redline | 647feb7cc1e57303bad08c1584526218fa1564b1c56d6edfe999486bddcc90ac

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647feb7cc1e57303bad08c158.exe
Size

517KB
MD5

a839b1433c6cf133a9146a84dcf15a88
SHA1

278fdc62902264e6f5a759a1779c1282c68436d5
SHA256

647feb7cc1e57303bad08c1584526218fa1564b1c56d6edfe999486bddcc90ac
SHA512

621961ef07994499787d4c933cbbb0cd9e3b96372923a963a8a3202c720d5eec16d2d0e828227d37c29bec292b3281c0bf60cd256901709ac9e9ec79d87091ca
SSDEEP

12288:xf7afvbaRdnQgU+ps4QKrnPQE7mMSNYrHB4VUzSh:xf7wvb82gRu4Q6QEGYVYaSh

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
928	x7236569.exe
2628	f5956729.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	647feb7cc1e57303bad08c158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	647feb7cc1e57303bad08c158.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7236569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7236569.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 928	372	647feb7cc1e57303bad08c158.exe	85
PID 372 wrote to memory of 928	372	647feb7cc1e57303bad08c158.exe	85
PID 372 wrote to memory of 928	372	647feb7cc1e57303bad08c158.exe	85
PID 928 wrote to memory of 2628	928	x7236569.exe	86
PID 928 wrote to memory of 2628	928	x7236569.exe	86
PID 928 wrote to memory of 2628	928	x7236569.exe	86

C:\Users\Admin\AppData\Local\Temp\647feb7cc1e57303bad08c158.exe
"C:\Users\Admin\AppData\Local\Temp\647feb7cc1e57303bad08c158.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe
    3⤵
    - Executes dropped EXE
    PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe

Filesize
330KB

MD5
04bc97a35c3d7caa1647e9e5179f6cbb

SHA1
70ede62d1b92c1809c9655f2be4f6bcaead412e3

SHA256
57fea13a070a4abb8506d2bdc812e41e0fb6d76eb9e0fa11629c18dd9d764668

SHA512
ec1e0b0807adaf3c61c8f923bb899a532188667d9146d710aeb7fc8499bd87501d3745411b7784e0a086db8733c4d4bb0fb2fb171d2265ec57b9592c36c99951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7236569.exe

Filesize
330KB

MD5
04bc97a35c3d7caa1647e9e5179f6cbb

SHA1
70ede62d1b92c1809c9655f2be4f6bcaead412e3

SHA256
57fea13a070a4abb8506d2bdc812e41e0fb6d76eb9e0fa11629c18dd9d764668

SHA512
ec1e0b0807adaf3c61c8f923bb899a532188667d9146d710aeb7fc8499bd87501d3745411b7784e0a086db8733c4d4bb0fb2fb171d2265ec57b9592c36c99951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe

Filesize
257KB

MD5
a333dd015ad952957027816cf2f790fc

SHA1
abdfbcfb1ff9fed89418366d7c9ad7dc7a133617

SHA256
0b684f20909a64fb375b0960331f6da0494ac50cdcacc72a8c071c6b62f26762

SHA512
c80c430397374c84215fd1df7c5ed3df384fcdb3f260eecbd1e7df8e3c519953a1a278fc10bda060199b9d3245c85eb24572b3c5ff58601e22c1e1262c115e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f5956729.exe

Filesize
257KB

MD5
a333dd015ad952957027816cf2f790fc

SHA1
abdfbcfb1ff9fed89418366d7c9ad7dc7a133617

SHA256
0b684f20909a64fb375b0960331f6da0494ac50cdcacc72a8c071c6b62f26762

SHA512
c80c430397374c84215fd1df7c5ed3df384fcdb3f260eecbd1e7df8e3c519953a1a278fc10bda060199b9d3245c85eb24572b3c5ff58601e22c1e1262c115e03

Download Submit
memory/372-136-0x0000000000840000-0x00000000008B1000-memory.dmp

Filesize
452KB

Download
memory/2628-156-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2628-160-0x000000000A120000-0x000000000A738000-memory.dmp

Filesize
6.1MB

Download
memory/2628-161-0x000000000A760000-0x000000000A86A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-162-0x000000000A8A0000-0x000000000A8B2000-memory.dmp

Filesize
72KB

Download
memory/2628-163-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2628-164-0x000000000A8C0000-0x000000000A8FC000-memory.dmp

Filesize
240KB

Download
memory/2628-165-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download