Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
07-05-2023 09:01
Static task
static1
Behavioral task
behavioral1
Sample
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Resource
win10v2004-20230220-en
General
-
Target
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
-
Size
1.5MB
-
MD5
2a2216b605e12dcd36c580688eaa81e7
-
SHA1
35bf6a2abf0410f0b21ed318f7268cf0f4f57ced
-
SHA256
ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155
-
SHA512
442d967593ce0ea07b91d723b082851707dac15433c9e93715b72d08caed0c0ed4613eba8c46c862725907aa34afda2c822235d65ba73056a92bf758b24679c2
-
SSDEEP
24576:syt4JIJoKJsJ+PMz+eI7i8hEr6YhS/x3Xs77GhHoqLsKaKW+i3QtWMMLlpaqJK9z:btYko8PMVCih2n/xns7CBraCigtyLlpd
Malware Config
Extracted
redline
most
185.161.248.73:4164
-
auth_value
7da4dfa153f2919e617aa016f7c36008
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
876 | i15915063.exe
1920 | i01671203.exe
1156 | i50561024.exe
1104 | i85282792.exe
1560 | a28836202.exe
-
Loads dropped DLL 10 IoCs
Processes:
pid | process
928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
876 | i15915063.exe
876 | i15915063.exe
1920 | i01671203.exe
1920 | i01671203.exe
1156 | i50561024.exe
1156 | i50561024.exe
1104 | i85282792.exe
1104 | i85282792.exe
1560 | a28836202.exe
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i01671203.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i01671203.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i50561024.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i85282792.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i85282792.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i15915063.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i15915063.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i50561024.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description | pid | process | target process
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 928 wrote to memory of 876 | 928 | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe | i15915063.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 876 wrote to memory of 1920 | 876 | i15915063.exe | i01671203.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1920 wrote to memory of 1156 | 1920 | i01671203.exe | i50561024.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1156 wrote to memory of 1104 | 1156 | i50561024.exe | i85282792.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
PID 1104 wrote to memory of 1560 | 1104 | i85282792.exe | a28836202.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe (level 5)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe (level 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads