redline | 61aa9d12ce3598966dc1514db442fe726f167b17e2b0a7ca6a30f82ebcb1f0a0

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61aa9d12ce3598966dc1514db.exe
Size

502KB
MD5

a2696885c43b65bb96cb145eca45c9fc
SHA1

8fea508ec2dee517b2ee38b835399fce6ac468d5
SHA256

61aa9d12ce3598966dc1514db442fe726f167b17e2b0a7ca6a30f82ebcb1f0a0
SHA512

8c34700b60da0da97a64a60bffdf77780dd55c243cae7f235f450177f2662fd22cce01588f382a93fe7edd269fa9fbbf59459e943bfdd453990ded97a17f6ae8
SSDEEP

12288:hqiHS+fvHaRdnQgH/6pt0UhPaVKAvwP+zsFW2d:hqiHSkvH82gat5fN+mW2d

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4700	x8959098.exe
1936	f6500714.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8959098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	61aa9d12ce3598966dc1514db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61aa9d12ce3598966dc1514db.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8959098.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 4700	3832	61aa9d12ce3598966dc1514db.exe	85
PID 3832 wrote to memory of 4700	3832	61aa9d12ce3598966dc1514db.exe	85
PID 3832 wrote to memory of 4700	3832	61aa9d12ce3598966dc1514db.exe	85
PID 4700 wrote to memory of 1936	4700	x8959098.exe	86
PID 4700 wrote to memory of 1936	4700	x8959098.exe	86
PID 4700 wrote to memory of 1936	4700	x8959098.exe	86

C:\Users\Admin\AppData\Local\Temp\61aa9d12ce3598966dc1514db.exe
"C:\Users\Admin\AppData\Local\Temp\61aa9d12ce3598966dc1514db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe
    3⤵
    - Executes dropped EXE
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
memory/1936-153-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1936-157-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/1936-158-0x0000000004BD0000-0x0000000004CDA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-159-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/1936-160-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/1936-161-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1936-162-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3832-133-0x00000000006E0000-0x000000000074E000-memory.dmp

Filesize
440KB

Download