Analysis
  max time kernel: 294s
  max time network: 298s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 29/05/2023, 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
  Resource: win10-20230220-en
General
  Target: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
  Size: 760KB
  MD5: 13e20284ca88bd97247c9f9c7c669c29
  SHA1: 1b28f7a71df60402fe9fc6a49f38b17dc8501700
  SHA256: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795
  SHA512: 125fbb6a0d246bcaa1db02bf0943d2459f974635a8861fa8eabed9cd8c3da85377dc90be5e3b689bb42dac760ec9103d16c62a8fdd517e8712b7b907f3fb80da
  SSDEEP: 12288:vMrIy90pyJ0Y+YVY+ZZOR0fUBN542JHL6aQQ3n/7j3w0QKmzgboGyiM8rt3TQEN:PyoY7Zc1O2JHLp/nP3w0QKmzg5JyEN
Malware Config
  Extracted
    Family: redline
    Botnet: dura
    C2: 83.97.73.127:19062
    auth_value: 44b7d6fb9572dea0d64d018139c3d208
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (3 IoCs)
  pid   Process
  916   x7050235.exe
  1484  x8170986.exe
  768   f0845043.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1232  8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
  916   x7050235.exe
  916   x7050235.exe
  1484  x8170986.exe
  1484  x8170986.exe
  768   f0845043.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: x7050235.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x7050235.exe)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: x8170986.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: x8170986.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1232 wrote to memory of 916    1232  8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe  28  (7 identical entries)
  PID 916 wrote to memory of 1484    916   x7050235.exe                                                            29  (7 identical entries)
  PID 1484 wrote to memory of 768    1484  x8170986.exe                                                            30  (7 identical entries)
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe (PID 1232)
      command line: "C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe (PID 916)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe (PID 1484)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe (PID 768)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 445KB
  MD5: dfb11b06e6627ebf02aff75abbb0363a
  SHA1: b128c31ba451b968ceb14cabc6f646158f1b2279
  SHA256: f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e
  SHA512: cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102
Filesize: 274KB
  MD5: dc2c7aa2ec3c34956b500b4aefe42f05
  SHA1: e922cd78240e346e120941bdc0ec5c2dd44242cc
  SHA256: 9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117
  SHA512: 75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35
Filesize: 145KB
  MD5: 7afca2ca9835921bf38a27cb798befef
  SHA1: 5e68110bdbff8fc5eefaa1810d89c7e485bb90a4
  SHA256: f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f
  SHA512: 2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a