redline | ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a

Analysis

max time kernel
299s
max time network
302s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe
Size

767KB
MD5

b1e5a84e6ef60ceb6a69f8adb8fd445a
SHA1

3d57040bf0bd343223aea1c31084880f82d68bf0
SHA256

ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a
SHA512

ed74cc51427cc613e2566fbea06bc7b678566c60af0b58a7daaeccc5be336c3024cbcba506f9f7607d7b6311a9230b3155c7365ca8bb03eda0b7ba26e78ef2a9
SSDEEP

12288:1MrRy90TIrpHnL3CNKfYZrNI9IXgTe03nwsD1RR/CFNyz3evGkBGInM8tIW+4EnM:cyFtH8RZrG+gTeY17RCF23eukoIM81+m

Score

10^/10

redline dina infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dina

83.97.73.122:19062

Attributes

auth_value
4f77073adc624269de1bff760b9bc471

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2020	x4272460.exe
988	x5946289.exe
864	f2162454.exe

Loads dropped DLL 6 IoCs

pid	Process
1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe
2020	x4272460.exe
2020	x4272460.exe
988	x5946289.exe
988	x5946289.exe
864	f2162454.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4272460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4272460.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5946289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5946289.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 1204 wrote to memory of 2020	1204	ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe	27
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 2020 wrote to memory of 988	2020	x4272460.exe	28
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29
PID 988 wrote to memory of 864	988	x5946289.exe	29

C:\Users\Admin\AppData\Local\Temp\ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe
"C:\Users\Admin\AppData\Local\Temp\ded37aa507056d90841c0d326d36803e70dc2fc8d006246088eb0507f10f125a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe

Filesize
448KB

MD5
80573fe2ca87b5e36689624911454213

SHA1
092664b78e3520fce3953ca30b6c3028d1905985

SHA256
2df0928ddd59c55bd2f5058195b5d8041d4252f285e40edd3aeb6243d121e4f7

SHA512
b595059b1bbaf33d90d611a4b699c84ac2c1dfbb18f9d6558b72ccd2ae5cb9bb9bca9c6b02dbdf29dfa18ac6af593a91cf1b9bf6ae30ac6d96bbc2c84e546349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe

Filesize
448KB

MD5
80573fe2ca87b5e36689624911454213

SHA1
092664b78e3520fce3953ca30b6c3028d1905985

SHA256
2df0928ddd59c55bd2f5058195b5d8041d4252f285e40edd3aeb6243d121e4f7

SHA512
b595059b1bbaf33d90d611a4b699c84ac2c1dfbb18f9d6558b72ccd2ae5cb9bb9bca9c6b02dbdf29dfa18ac6af593a91cf1b9bf6ae30ac6d96bbc2c84e546349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe

Filesize
277KB

MD5
1745a31d97da754d21981853f9eaed61

SHA1
e52685baa235242c512f4ae95b391ba7c34735e3

SHA256
c525445ec5aa927352296174dadbce13064f90ac91dd0c41a35bd137356021aa

SHA512
41d4efede18d3eca6d9185a086f1d3a00900710a3ae782525212e41527f92929bfe9f65855361aeb5ddc681ee4886baf09d407e5e304e19b665637f282bbb4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe

Filesize
277KB

MD5
1745a31d97da754d21981853f9eaed61

SHA1
e52685baa235242c512f4ae95b391ba7c34735e3

SHA256
c525445ec5aa927352296174dadbce13064f90ac91dd0c41a35bd137356021aa

SHA512
41d4efede18d3eca6d9185a086f1d3a00900710a3ae782525212e41527f92929bfe9f65855361aeb5ddc681ee4886baf09d407e5e304e19b665637f282bbb4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe

Filesize
145KB

MD5
63bfdd738fe52bb9d803d60df884ec25

SHA1
9fd801bc486e8c9dd7ce056b83f64113087ab9cc

SHA256
d49e449839d29ece29272b8e2b0ec0d0eac9d7f951b94471398d51d9c6e5fa02

SHA512
47c782da436122d7cdcda4207357bc14f48c5a8ebd4c25ebe344be6ed0b44f9edf56bd91fabbf399a67b7e3d365adb5821de60edce17556e35336c16ccfa4fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe

