redline | c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3

Analysis

max time kernel
211s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe
Size

991KB
MD5

534789bb0bb883fc496e0cccc62ca3ac
SHA1

80dd56d076200408cc50560e21d17715c5992cfa
SHA256

c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3
SHA512

abad34cfaf96290ecedf6bb31083b9f16a3303cb0a662f3e2ba8884d8c48aedabbe3629d711b7bec11fbde0877bb2a91d072125ad70809667570875c1319f864
SSDEEP

24576:1ytScebqMN9p7gWZOX+Se2d1FWGm7M/nw1aH18s/Gp/:QtRcqE9eWZOXpe2bdFnem1VO

Score

10^/10

redline mixer infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

mixer

185.161.248.75:4132

Attributes

auth_value
3668eba4f0cb1021a9e9ed55e76ed85e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4868	v8326181.exe
2188	v7327914.exe
2336	a6027330.exe
264	a6027330.exe
1820	b3380569.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7327914.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8326181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8326181.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7327914.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 264	2336	a6027330.exe	82

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
264	a6027330.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	a6027330.exe
Token: SeDebugPrivilege	264	a6027330.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4868	380	c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe	79
PID 380 wrote to memory of 4868	380	c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe	79
PID 380 wrote to memory of 4868	380	c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe	79
PID 4868 wrote to memory of 2188	4868	v8326181.exe	80
PID 4868 wrote to memory of 2188	4868	v8326181.exe	80
PID 4868 wrote to memory of 2188	4868	v8326181.exe	80
PID 2188 wrote to memory of 2336	2188	v7327914.exe	81
PID 2188 wrote to memory of 2336	2188	v7327914.exe	81
PID 2188 wrote to memory of 2336	2188	v7327914.exe	81
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2336 wrote to memory of 264	2336	a6027330.exe	82
PID 2188 wrote to memory of 1820	2188	v7327914.exe	83
PID 2188 wrote to memory of 1820	2188	v7327914.exe	83
PID 2188 wrote to memory of 1820	2188	v7327914.exe	83

C:\Users\Admin\AppData\Local\Temp\c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe
"C:\Users\Admin\AppData\Local\Temp\c1d3a8ce4e3ddce5640ce080b549646fdd08f1dac3ed6f70686a47d961f379b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8326181.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8326181.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7327914.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7327914.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3380569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3380569.exe
      4⤵
      Executes dropped EXE
      PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a6027330.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8326181.exe

Filesize
595KB

MD5
36778adc7c8911e86b7e1a943fc9ed4e

SHA1
d5bc3281ca9e80b60b464f8380d5fe2fbec5fcf3

SHA256
8056375df52389fc246b05ae728cd48bafc5d199b9f3068f4e16516140f39f1b

SHA512
b48df4d6e685a33cda2107df7b390255190205a833669b229bad2b3c96539305a5ed1d783b3c55eb683dfec59fe32c349379dc801a7ff0616765ab18c5470f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8326181.exe

Filesize
595KB

MD5
36778adc7c8911e86b7e1a943fc9ed4e

SHA1
d5bc3281ca9e80b60b464f8380d5fe2fbec5fcf3

SHA256
8056375df52389fc246b05ae728cd48bafc5d199b9f3068f4e16516140f39f1b

SHA512
b48df4d6e685a33cda2107df7b390255190205a833669b229bad2b3c96539305a5ed1d783b3c55eb683dfec59fe32c349379dc801a7ff0616765ab18c5470f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7327914.exe

Filesize
424KB

MD5
e7f88fcd98b4a688fb4d7b5718442f12

SHA1
e1a354c5705dd27b561cc5c66e6cba2e9437b386

SHA256
d3ea5d3d44c9d70036d7d5090ceef78ca7c6304211e729c430496d07d5bb505a

SHA512
9fadc3dc5f3ca0937eaff844eac364a1c1ab7f31380ba7a323de369ca6d9af12d18fb70c76cbe4f5ea81dacca1c189d4b390900bf6ad587c6d2cfb1dec612f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7327914.exe

