redline | 3de6feab0f88fea9cf115ca6d02d0a0194f7f5bd744ddb7645f0510404d86306

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe
Size

575KB
MD5

09b8353ba30da7abd836ea8b2bce535e
SHA1

ee3a106546f8e19477b91463685b75a4c161de56
SHA256

4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f
SHA512

82fbe09471c47202062ecc3c1a746612fbea5b6f6ab9a07273812bfff5839fb1d008f2f08d42731710f6045981834e5297099804df684c24cce99a294fe3bc58
SSDEEP

12288:SMrUy905YmSPZYR0J0UkAswi8fOm1UrEBIITGxwbT5tC5QG4W:Syj7xgI0U5hWu2E/TGk3ha

Score

10^/10

redline doro infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doro

83.97.73.129:19068

Attributes

auth_value
03f411441fb3fa233179c2cc8ffbce27

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

x7997052.exex2775179.exef4448096.exe

pid process

1180 x7997052.exe
1108 x2775179.exe
972 f4448096.exe

pid	process
1180	x7997052.exe
1108	x2775179.exe
972	f4448096.exe

Loads dropped DLL 6 IoCs

Processes:

4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exex7997052.exex2775179.exef4448096.exe

pid	process
1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe
1180	x7997052.exe
1180	x7997052.exe
1108	x2775179.exe
1108	x2775179.exe
972	f4448096.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x7997052.exex2775179.exe4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7997052.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2775179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2775179.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7997052.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exex7997052.exex2775179.exe

description	pid	process	target process
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1416 wrote to memory of 1180	1416	4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe	x7997052.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1180 wrote to memory of 1108	1180	x7997052.exe	x2775179.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe
PID 1108 wrote to memory of 972	1108	x2775179.exe	f4448096.exe

C:\Users\Admin\AppData\Local\Temp\4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe
"C:\Users\Admin\AppData\Local\Temp\4fe304e1ceef6b6a6cd174669f74707f5d832911fc7cbc6a07e50c84d1703c4f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
Filesize
378KB

MD5
0110e17345722275a79b33512fd08a1e

SHA1
19569530e6cf2352262bbfc58a8753d8994268e2

SHA256
d31e9242158b73e8a0d26938f1a53291ed6c4d5f8e6584e2ba42675da719661c

SHA512
28163b22d15df29afe843b980256c23f188762dd1e4ba3520389dd5b9fbbf5621693039af0ed56b2c597f11a7c1b0cd8be76012cfc8d06068b48bdf6bb42b3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
Filesize
378KB

MD5
0110e17345722275a79b33512fd08a1e

SHA1
19569530e6cf2352262bbfc58a8753d8994268e2

SHA256
d31e9242158b73e8a0d26938f1a53291ed6c4d5f8e6584e2ba42675da719661c

SHA512
28163b22d15df29afe843b980256c23f188762dd1e4ba3520389dd5b9fbbf5621693039af0ed56b2c597f11a7c1b0cd8be76012cfc8d06068b48bdf6bb42b3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
Filesize
206KB

MD5
9790e9cd65fac7da0725729f28dd28c7

SHA1
5b4238ad69f7091ccb81d111287c75eb9a47d707

SHA256
5883e38109d428172bd6f3b8d6dbd54af720ceed905169fca3e27ba49cb6512f

SHA512
44bbace7d4f5a539e5b9a6b3dba93d2d163b88ebdd1a10eb39fcee73c0d281eb4ba22cf538b5617494839d85309dec5e15b8c5647c1cd48c8132a03966cabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
Filesize
206KB

MD5
9790e9cd65fac7da0725729f28dd28c7

SHA1
5b4238ad69f7091ccb81d111287c75eb9a47d707

SHA256
5883e38109d428172bd6f3b8d6dbd54af720ceed905169fca3e27ba49cb6512f

SHA512
44bbace7d4f5a539e5b9a6b3dba93d2d163b88ebdd1a10eb39fcee73c0d281eb4ba22cf538b5617494839d85309dec5e15b8c5647c1cd48c8132a03966cabebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
Filesize
173KB

