redline | 3f0c1954ba094353d98983ca0bf2a6c61ca44493979a26575ba5e7c79d7fdd5d

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0c1954ba094353d98983ca0.exe
Size

518KB
MD5

61d613c738b706df26c0dd7f90fe3342
SHA1

5a9c798d5f99b39b95bc0ebeba9c062e2aeca3a8
SHA256

3f0c1954ba094353d98983ca0bf2a6c61ca44493979a26575ba5e7c79d7fdd5d
SHA512

dfaccf35e01330457e887de24cba5824feb6e43ab49f4dc074386df5cc1b55c538698b7ffc9e2e4380429589cdfeb22b74929405c382201739539cbd334253eb
SSDEEP

6144:RaEXZjpxfvECAFbmaklCdnQgMy7PyMbjYOkYOWRbHR6Hv+9/57wYc5KAWyEagKsV:8EXpfvfaRdnQg97DjYyNR7gvL0ffxlFb

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3048	x4172374.exe
1460	f9638695.exe

Loads dropped DLL 5 IoCs

pid	Process
2400	3f0c1954ba094353d98983ca0.exe
3048	x4172374.exe
3048	x4172374.exe
3048	x4172374.exe
1460	f9638695.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3f0c1954ba094353d98983ca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f0c1954ba094353d98983ca0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4172374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4172374.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 2400 wrote to memory of 3048	2400	3f0c1954ba094353d98983ca0.exe	30
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31
PID 3048 wrote to memory of 1460	3048	x4172374.exe	31

C:\Users\Admin\AppData\Local\Temp\3f0c1954ba094353d98983ca0.exe
"C:\Users\Admin\AppData\Local\Temp\3f0c1954ba094353d98983ca0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
memory/1460-83-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/1460-87-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/1460-88-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1460-89-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2400-54-0x0000000000310000-0x0000000000381000-memory.dmp

Filesize
452KB

Download