redline | 78e79436b598b1afe0d6e69aab0a671afb9706836e2b93d35a04548dbf504440

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/06/2023, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e808da197cb294707a5ad9d65386a44.exe
Size

578KB
MD5

7e808da197cb294707a5ad9d65386a44
SHA1

699ce6566eb772774b285dc39e1fa1a242f2910f
SHA256

78e79436b598b1afe0d6e69aab0a671afb9706836e2b93d35a04548dbf504440
SHA512

667c0cfb3b39e177a46f2b43fb351757f0f69fbb854ee6e5e28f7c08cee14f1cfc0680b3435f8439ec843569a58851e470ca9fa7010a9c8754667a97fb3d87f1
SSDEEP

12288:2MrYy90MQ3WeMa934D+59BeCQvRy/b/gNP9b0r:ayg3WeM+JQ6b/gNlbq

Score

10^/10

redline doxa discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

doxa

83.97.73.129:19068

Attributes

auth_value
8cf5ba009458c73b014353d79d8422c6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1516	x3170736.exe
2032	x3254570.exe
1472	f6152220.exe

Loads dropped DLL 6 IoCs

pid	Process
1764	7e808da197cb294707a5ad9d65386a44.exe
1516	x3170736.exe
1516	x3170736.exe
2032	x3254570.exe
2032	x3254570.exe
1472	f6152220.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7e808da197cb294707a5ad9d65386a44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e808da197cb294707a5ad9d65386a44.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3170736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3170736.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3254570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3254570.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe
1472	f6152220.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	f6152220.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1764 wrote to memory of 1516	1764	7e808da197cb294707a5ad9d65386a44.exe	28
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 1516 wrote to memory of 2032	1516	x3170736.exe	29
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30
PID 2032 wrote to memory of 1472	2032	x3254570.exe	30

C:\Users\Admin\AppData\Local\Temp\7e808da197cb294707a5ad9d65386a44.exe
"C:\Users\Admin\AppData\Local\Temp\7e808da197cb294707a5ad9d65386a44.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe

Filesize
377KB

MD5
017479c71429f4622995b6083b86f062

SHA1
8a63515cc3210e9c42534841ca2c21bc882f397a

SHA256
6333cf467f728e1c17cf61d48f2ae4193ea77e149caf67dc4a08afdc7b34260a

SHA512
7be1f9e58691e8ec3f79a22666860facf25b4874ea5391747c8558548b3291ce5dbccec78302ec28cdbfe5b79238134cd5c3e0a27e0e229a63d472a48dcaae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe

Filesize
377KB

MD5
017479c71429f4622995b6083b86f062

SHA1
8a63515cc3210e9c42534841ca2c21bc882f397a

SHA256
6333cf467f728e1c17cf61d48f2ae4193ea77e149caf67dc4a08afdc7b34260a

SHA512
7be1f9e58691e8ec3f79a22666860facf25b4874ea5391747c8558548b3291ce5dbccec78302ec28cdbfe5b79238134cd5c3e0a27e0e229a63d472a48dcaae5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe

Filesize
206KB

MD5
df7cca585ee65bc9fa545a6905beca5f

SHA1
653bc03dcf593934956e3aa034b6c09e06dce290

SHA256
96e1fdf500a315bde556c85f7c18ba1056b51543568e39652fff0e60a2e88417

SHA512
9cba38148d054a123d3f2497035245cff0656d03dccffd1906565c2655d32ae2f4e1924b5818c586bc59a565ada852ee99780f617abdca1f1c7b2b3a4b1010e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe

Filesize
206KB

MD5
df7cca585ee65bc9fa545a6905beca5f

SHA1
653bc03dcf593934956e3aa034b6c09e06dce290

SHA256
96e1fdf500a315bde556c85f7c18ba1056b51543568e39652fff0e60a2e88417

SHA512
9cba38148d054a123d3f2497035245cff0656d03dccffd1906565c2655d32ae2f4e1924b5818c586bc59a565ada852ee99780f617abdca1f1c7b2b3a4b1010e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe

