redline | bb5446833553eb948d9cdf4b2751bfa08f681b326754256f8b2af862d4f66473

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe
Size

781KB
MD5

f125d452d4cfd90efa6ff0b4bc4e12c2
SHA1

1be18b41815ebdf4049bb53d290dce80df79e55a
SHA256

a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0
SHA512

a3832fd71e030eea72e6313a0e22108a1447d1e7b7065378de326ea25a26b53f1c6dd9655a9f0d3cbdb0c3b7482006631ca0c55749ac2f1a0d48d576b6de792e
SSDEEP

12288:7Mr1y90ba0iaHKGZ+lZ5gKHQHVDbtewrDNB3YzgjMNi0CS4TohKR9yaqnPFxmMxs:6yb0vH5ZE8Kutec8gz0hQJR8j8MG

Score

10^/10

redline boris infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

boris

83.97.73.129:19068

Attributes

auth_value
205e4fccc0f8c7da1d56fb1da4ac5e6a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v4588147.exev2961609.exev8635391.exea1011963.exe

pid process

2024 v4588147.exe
1996 v2961609.exe
1596 v8635391.exe
1100 a1011963.exe

pid	process
2024	v4588147.exe
1996	v2961609.exe
1596	v8635391.exe
1100	a1011963.exe

Loads dropped DLL 9 IoCs

Processes:

a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exev4588147.exev2961609.exev8635391.exea1011963.exe

pid	process
1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe
2024	v4588147.exe
2024	v4588147.exe
1996	v2961609.exe
1996	v2961609.exe
1596	v8635391.exe
1596	v8635391.exe
1596	v8635391.exe
1100	a1011963.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v4588147.exev2961609.exev8635391.exea8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4588147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4588147.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2961609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2961609.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8635391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8635391.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exev4588147.exev2961609.exev8635391.exe

description	pid	process	target process
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 1236 wrote to memory of 2024	1236	a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe	v4588147.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 2024 wrote to memory of 1996	2024	v4588147.exe	v2961609.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1996 wrote to memory of 1596	1996	v2961609.exe	v8635391.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe
PID 1596 wrote to memory of 1100	1596	v8635391.exe	a1011963.exe

C:\Users\Admin\AppData\Local\Temp\a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe
"C:\Users\Admin\AppData\Local\Temp\a8d25eebb258abb8283ec3124a7a95fc1c684665ce8869932591d4abfcf0a5a0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
Filesize
585KB

MD5
c4684488b1c24fb0f782e908c4e0cd0f

SHA1
637228c42d5e1f4251d5a6c86b708545827fe17e

SHA256
106978264ab240f5d5b53eb8402ab89f52afb483de6e65f3e530aa1cb015bd8e

SHA512
22fd0e8d56b8c44fe088e8c13c32b31ada7b57088bd97e4faa4246223c01b30509b43913735ee75c8bcbfc975b60805cbfa24078268e8edaa2206aec16fe5d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
Filesize
585KB

MD5
c4684488b1c24fb0f782e908c4e0cd0f

SHA1
637228c42d5e1f4251d5a6c86b708545827fe17e

SHA256
106978264ab240f5d5b53eb8402ab89f52afb483de6e65f3e530aa1cb015bd8e

SHA512
22fd0e8d56b8c44fe088e8c13c32b31ada7b57088bd97e4faa4246223c01b30509b43913735ee75c8bcbfc975b60805cbfa24078268e8edaa2206aec16fe5d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
Filesize
412KB

MD5
e4fb3f3eab0b555b9c7825f8c5f982f0

SHA1
2f75be7ebea9a629c5886aeea0cc90f7fcdefadf

SHA256
ef25243e78aa28e666cf07c9e6d88d836d1e5b8285e3a433a22051f9ef76b079

SHA512
fec43f7cb2e20820712fc6368bbb7e8dd789e8b7f9f01adcc7ab91e8456b39c1a0cd2187f793521dc72e1d6c99a93eea9cb077e230691abe609db7f9f63c8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
Filesize
412KB

MD5
e4fb3f3eab0b555b9c7825f8c5f982f0

SHA1
2f75be7ebea9a629c5886aeea0cc90f7fcdefadf

SHA256
ef25243e78aa28e666cf07c9e6d88d836d1e5b8285e3a433a22051f9ef76b079

SHA512
fec43f7cb2e20820712fc6368bbb7e8dd789e8b7f9f01adcc7ab91e8456b39c1a0cd2187f793521dc72e1d6c99a93eea9cb077e230691abe609db7f9f63c8ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
Filesize
257KB

