redline | 5ee968ec1e7b4f29b22c5fe2b00d3eb4c2934cabce68f92cef1c298ff6a96c41

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2023 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe
Size

789KB
MD5

88c935e2c3e1fc910cf1318b9e238671
SHA1

352f923cdca7589d97465d78aec359c0b5619f62
SHA256

e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f
SHA512

8c139f9843fc5afbe6769c6f9720ae8ac2d45d6e57f9b8d108d1b6cd93b28abd8eb67a49ecf3f59ded67bf82a6f92741b927076ffd22f1a0e58400a87fff26c2
SSDEEP

12288:0Mrry90Ap5bDJPCcg2/2X7hNx9Po7TrqjjyoKcyg+lKkRXdSnwWVEQ:fyP1PCGeL3o7PLcyg+j7SHX

Score

10^/10

redline joker infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

joker

83.97.73.130:19061

Attributes

auth_value
a98d303cc28bb3b32a23c59214ae3bc0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v1194131.exev3003135.exev0672124.exea2630861.exe

pid process

1856 v1194131.exe
2024 v3003135.exe
1228 v0672124.exe
1892 a2630861.exe

pid	process
1856	v1194131.exe
2024	v3003135.exe
1228	v0672124.exe
1892	a2630861.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v0672124.exee32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exev1194131.exev3003135.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0672124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0672124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1194131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1194131.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3003135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3003135.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exev1194131.exev3003135.exev0672124.exe

description	pid	process	target process
PID 4172 wrote to memory of 1856	4172	e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe	v1194131.exe
PID 4172 wrote to memory of 1856	4172	e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe	v1194131.exe
PID 4172 wrote to memory of 1856	4172	e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe	v1194131.exe
PID 1856 wrote to memory of 2024	1856	v1194131.exe	v3003135.exe
PID 1856 wrote to memory of 2024	1856	v1194131.exe	v3003135.exe
PID 1856 wrote to memory of 2024	1856	v1194131.exe	v3003135.exe
PID 2024 wrote to memory of 1228	2024	v3003135.exe	v0672124.exe
PID 2024 wrote to memory of 1228	2024	v3003135.exe	v0672124.exe
PID 2024 wrote to memory of 1228	2024	v3003135.exe	v0672124.exe
PID 1228 wrote to memory of 1892	1228	v0672124.exe	a2630861.exe
PID 1228 wrote to memory of 1892	1228	v0672124.exe	a2630861.exe
PID 1228 wrote to memory of 1892	1228	v0672124.exe	a2630861.exe

C:\Users\Admin\AppData\Local\Temp\e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe
"C:\Users\Admin\AppData\Local\Temp\e32d03b8206f29e5e3a4c35216e23e9c77162b341d4057ada8e8030073ff020f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1194131.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1194131.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003135.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003135.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0672124.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0672124.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2630861.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2630861.exe
5⤵
- Executes dropped EXE
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1194131.exe
Filesize
588KB

MD5
cf314fa58c9728d3da57875cfc333223

SHA1
ace40fbc174b5208cb928cc1ff734bc3fcda8412

SHA256
7f19a02276346dc574dbac233458e0db68db616dc9b779d0edeac1e5f70fa1e0

SHA512
424c533da52ac8189bfaa95ed120d4c76567c4de27c0bf86ccd323469b58a2d24ef004b3af5e3719997ee4d1a5fffb0bb61bafa505c35f6a4a56080f41923af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1194131.exe
Filesize
588KB

MD5
cf314fa58c9728d3da57875cfc333223

SHA1
ace40fbc174b5208cb928cc1ff734bc3fcda8412

SHA256
7f19a02276346dc574dbac233458e0db68db616dc9b779d0edeac1e5f70fa1e0

SHA512
424c533da52ac8189bfaa95ed120d4c76567c4de27c0bf86ccd323469b58a2d24ef004b3af5e3719997ee4d1a5fffb0bb61bafa505c35f6a4a56080f41923af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003135.exe
Filesize
416KB