Filesize
172KB

MD5
842800c0fcc3d6aa6d1f666d9fae384f

SHA1
e9b3a93ecb1ebd17d85db90ef33ec6e8a2d9bcb5

SHA256
d9e14ffabd2fd29671f1e90711a7130b98b8288de30f276b802d3dcf3e2b66a5

SHA512
f3722a5f16c8c6f93f6c7067cd84140beb1ef8b1408db4f97cac161d8825e4ff7bb8f4cb9049c79c63451a56813d0781c630ca749bc7bb42b1262cb89abd0e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe

Filesize
172KB

MD5
842800c0fcc3d6aa6d1f666d9fae384f

SHA1
e9b3a93ecb1ebd17d85db90ef33ec6e8a2d9bcb5

SHA256
d9e14ffabd2fd29671f1e90711a7130b98b8288de30f276b802d3dcf3e2b66a5

SHA512
f3722a5f16c8c6f93f6c7067cd84140beb1ef8b1408db4f97cac161d8825e4ff7bb8f4cb9049c79c63451a56813d0781c630ca749bc7bb42b1262cb89abd0e19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe

Filesize
377KB

MD5
017479c71429f4622995b6083b86f062

SHA1
8a63515cc3210e9c42534841ca2c21bc882f397a

SHA256
6333cf467f728e1c17cf61d48f2ae4193ea77e149caf67dc4a08afdc7b34260a

SHA512
7be1f9e58691e8ec3f79a22666860facf25b4874ea5391747c8558548b3291ce5dbccec78302ec28cdbfe5b79238134cd5c3e0a27e0e229a63d472a48dcaae5f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3170736.exe

Filesize
377KB

MD5
017479c71429f4622995b6083b86f062

SHA1
8a63515cc3210e9c42534841ca2c21bc882f397a

SHA256
6333cf467f728e1c17cf61d48f2ae4193ea77e149caf67dc4a08afdc7b34260a

SHA512
7be1f9e58691e8ec3f79a22666860facf25b4874ea5391747c8558548b3291ce5dbccec78302ec28cdbfe5b79238134cd5c3e0a27e0e229a63d472a48dcaae5f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe

Filesize
206KB

MD5
df7cca585ee65bc9fa545a6905beca5f

SHA1
653bc03dcf593934956e3aa034b6c09e06dce290

SHA256
96e1fdf500a315bde556c85f7c18ba1056b51543568e39652fff0e60a2e88417

SHA512
9cba38148d054a123d3f2497035245cff0656d03dccffd1906565c2655d32ae2f4e1924b5818c586bc59a565ada852ee99780f617abdca1f1c7b2b3a4b1010e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3254570.exe

Filesize
206KB

MD5
df7cca585ee65bc9fa545a6905beca5f

SHA1
653bc03dcf593934956e3aa034b6c09e06dce290

SHA256
96e1fdf500a315bde556c85f7c18ba1056b51543568e39652fff0e60a2e88417

SHA512
9cba38148d054a123d3f2497035245cff0656d03dccffd1906565c2655d32ae2f4e1924b5818c586bc59a565ada852ee99780f617abdca1f1c7b2b3a4b1010e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe

Filesize
172KB

MD5
842800c0fcc3d6aa6d1f666d9fae384f

SHA1
e9b3a93ecb1ebd17d85db90ef33ec6e8a2d9bcb5

SHA256
d9e14ffabd2fd29671f1e90711a7130b98b8288de30f276b802d3dcf3e2b66a5

SHA512
f3722a5f16c8c6f93f6c7067cd84140beb1ef8b1408db4f97cac161d8825e4ff7bb8f4cb9049c79c63451a56813d0781c630ca749bc7bb42b1262cb89abd0e19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6152220.exe

Filesize
172KB

MD5
842800c0fcc3d6aa6d1f666d9fae384f

SHA1
e9b3a93ecb1ebd17d85db90ef33ec6e8a2d9bcb5

SHA256
d9e14ffabd2fd29671f1e90711a7130b98b8288de30f276b802d3dcf3e2b66a5

SHA512
f3722a5f16c8c6f93f6c7067cd84140beb1ef8b1408db4f97cac161d8825e4ff7bb8f4cb9049c79c63451a56813d0781c630ca749bc7bb42b1262cb89abd0e19

Download Submit
memory/1472-84-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/1472-85-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1472-86-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download