Filesize
145KB

MD5
63bfdd738fe52bb9d803d60df884ec25

SHA1
9fd801bc486e8c9dd7ce056b83f64113087ab9cc

SHA256
d49e449839d29ece29272b8e2b0ec0d0eac9d7f951b94471398d51d9c6e5fa02

SHA512
47c782da436122d7cdcda4207357bc14f48c5a8ebd4c25ebe344be6ed0b44f9edf56bd91fabbf399a67b7e3d365adb5821de60edce17556e35336c16ccfa4fdd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe

Filesize
448KB

MD5
80573fe2ca87b5e36689624911454213

SHA1
092664b78e3520fce3953ca30b6c3028d1905985

SHA256
2df0928ddd59c55bd2f5058195b5d8041d4252f285e40edd3aeb6243d121e4f7

SHA512
b595059b1bbaf33d90d611a4b699c84ac2c1dfbb18f9d6558b72ccd2ae5cb9bb9bca9c6b02dbdf29dfa18ac6af593a91cf1b9bf6ae30ac6d96bbc2c84e546349

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4272460.exe

Filesize
448KB

MD5
80573fe2ca87b5e36689624911454213

SHA1
092664b78e3520fce3953ca30b6c3028d1905985

SHA256
2df0928ddd59c55bd2f5058195b5d8041d4252f285e40edd3aeb6243d121e4f7

SHA512
b595059b1bbaf33d90d611a4b699c84ac2c1dfbb18f9d6558b72ccd2ae5cb9bb9bca9c6b02dbdf29dfa18ac6af593a91cf1b9bf6ae30ac6d96bbc2c84e546349

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe

Filesize
277KB

MD5
1745a31d97da754d21981853f9eaed61

SHA1
e52685baa235242c512f4ae95b391ba7c34735e3

SHA256
c525445ec5aa927352296174dadbce13064f90ac91dd0c41a35bd137356021aa

SHA512
41d4efede18d3eca6d9185a086f1d3a00900710a3ae782525212e41527f92929bfe9f65855361aeb5ddc681ee4886baf09d407e5e304e19b665637f282bbb4af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5946289.exe

Filesize
277KB

MD5
1745a31d97da754d21981853f9eaed61

SHA1
e52685baa235242c512f4ae95b391ba7c34735e3

SHA256
c525445ec5aa927352296174dadbce13064f90ac91dd0c41a35bd137356021aa

SHA512
41d4efede18d3eca6d9185a086f1d3a00900710a3ae782525212e41527f92929bfe9f65855361aeb5ddc681ee4886baf09d407e5e304e19b665637f282bbb4af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe

Filesize
145KB

MD5
63bfdd738fe52bb9d803d60df884ec25

SHA1
9fd801bc486e8c9dd7ce056b83f64113087ab9cc

SHA256
d49e449839d29ece29272b8e2b0ec0d0eac9d7f951b94471398d51d9c6e5fa02

SHA512
47c782da436122d7cdcda4207357bc14f48c5a8ebd4c25ebe344be6ed0b44f9edf56bd91fabbf399a67b7e3d365adb5821de60edce17556e35336c16ccfa4fdd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2162454.exe

Filesize
145KB

MD5
63bfdd738fe52bb9d803d60df884ec25

SHA1
9fd801bc486e8c9dd7ce056b83f64113087ab9cc

SHA256
d49e449839d29ece29272b8e2b0ec0d0eac9d7f951b94471398d51d9c6e5fa02

SHA512
47c782da436122d7cdcda4207357bc14f48c5a8ebd4c25ebe344be6ed0b44f9edf56bd91fabbf399a67b7e3d365adb5821de60edce17556e35336c16ccfa4fdd

Download Submit
memory/864-84-0x00000000000B0000-0x00000000000DA000-memory.dmp

Filesize
168KB

Download
memory/864-85-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download
memory/864-86-0x0000000005060000-0x00000000050A0000-memory.dmp

Filesize
256KB

Download