redline | 0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef

Analysis

max time kernel
126s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
Size

1.1MB
MD5

540d13527238f444eafe19b39ebba972
SHA1

c08f66cb8d4890250a3565f176f022533db626e3
SHA256

0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef
SHA512

907cee6afd970cecfb6f2756932c353c4f889e045fb0ebaf448a6888675dcfb72a3a50338939fe62e0f0aa8196aaf0cecbd9f33a1ffd771aa250908ba94319b8
SSDEEP

24576:ayNGNvIKIcX8X3B8S6wpYKtJCicwAKQT46Nx9pJ:hawYsX3uCYKt5cKv+zp

Score

10^/10

redline desto infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

desto

185.161.248.75:4132

Attributes

auth_value
9170d4ae7d11eaa24684a71b73bf9c86

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1036	x1137707.exe
1896	x7129494.exe
1672	f8994510.exe

Loads dropped DLL 6 IoCs

pid	Process
1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
1036	x1137707.exe
1036	x1137707.exe
1896	x7129494.exe
1896	x7129494.exe
1672	f8994510.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1137707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1137707.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7129494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7129494.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1704 wrote to memory of 1036	1704	0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe	26
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1036 wrote to memory of 1896	1036	x1137707.exe	27
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28
PID 1896 wrote to memory of 1672	1896	x7129494.exe	28

C:\Users\Admin\AppData\Local\Temp\0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe
"C:\Users\Admin\AppData\Local\Temp\0602b484bdcc0ae74012137ba3833201402c094f600d6a3cdabe47c9c9e107ef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1137707.exe

Filesize
749KB

MD5
f0455a9162620817936ce66c5bb9d2f6

SHA1
13f2465faaf837db89d4784065c6fa5b0ab009e7

SHA256
8c92c056562d9a9c7c777b8f8b11e205ee818979bb05c835c9a9d4ca2e659325

SHA512
737c4f630241665310be2f50dd06b4e732cef78211c9a56ecfb09671611aaf1789b32903e6e2a72f8800da58450db719732fd935ae8f544e97f96fff814e95a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7129494.exe

Filesize
305KB

MD5
bdc26ad934a32d9072681548e97c86e9

SHA1
3d8699e0e04461fa2e1d0a17ba0b60f4ec2ae78a

SHA256
e6cc2d8bd8006a9495b868918e2d09c7b52933b9ea6328d2e1ddafdb6dccf849

SHA512
4c20fead08a3137a17dedca9019dd24cf04ec76ba8f1799c1aaf9913932529f9e474959616998405868f258b734b15684e90e7b3c88241f81a5b53deaf1dfb7e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8994510.exe

Filesize
145KB

MD5
802d402f939fa8d10ae65127fcb1f931

SHA1
bfa5578a764f69674a27e21fd170f68b7fe42f82

SHA256
17c9c5bde303138e55c1f2dbf2a7d20dfb22470dfa4b78684ff395469099442b

SHA512
fb05c532dd57933d8c5d86208bcc0e9273b79dc50d17a1398717f71bd4b3a86f574e653e2a88d532baffa13588f35282e858f4f5a5f0322aaa06e49fb0529e14

Download Submit
memory/1672-84-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/1672-85-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download
memory/1672-86-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download