Filesize
424KB

MD5
e7f88fcd98b4a688fb4d7b5718442f12

SHA1
e1a354c5705dd27b561cc5c66e6cba2e9437b386

SHA256
d3ea5d3d44c9d70036d7d5090ceef78ca7c6304211e729c430496d07d5bb505a

SHA512
9fadc3dc5f3ca0937eaff844eac364a1c1ab7f31380ba7a323de369ca6d9af12d18fb70c76cbe4f5ea81dacca1c189d4b390900bf6ad587c6d2cfb1dec612f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe

Filesize
769KB

MD5
a363ae17ecfeb7945f5e02e2ce05035f

SHA1
50cb18976135aaa05d30229f6ad8f3a931a351aa

SHA256
118af2345d42c51b477cb4c5a359cda3c547ec08a8907204ec13ac47e59033ba

SHA512
533aa7ca169bca67d6f40b7388c99318cc403a1f6e966ebde770c2a7e2c9d5272a9786f5064252358aea787396dfe0deea469399acfaed81672b20bd97b0fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe

Filesize
769KB

MD5
a363ae17ecfeb7945f5e02e2ce05035f

SHA1
50cb18976135aaa05d30229f6ad8f3a931a351aa

SHA256
118af2345d42c51b477cb4c5a359cda3c547ec08a8907204ec13ac47e59033ba

SHA512
533aa7ca169bca67d6f40b7388c99318cc403a1f6e966ebde770c2a7e2c9d5272a9786f5064252358aea787396dfe0deea469399acfaed81672b20bd97b0fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6027330.exe

Filesize
769KB

MD5
a363ae17ecfeb7945f5e02e2ce05035f

SHA1
50cb18976135aaa05d30229f6ad8f3a931a351aa

SHA256
118af2345d42c51b477cb4c5a359cda3c547ec08a8907204ec13ac47e59033ba

SHA512
533aa7ca169bca67d6f40b7388c99318cc403a1f6e966ebde770c2a7e2c9d5272a9786f5064252358aea787396dfe0deea469399acfaed81672b20bd97b0fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3380569.exe

Filesize
145KB

MD5
3bfc438d15a9f957baaffb6dad7b8ceb

SHA1
86a167cd19216126716b3b1582cb127c648eae9f

SHA256
2dc5d7276b95b3718a0dbbb753521aa5f214734946630444499ecf7298d530f6

SHA512
fa1a3e1316b4734fddc5ab9f791ab9c26256913bf9cc883713ff4792d5c2a18f13f19f69452e61d12c82a9178ce7bd9b5862d1d627a45895b34404f020694a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3380569.exe

Filesize
145KB

MD5
3bfc438d15a9f957baaffb6dad7b8ceb

SHA1
86a167cd19216126716b3b1582cb127c648eae9f

SHA256
2dc5d7276b95b3718a0dbbb753521aa5f214734946630444499ecf7298d530f6

SHA512
fa1a3e1316b4734fddc5ab9f791ab9c26256913bf9cc883713ff4792d5c2a18f13f19f69452e61d12c82a9178ce7bd9b5862d1d627a45895b34404f020694a1c

Download Submit
memory/264-156-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1820-168-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1820-171-0x0000000006260000-0x00000000062F2000-memory.dmp

Filesize
584KB

Download
memory/1820-163-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/1820-164-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/1820-165-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/1820-166-0x0000000005430000-0x000000000546C000-memory.dmp

Filesize
240KB

Download
memory/1820-174-0x00000000074D0000-0x00000000079FC000-memory.dmp

Filesize
5.2MB

Download
memory/1820-173-0x0000000006DD0000-0x0000000006F92000-memory.dmp

Filesize
1.8MB

Download
memory/1820-169-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1820-170-0x0000000006650000-0x0000000006BF4000-memory.dmp

Filesize
5.6MB

Download
memory/1820-162-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/1820-172-0x0000000006370000-0x00000000063D6000-memory.dmp

Filesize
408KB

Download
memory/2336-154-0x0000000000CC0000-0x0000000000D86000-memory.dmp

Filesize
792KB

Download
memory/2336-155-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download