-memory.dmp
Filesize 256KB
-
memory/1484-107-0x0000000004C60000-0x0000000004CA0000-memory.dmp
Filesize 256KB