MD5
803fa534497b7e04bdb37bd1aa947ba0

SHA1
ed45a9a9e35576fdb8e77bf8a97e2c53cea29910

SHA256
74da9f8644d4b8c20321b15dae05dc52b9fc78e451127174633b253cf55bc36d

SHA512
63338f6c19b6a7b452bc6e9caf2123005025fe5432a5c491b506e4d7c0894220730d279a559b7e64d65d47583c7c9c0fdb6d90fcb859d62fe3d62c9368d91db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
Filesize
173KB

MD5
803fa534497b7e04bdb37bd1aa947ba0

SHA1
ed45a9a9e35576fdb8e77bf8a97e2c53cea29910

SHA256
74da9f8644d4b8c20321b15dae05dc52b9fc78e451127174633b253cf55bc36d

SHA512
63338f6c19b6a7b452bc6e9caf2123005025fe5432a5c491b506e4d7c0894220730d279a559b7e64d65d47583c7c9c0fdb6d90fcb859d62fe3d62c9368d91db8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
Filesize
378KB

MD5
0110e17345722275a79b33512fd08a1e

SHA1
19569530e6cf2352262bbfc58a8753d8994268e2

SHA256
d31e9242158b73e8a0d26938f1a53291ed6c4d5f8e6584e2ba42675da719661c

SHA512
28163b22d15df29afe843b980256c23f188762dd1e4ba3520389dd5b9fbbf5621693039af0ed56b2c597f11a7c1b0cd8be76012cfc8d06068b48bdf6bb42b3f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7997052.exe
Filesize
378KB

MD5
0110e17345722275a79b33512fd08a1e

SHA1
19569530e6cf2352262bbfc58a8753d8994268e2

SHA256
d31e9242158b73e8a0d26938f1a53291ed6c4d5f8e6584e2ba42675da719661c

SHA512
28163b22d15df29afe843b980256c23f188762dd1e4ba3520389dd5b9fbbf5621693039af0ed56b2c597f11a7c1b0cd8be76012cfc8d06068b48bdf6bb42b3f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
Filesize
206KB

MD5
9790e9cd65fac7da0725729f28dd28c7

SHA1
5b4238ad69f7091ccb81d111287c75eb9a47d707

SHA256
5883e38109d428172bd6f3b8d6dbd54af720ceed905169fca3e27ba49cb6512f

SHA512
44bbace7d4f5a539e5b9a6b3dba93d2d163b88ebdd1a10eb39fcee73c0d281eb4ba22cf538b5617494839d85309dec5e15b8c5647c1cd48c8132a03966cabebe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2775179.exe
Filesize
206KB

MD5
9790e9cd65fac7da0725729f28dd28c7

SHA1
5b4238ad69f7091ccb81d111287c75eb9a47d707

SHA256
5883e38109d428172bd6f3b8d6dbd54af720ceed905169fca3e27ba49cb6512f

SHA512
44bbace7d4f5a539e5b9a6b3dba93d2d163b88ebdd1a10eb39fcee73c0d281eb4ba22cf538b5617494839d85309dec5e15b8c5647c1cd48c8132a03966cabebe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
Filesize
173KB

MD5
803fa534497b7e04bdb37bd1aa947ba0

SHA1
ed45a9a9e35576fdb8e77bf8a97e2c53cea29910

SHA256
74da9f8644d4b8c20321b15dae05dc52b9fc78e451127174633b253cf55bc36d

SHA512
63338f6c19b6a7b452bc6e9caf2123005025fe5432a5c491b506e4d7c0894220730d279a559b7e64d65d47583c7c9c0fdb6d90fcb859d62fe3d62c9368d91db8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4448096.exe
Filesize
173KB

MD5
803fa534497b7e04bdb37bd1aa947ba0

SHA1
ed45a9a9e35576fdb8e77bf8a97e2c53cea29910

SHA256
74da9f8644d4b8c20321b15dae05dc52b9fc78e451127174633b253cf55bc36d

SHA512
63338f6c19b6a7b452bc6e9caf2123005025fe5432a5c491b506e4d7c0894220730d279a559b7e64d65d47583c7c9c0fdb6d90fcb859d62fe3d62c9368d91db8

Download Submit
memory/972-84-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download
memory/972-85-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/972-86-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/972-87-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download