redline | 720db36b3d85431e6837b9bd15fa534fbca23df3b0db991be3184d8c05f55748

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

720db36b3d85431e6837b9bd1.exe
Size

514KB
MD5

3f8f066367d99ea21c6ef83ccbfc1694
SHA1

29d5f77eba1c9be4fa6d8899e8173c38e5a1210b
SHA256

720db36b3d85431e6837b9bd15fa534fbca23df3b0db991be3184d8c05f55748
SHA512

6f240e19893a4ead2cc33a8261dfe1ae9e2c499cc993e07873c05127827232a17e49e40ebc65b57d6f9b91c0d5ebb7072403c6db6ef7a1a98f8d1dd2edd4f1c2
SSDEEP

12288:UJ/rve+fvqaRdnQgdAWMCXdX2h+XGFjpnlCNUmfU/uusM7N:UJTvVvq82gdAW1dmpFjCNjUvZJ

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
704	x1009913.exe
2140	f9849285.exe

Loads dropped DLL 5 IoCs

pid	Process
2952	720db36b3d85431e6837b9bd1.exe
704	x1009913.exe
704	x1009913.exe
704	x1009913.exe
2140	f9849285.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	720db36b3d85431e6837b9bd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	720db36b3d85431e6837b9bd1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1009913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1009913.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 2952 wrote to memory of 704	2952	720db36b3d85431e6837b9bd1.exe	29
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30
PID 704 wrote to memory of 2140	704	x1009913.exe	30

C:\Users\Admin\AppData\Local\Temp\720db36b3d85431e6837b9bd1.exe
"C:\Users\Admin\AppData\Local\Temp\720db36b3d85431e6837b9bd1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe

Filesize
330KB

MD5
cfd388d5e7198e89bee974ba2a4d1fe3

SHA1
5566651d54f9b40f025100e51efb8cd1482e0501

SHA256
180d15eaaeca80549bd6cf55123a8b012be208f9d364c458a984d0cb05b1c121

SHA512
3943ea18cc45b461d0df67c73c92fe02c1b30bf3be3129621390a3058e61db0ab1504dcca06cbc46880f928b10788e54e6263007f0ffc8d92dd75aabc89dda4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe

Filesize
330KB

MD5
cfd388d5e7198e89bee974ba2a4d1fe3

SHA1
5566651d54f9b40f025100e51efb8cd1482e0501

SHA256
180d15eaaeca80549bd6cf55123a8b012be208f9d364c458a984d0cb05b1c121

SHA512
3943ea18cc45b461d0df67c73c92fe02c1b30bf3be3129621390a3058e61db0ab1504dcca06cbc46880f928b10788e54e6263007f0ffc8d92dd75aabc89dda4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe

Filesize
330KB

MD5
cfd388d5e7198e89bee974ba2a4d1fe3

SHA1
5566651d54f9b40f025100e51efb8cd1482e0501

SHA256
180d15eaaeca80549bd6cf55123a8b012be208f9d364c458a984d0cb05b1c121

SHA512
3943ea18cc45b461d0df67c73c92fe02c1b30bf3be3129621390a3058e61db0ab1504dcca06cbc46880f928b10788e54e6263007f0ffc8d92dd75aabc89dda4b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1009913.exe

Filesize
330KB

MD5
cfd388d5e7198e89bee974ba2a4d1fe3

SHA1
5566651d54f9b40f025100e51efb8cd1482e0501

SHA256
180d15eaaeca80549bd6cf55123a8b012be208f9d364c458a984d0cb05b1c121

SHA512
3943ea18cc45b461d0df67c73c92fe02c1b30bf3be3129621390a3058e61db0ab1504dcca06cbc46880f928b10788e54e6263007f0ffc8d92dd75aabc89dda4b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9849285.exe

Filesize
255KB

MD5
c8f002e9cb49105ecc1f08a624074710

SHA1
bdaa1cd68de51b53b1957e281445c012d621f7e5

SHA256
81a1bf57d7ff33a09a2d31916ee0662cdbb9ac88527c409abf66c6c77011387b

SHA512
bbb4c962b409300d754a8b14b02f621f221a311713609b323aeba41884231c3f78d9f58c10b5b1f1107a5c0dc361ff971e68de46345c6e52c0126bdae901cdd0

Download Submit
memory/2140-83-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/2140-87-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/2140-88-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2140-89-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2952-54-0x0000000000220000-0x0000000000291000-memory.dmp

Filesize
452KB

Download