MD5
19e7330a2837f28d363707744da4b26e

SHA1
7e6465127d97dc172d500f64159a48c152f31903

SHA256
0af630e666b49415d0d20a240d2dfc2e9e33532345005ca7bceb143e52b033a3

SHA512
46123a654ce64331485fe2f3fe202fc0e3bc8d309eb0527f6207c2e654e87e827bc3f189ba94d228ae82f625409ec791bede252af0bd2ae28a51063829554cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
Filesize
257KB

MD5
19e7330a2837f28d363707744da4b26e

SHA1
7e6465127d97dc172d500f64159a48c152f31903

SHA256
0af630e666b49415d0d20a240d2dfc2e9e33532345005ca7bceb143e52b033a3

SHA512
46123a654ce64331485fe2f3fe202fc0e3bc8d309eb0527f6207c2e654e87e827bc3f189ba94d228ae82f625409ec791bede252af0bd2ae28a51063829554cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
Filesize
585KB

MD5
c4684488b1c24fb0f782e908c4e0cd0f

SHA1
637228c42d5e1f4251d5a6c86b708545827fe17e

SHA256
106978264ab240f5d5b53eb8402ab89f52afb483de6e65f3e530aa1cb015bd8e

SHA512
22fd0e8d56b8c44fe088e8c13c32b31ada7b57088bd97e4faa4246223c01b30509b43913735ee75c8bcbfc975b60805cbfa24078268e8edaa2206aec16fe5d8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4588147.exe
Filesize
585KB

MD5
c4684488b1c24fb0f782e908c4e0cd0f

SHA1
637228c42d5e1f4251d5a6c86b708545827fe17e

SHA256
106978264ab240f5d5b53eb8402ab89f52afb483de6e65f3e530aa1cb015bd8e

SHA512
22fd0e8d56b8c44fe088e8c13c32b31ada7b57088bd97e4faa4246223c01b30509b43913735ee75c8bcbfc975b60805cbfa24078268e8edaa2206aec16fe5d8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
Filesize
412KB

MD5
e4fb3f3eab0b555b9c7825f8c5f982f0

SHA1
2f75be7ebea9a629c5886aeea0cc90f7fcdefadf

SHA256
ef25243e78aa28e666cf07c9e6d88d836d1e5b8285e3a433a22051f9ef76b079

SHA512
fec43f7cb2e20820712fc6368bbb7e8dd789e8b7f9f01adcc7ab91e8456b39c1a0cd2187f793521dc72e1d6c99a93eea9cb077e230691abe609db7f9f63c8ee5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2961609.exe
Filesize
412KB

MD5
e4fb3f3eab0b555b9c7825f8c5f982f0

SHA1
2f75be7ebea9a629c5886aeea0cc90f7fcdefadf

SHA256
ef25243e78aa28e666cf07c9e6d88d836d1e5b8285e3a433a22051f9ef76b079

SHA512
fec43f7cb2e20820712fc6368bbb7e8dd789e8b7f9f01adcc7ab91e8456b39c1a0cd2187f793521dc72e1d6c99a93eea9cb077e230691abe609db7f9f63c8ee5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
Filesize
257KB

MD5
19e7330a2837f28d363707744da4b26e

SHA1
7e6465127d97dc172d500f64159a48c152f31903

SHA256
0af630e666b49415d0d20a240d2dfc2e9e33532345005ca7bceb143e52b033a3

SHA512
46123a654ce64331485fe2f3fe202fc0e3bc8d309eb0527f6207c2e654e87e827bc3f189ba94d228ae82f625409ec791bede252af0bd2ae28a51063829554cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8635391.exe
Filesize
257KB

MD5
19e7330a2837f28d363707744da4b26e

SHA1
7e6465127d97dc172d500f64159a48c152f31903

SHA256
0af630e666b49415d0d20a240d2dfc2e9e33532345005ca7bceb143e52b033a3

SHA512
46123a654ce64331485fe2f3fe202fc0e3bc8d309eb0527f6207c2e654e87e827bc3f189ba94d228ae82f625409ec791bede252af0bd2ae28a51063829554cfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1011963.exe
Filesize
256KB

MD5
5b74240c2f7234c86d88f8e9da8087ea

SHA1
8cdb7c23698877013d86b9aea7a365093647a50b

SHA256
96868953b5191c237c764aa59d2822ac9066548597a6ea77a1017d7d0c8218fc

SHA512
a75c4425748f6447cbca2cfed2cea4d3617820b9b192928725af7c58a935582b27827127cd783c08e1019ca375d5ddefa296e32a9f9ebbc0ae8c9459b8d99ab5

Download Submit
memory/1100-97-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1100-101-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1100-102-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1100-103-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download