Analysis
max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted
07-05-2023 09:02
Static task
static1
Behavioral task
behavioral1
Sample
ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Resource
win10v2004-20230220-en
General
-
Target
ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
-
Size
1.5MB
-
MD5
2f500d17337e9e612d6673e05ad272d6
-
SHA1
cecba24029cff3333bbfc6ee1dc2eff8deffa086
-
SHA256
ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91
-
SHA512
e3680ed43050fc2f3c7f228a10e64c633f16971b56d92e5f28ba2964845ec855a0032b36d90185f40707334d9eedf0e93061cc0f489d5fc03b5e1deb71f0859c
-
SSDEEP
24576:hyFfCkL4o+fHTkGnYu7KNBvneXVjKgq8ozWIKcKXnI75gp2GW0wmqO8vulVFwDxP:U5Cftz9oBveljKgqZ/fdChW3yjFwVpdd
Malware Config
Extracted
Family
redline
Botnet
most
C2
185.161.248.73:4164
Attributes
auth_value
7da4dfa153f2919e617aa016f7c36008
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
Processes (pid, process):
2000 i17337301.exe
1096 i03921348.exe
268 i52715888.exe
1332 i70166531.exe
1796 a17553422.exe
Loads dropped DLL 10 IoCs
Processes (pid, process):
2024 ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
2000 i17337301.exe
2000 i17337301.exe
1096 i03921348.exe
1096 i03921348.exe
268 i52715888.exe
268 i52715888.exe
1332 i70166531.exe
1332 i70166531.exe
1796 a17553422.exe
Adds Run key to start application 2 TTPs 10 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i17337301.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i17337301.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i03921348.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i70166531.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i03921348.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i52715888.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i52715888.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i70166531.exe
Suspicious use of WriteProcessMemory 35 IoCs
Processes (pid, process -> target pid, target process; each line repeats 7 times in the raw report, 35 IoCs in total):
PID 2024 ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe wrote to memory of 2000 i17337301.exe (7 IoCs)
PID 2000 i17337301.exe wrote to memory of 1096 i03921348.exe (7 IoCs)
PID 1096 i03921348.exe wrote to memory of 268 i52715888.exe (7 IoCs)
PID 268 i52715888.exe wrote to memory of 1332 i70166531.exe (7 IoCs)
PID 1332 i70166531.exe wrote to memory of 1796 a17553422.exe (7 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ffca1ddbff9f0e7f4644f987dff8916533aa56fb66d71ed4cb87c9cabd2f8e91.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe (depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe (depth 6)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i17337301.exe
Filesize
1.3MB
MD5
1484c1cfa9841cb05566f0e86208623c
SHA1
b7b8af8387fc44a78485d02a97176a7c3f41bf90
SHA256
0dff9def885869609d0d35ec5776eaf891576a63ab929d7018d5f5a7bc390fdf
SHA512
838c27c7288e6be3f0d0aabffebe81e002cfdb9e80cc94c760e0214dd7a08a33a70140b24277dceb813f60c30908ebdeccf33af9ccd331c57509d792550bcb31
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i03921348.exe
Filesize
1015KB
MD5
1349d4373e71d1c13c3b00c728a14153
SHA1
e7143f988ab19486448f339e9078fe678336b719
SHA256
f927cc8ae71fd8b2fd1985f5ebeee653964c4cf2a0f36b43cf82b5f2534472cf
SHA512
048deb54e4c53af5720b9693b76175e5b939a069447b22c7df83eb591cec1af7907cca307c90610c25ec0f4c25c36674c2e3831f1bcf9af80a9093e281141f0c
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52715888.exe
Filesize
843KB
MD5
b0fd3d85dcb3f451eedec5d688d970cd
SHA1
2ab9d71bd64732c37019771a5e43ba8edb2bb67d
SHA256
8e055a2ccb9e52aab68d1791a5c98ecaee330877741009ed0c0f15ec81870593
SHA512
5af7eaebcea0df43e171750284df00fbd92e9e64dea54762ef702520c6a57f8bab62a0f7e6bc23deeade4d84e62e144998ec9933c1f62c1760f5d9ab9cea6d3f
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i70166531.exe
Filesize
371KB
MD5
766853a43b90868d88a06baf36eb60bd
SHA1
159ccf2a099974b31c2c92c71295b3c3b7d94651
SHA256
a30ae3667cf05de6b5896f5fee47a761c760e80e2971dba32bc688e37f0ca07d
SHA512
e9648bab8d1f06142c32e6f9d9885b80be3b60d70cd807d4e612bf98aed95a776c20908981310cc9b6b5145dd3e094b16940f34f4a5878da2309ad213bb54623
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a17553422.exe
Filesize
169KB
MD5
fe3e0a8ac53a91f9992c283f5828209b
SHA1
c08ddcc66b8533ba9d1b1adeda5e52363dd45b4f
SHA256
942c6f5c242fa3aab2531b87e8e9e4dc9bdb206d71fa5e23976b09cc7b494ef3
SHA512
ac7e14a956c6fcfe1a9566f9ff8be1271ece34c7bb71cdd79215a4123ebb844afba965f613548be6fa392646dfe27071bc2a4c21cefe15f27fa6a2c160029a8a
-
memory/1796-104-0x0000000000D30000-0x0000000000D60000-memory.dmp
Filesize
192KB
-
memory/1796-105-0x0000000000330000-0x0000000000336000-memory.dmp
Filesize
24KB
-
memory/1796-106-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
Filesize
256KB
-
memory/1796-107-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
Filesize
256KB