redline | 3f0c1954ba094353d98983ca0bf2a6c61ca44493979a26575ba5e7c79d7fdd5d

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f0c1954ba094353d98983ca0.exe
Size

518KB
MD5

61d613c738b706df26c0dd7f90fe3342
SHA1

5a9c798d5f99b39b95bc0ebeba9c062e2aeca3a8
SHA256

3f0c1954ba094353d98983ca0bf2a6c61ca44493979a26575ba5e7c79d7fdd5d
SHA512

dfaccf35e01330457e887de24cba5824feb6e43ab49f4dc074386df5cc1b55c538698b7ffc9e2e4380429589cdfeb22b74929405c382201739539cbd334253eb
SSDEEP

6144:RaEXZjpxfvECAFbmaklCdnQgMy7PyMbjYOkYOWRbHR6Hv+9/57wYc5KAWyEagKsV:8EXpfvfaRdnQg97DjYyNR7gvL0ffxlFb

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1888	x4172374.exe
4812	f9638695.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3f0c1954ba094353d98983ca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f0c1954ba094353d98983ca0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4172374.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4172374.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1888	2816	3f0c1954ba094353d98983ca0.exe	86
PID 2816 wrote to memory of 1888	2816	3f0c1954ba094353d98983ca0.exe	86
PID 2816 wrote to memory of 1888	2816	3f0c1954ba094353d98983ca0.exe	86
PID 1888 wrote to memory of 4812	1888	x4172374.exe	87
PID 1888 wrote to memory of 4812	1888	x4172374.exe	87
PID 1888 wrote to memory of 4812	1888	x4172374.exe	87

C:\Users\Admin\AppData\Local\Temp\3f0c1954ba094353d98983ca0.exe
"C:\Users\Admin\AppData\Local\Temp\3f0c1954ba094353d98983ca0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe
    3⤵
    - Executes dropped EXE
    PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4172374.exe

Filesize
331KB

MD5
27fcfcdbfb87189d84d9115265799f48

SHA1
ca6252e521c074cfcd60261ef182e12e226ca1ca

SHA256
22aebbdbb7eac798c78f637176d47fcff96a9b558a5d14701c4d4bf85c770efb

SHA512
1b3d0b08b71e03ea7dcd0a3e03c4716a078fb5ffb6c047dbbc867b25fdece1ac71f15b3f2ab7e172995d1cd50effa1ef6dde7bd70609c3660a178e39a0ee57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9638695.exe

Filesize
257KB

MD5
a3aa832b69a85d19b3c6bcc3c84de06b

SHA1
329df718d6b025fa7498c4c3b648a28d42661053

SHA256
992f7b8b25a606580e7a403098725d32f7855409450fc676ca80257e0f13c378

SHA512
31db74ad660ee1f9ae576a06f25e9d438da4cfcbf331785423d38d6eade21bf610c92e41e680105263732547a7f0c4c0b28df7320776028be6bc849e9194fe0c

Download Submit
memory/2816-133-0x00000000006F0000-0x0000000000761000-memory.dmp

Filesize
452KB

Download
memory/4812-153-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/4812-157-0x000000000A0D0000-0x000000000A6E8000-memory.dmp

Filesize
6.1MB

Download
memory/4812-158-0x000000000A760000-0x000000000A86A000-memory.dmp

Filesize
1.0MB

Download
memory/4812-159-0x000000000A8A0000-0x000000000A8B2000-memory.dmp

Filesize
72KB

Download
memory/4812-160-0x000000000A8C0000-0x000000000A8FC000-memory.dmp

Filesize
240KB

Download
memory/4812-161-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4812-162-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download