MD5
35f68434c640e3c4767329bc75d6586b

SHA1
299bd595a097b658ddbd53d305631ffb3ae38179

SHA256
afa4a85eb59d67f53b77081e2e9f8b3105820639675567943b2f52970803b874

SHA512
05f7cfab8623b7aef67cd2fcacaac6caabc4546215e3cc6e635fc18db255e9e6fd5d57483fed4af5f24bae0020338418c185b9bad95f34dda5c38b4439825603

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003135.exe
Filesize
416KB

MD5
35f68434c640e3c4767329bc75d6586b

SHA1
299bd595a097b658ddbd53d305631ffb3ae38179

SHA256
afa4a85eb59d67f53b77081e2e9f8b3105820639675567943b2f52970803b874

SHA512
05f7cfab8623b7aef67cd2fcacaac6caabc4546215e3cc6e635fc18db255e9e6fd5d57483fed4af5f24bae0020338418c185b9bad95f34dda5c38b4439825603

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0672124.exe
Filesize
261KB

MD5
565bd1b9bc0db65e7b36e0b4a6f34cee

SHA1
29e00e0caee4aa7d8120eaaf1d6a16a36795c9b3

SHA256
ddac590b913eff716a7b7f74b5efb55045d89288e7f374c61db70cd6fa980aec

SHA512
03276ce996f6d88e0c3e4185171ed54ea3843264aed3eda16cdc9f615d62aa001ab51af16c5b4fe17b90802877e483d412ac06cbdb28b3d74099045385c9f1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0672124.exe
Filesize
261KB

MD5
565bd1b9bc0db65e7b36e0b4a6f34cee

SHA1
29e00e0caee4aa7d8120eaaf1d6a16a36795c9b3

SHA256
ddac590b913eff716a7b7f74b5efb55045d89288e7f374c61db70cd6fa980aec

SHA512
03276ce996f6d88e0c3e4185171ed54ea3843264aed3eda16cdc9f615d62aa001ab51af16c5b4fe17b90802877e483d412ac06cbdb28b3d74099045385c9f1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2630861.exe
Filesize
256KB

MD5
98f6ffea625674043b230a2f1143e555

SHA1
69a7f9b6b502a4f2ec681296cd183e2b1e9a93cf

SHA256
3c5cd68ceb2e5397b1f4cfd9db927d1ce62c0564f205615544dacc8562ca532f

SHA512
1ca3954717cfedec7b0e631de6d082c9c2f820fce4b42618c81e854bea81eb338e77b5e7aeeca6f7e1140ab72034407bee43de2864991590b86a5bd38b2e018b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2630861.exe
Filesize
256KB

MD5
98f6ffea625674043b230a2f1143e555

SHA1
69a7f9b6b502a4f2ec681296cd183e2b1e9a93cf

SHA256
3c5cd68ceb2e5397b1f4cfd9db927d1ce62c0564f205615544dacc8562ca532f

SHA512
1ca3954717cfedec7b0e631de6d082c9c2f820fce4b42618c81e854bea81eb338e77b5e7aeeca6f7e1140ab72034407bee43de2864991590b86a5bd38b2e018b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2630861.exe
Filesize
256KB

MD5
98f6ffea625674043b230a2f1143e555

SHA1
69a7f9b6b502a4f2ec681296cd183e2b1e9a93cf

SHA256
3c5cd68ceb2e5397b1f4cfd9db927d1ce62c0564f205615544dacc8562ca532f

SHA512
1ca3954717cfedec7b0e631de6d082c9c2f820fce4b42618c81e854bea81eb338e77b5e7aeeca6f7e1140ab72034407bee43de2864991590b86a5bd38b2e018b

Download Submit
memory/1892-161-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1892-165-0x0000000009E90000-0x000000000A4A8000-memory.dmp

Filesize
6.1MB

Download
memory/1892-166-0x000000000A4D0000-0x000000000A5DA000-memory.dmp

Filesize
1.0MB

Download
memory/1892-167-0x000000000A610000-0x000000000A622000-memory.dmp

Filesize
72KB

Download
memory/1892-168-0x000000000A630000-0x000000000A66C000-memory.dmp

Filesize
240KB

Download
memory/1892-169-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1892-170-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download