redline | 8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795

Analysis

max time kernel
294s
max time network
298s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/05/2023, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Size

760KB
MD5

13e20284ca88bd97247c9f9c7c669c29
SHA1

1b28f7a71df60402fe9fc6a49f38b17dc8501700
SHA256

8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795
SHA512

125fbb6a0d246bcaa1db02bf0943d2459f974635a8861fa8eabed9cd8c3da85377dc90be5e3b689bb42dac760ec9103d16c62a8fdd517e8712b7b907f3fb80da
SSDEEP

12288:vMrIy90pyJ0Y+YVY+ZZOR0fUBN542JHL6aQQ3n/7j3w0QKmzgboGyiM8rt3TQEN:PyoY7Zc1O2JHLp/nP3w0QKmzg5JyEN

Score

10^/10

redline dura infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dura

83.97.73.127:19062

Attributes

auth_value
44b7d6fb9572dea0d64d018139c3d208

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
916	x7050235.exe
1484	x8170986.exe
768	f0845043.exe

Loads dropped DLL 6 IoCs

pid	Process
1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
916	x7050235.exe
916	x7050235.exe
1484	x8170986.exe
1484	x8170986.exe
768	f0845043.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7050235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7050235.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8170986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8170986.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 1232 wrote to memory of 916	1232	8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe	28
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 916 wrote to memory of 1484	916	x7050235.exe	29
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30
PID 1484 wrote to memory of 768	1484	x8170986.exe	30

C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe
"C:\Users\Admin\AppData\Local\Temp\8ab5674fcc3c9b4a0d509c4c14c231f581ef308a8af2dcf373ba492ba0639795.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7050235.exe

Filesize
445KB

MD5
dfb11b06e6627ebf02aff75abbb0363a

SHA1
b128c31ba451b968ceb14cabc6f646158f1b2279

SHA256
f99e1d5a31cf2dff9f47423cb89c87bd43c5194ddb8e84bf257ccf425526e81e

SHA512
cab5446c5e7740235aa4a474b83f749726ba93bda634287eb20cd7c1954a4b8c15755c8d54148b217127a4135002ba0d4526e240923fa14ff063e8bc85434102

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8170986.exe

Filesize
274KB

MD5
dc2c7aa2ec3c34956b500b4aefe42f05

SHA1
e922cd78240e346e120941bdc0ec5c2dd44242cc

SHA256
9a199c84d052c9f04733f41de2031f98140a649db8d7a8547fcef3ca9545f117

SHA512
75af21b1b126943443c86c9d6802b9183dc310ca126ca31e529acc7c921c38aa495fe4788fa50b73944be77e9cd8cf67e9a57e509d8921651529fa7900e4fd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0845043.exe

Filesize
145KB

MD5
7afca2ca9835921bf38a27cb798befef

SHA1
5e68110bdbff8fc5eefaa1810d89c7e485bb90a4

SHA256
f0ca17800e5cb039dbaf698e81c0027576fd7482ac459ff6f02b1f3f843a6c2f

SHA512
2f1cd6dcaff93be80b3f66d9ffec3ff5083c9089ccab931f8a5b9cf2e6941ce5d20f7bf720903a7da9a018a431568899783da84499c3f9c8dd660d8fff3c2b5a

Download Submit
memory/768-84-0x0000000000DE0000-0x0000000000E0A000-memory.dmp

Filesize
168KB

Download
memory/768-85-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download