redline | 1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/06/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe
Size

578KB
MD5

e832ba64b351a225f1d6d090935f9551
SHA1

f82b5e704fa34d3bbaba34b6d29355afa0254029
SHA256

1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee
SHA512

c4b73173b278eb1902110354ff63854eaa9879d6867b3252a0c0fd08f381596e1708a8a700a7a100e4ec25b055f4c7ca7a04b3130973aa5f0b74187ba5867ac4
SSDEEP

12288:gMray90qWeAQXZ+usIHJBEN3KmRYg49fqM5eX9ij2n9ru5NYxbjpf:Ky4oZ+usIHjEXsDHqpUYxbNf

Score

10^/10

redline dasa infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dasa

83.97.73.126:19048

Attributes

auth_value
7eca6ed540c2dcd359aed5b67c4eda07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
936	x9680447.exe
568	x5426776.exe
432	f7305999.exe

Loads dropped DLL 6 IoCs

pid	Process
1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe
936	x9680447.exe
936	x9680447.exe
568	x5426776.exe
568	x5426776.exe
432	f7305999.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9680447.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5426776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5426776.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9680447.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 1408 wrote to memory of 936	1408	1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe	28
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 936 wrote to memory of 568	936	x9680447.exe	29
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30
PID 568 wrote to memory of 432	568	x5426776.exe	30

C:\Users\Admin\AppData\Local\Temp\1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe
"C:\Users\Admin\AppData\Local\Temp\1cb8f7d875e858bd44810f77fa8001653d978b3d320708dd6b6b309bb284dbee.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe

Filesize
377KB

MD5
509fff75d56676a3464181d17b56377a

SHA1
1c8a879230c81d226eef972d73aab54006468dfe

SHA256
5b25527c87b09ea5d0cb6f6794d8337772c92826b8711c445cb95b9ed9ce5e93

SHA512
c68be339bb603ec738787eb86a1e6732e3977e10c228a5b907ce4f6c605a9104791cddc9d10f9921816d02365987dedf02e6f94c8733a136d6e87fa4a5452ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe

Filesize
377KB

MD5
509fff75d56676a3464181d17b56377a

SHA1
1c8a879230c81d226eef972d73aab54006468dfe

SHA256
5b25527c87b09ea5d0cb6f6794d8337772c92826b8711c445cb95b9ed9ce5e93

SHA512
c68be339bb603ec738787eb86a1e6732e3977e10c228a5b907ce4f6c605a9104791cddc9d10f9921816d02365987dedf02e6f94c8733a136d6e87fa4a5452ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe

Filesize
206KB

MD5
64a03272a434e224dbcabd91f456cbd9

SHA1
26e1d161b3ba0c13983a608c41ba98d2f55f723d

SHA256
a04476205878a47396bc7cd6813ac581c0cbf41466475c0a354f827786a2e18c

SHA512
8328e18a18199a6acebfa787b0c3e7155991c1d64b045c6560e67d83af8d6ce6377eb076e60b2464af8b82bb3b83e4e10253aaf8e7d294893f9719f5927d0760

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe

Filesize
206KB

MD5
64a03272a434e224dbcabd91f456cbd9

SHA1
26e1d161b3ba0c13983a608c41ba98d2f55f723d

SHA256
a04476205878a47396bc7cd6813ac581c0cbf41466475c0a354f827786a2e18c

SHA512
8328e18a18199a6acebfa787b0c3e7155991c1d64b045c6560e67d83af8d6ce6377eb076e60b2464af8b82bb3b83e4e10253aaf8e7d294893f9719f5927d0760

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe

Filesize
172KB

MD5
5bbf47af705e7358db3499ad0d919d8f

SHA1
4d24e97b600825af763082074c35c88067021152

SHA256
5abe465be6e8aa968eb42a112a734065775aa68faa43b0dbd0124581d6288003

SHA512
2a73ce95ec8ce1dd849e5fe902f666a15ee84f3e5cc90a76fb03f719544d98a71677f7b3a9a9662beb2ae9f900e07ef25084175a4c35e172d7a8f5302700044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe

Filesize
172KB

MD5
5bbf47af705e7358db3499ad0d919d8f

SHA1
4d24e97b600825af763082074c35c88067021152

SHA256
5abe465be6e8aa968eb42a112a734065775aa68faa43b0dbd0124581d6288003

SHA512
2a73ce95ec8ce1dd849e5fe902f666a15ee84f3e5cc90a76fb03f719544d98a71677f7b3a9a9662beb2ae9f900e07ef25084175a4c35e172d7a8f5302700044b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe

Filesize
377KB

MD5
509fff75d56676a3464181d17b56377a

SHA1
1c8a879230c81d226eef972d73aab54006468dfe

SHA256
5b25527c87b09ea5d0cb6f6794d8337772c92826b8711c445cb95b9ed9ce5e93

SHA512
c68be339bb603ec738787eb86a1e6732e3977e10c228a5b907ce4f6c605a9104791cddc9d10f9921816d02365987dedf02e6f94c8733a136d6e87fa4a5452ab3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9680447.exe

Filesize
377KB

MD5
509fff75d56676a3464181d17b56377a

SHA1
1c8a879230c81d226eef972d73aab54006468dfe

SHA256
5b25527c87b09ea5d0cb6f6794d8337772c92826b8711c445cb95b9ed9ce5e93

SHA512
c68be339bb603ec738787eb86a1e6732e3977e10c228a5b907ce4f6c605a9104791cddc9d10f9921816d02365987dedf02e6f94c8733a136d6e87fa4a5452ab3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe

Filesize
206KB

MD5
64a03272a434e224dbcabd91f456cbd9

SHA1
26e1d161b3ba0c13983a608c41ba98d2f55f723d

SHA256
a04476205878a47396bc7cd6813ac581c0cbf41466475c0a354f827786a2e18c

SHA512
8328e18a18199a6acebfa787b0c3e7155991c1d64b045c6560e67d83af8d6ce6377eb076e60b2464af8b82bb3b83e4e10253aaf8e7d294893f9719f5927d0760

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5426776.exe

Filesize
206KB

MD5
64a03272a434e224dbcabd91f456cbd9

SHA1
26e1d161b3ba0c13983a608c41ba98d2f55f723d

SHA256
a04476205878a47396bc7cd6813ac581c0cbf41466475c0a354f827786a2e18c

SHA512
8328e18a18199a6acebfa787b0c3e7155991c1d64b045c6560e67d83af8d6ce6377eb076e60b2464af8b82bb3b83e4e10253aaf8e7d294893f9719f5927d0760

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe

Filesize
172KB

MD5
5bbf47af705e7358db3499ad0d919d8f

SHA1
4d24e97b600825af763082074c35c88067021152

SHA256
5abe465be6e8aa968eb42a112a734065775aa68faa43b0dbd0124581d6288003

SHA512
2a73ce95ec8ce1dd849e5fe902f666a15ee84f3e5cc90a76fb03f719544d98a71677f7b3a9a9662beb2ae9f900e07ef25084175a4c35e172d7a8f5302700044b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f7305999.exe

Filesize
172KB

MD5
5bbf47af705e7358db3499ad0d919d8f

SHA1
4d24e97b600825af763082074c35c88067021152

SHA256
5abe465be6e8aa968eb42a112a734065775aa68faa43b0dbd0124581d6288003

SHA512
2a73ce95ec8ce1dd849e5fe902f666a15ee84f3e5cc90a76fb03f719544d98a71677f7b3a9a9662beb2ae9f900e07ef25084175a4c35e172d7a8f5302700044b

Download Submit
memory/432-84-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/432-85-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/432-86-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download
memory/432-87-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download