redline | 7bf2f48d58010eedd8df3a6b54b3dc816cbec1eca4d7e97d0930d050cf928cb6

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf2f48d58010eedd8df3a6b5.exe
Size

518KB
MD5

e80962cda1467356c56448a7bc37d852
SHA1

d5f5f48efce0b7e94e557a0763efb95f36d84a89
SHA256

7bf2f48d58010eedd8df3a6b54b3dc816cbec1eca4d7e97d0930d050cf928cb6
SHA512

a931d90e5fa3fe424fc222c8443b01e7dbabc32fc1531b2c2716b2ea04703596c99b236332247fdd148e7084ae307d0024c8063dedef86c3c7e413eddd6e06bc
SSDEEP

12288:AX+0fvzaRdnQgBmljqGqKOrfvrf8wmXrN:AX+evz82gBMjquEf7u

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2244	x5505810.exe
2936	f8585117.exe

Loads dropped DLL 5 IoCs

pid	Process
1768	7bf2f48d58010eedd8df3a6b5.exe
2244	x5505810.exe
2244	x5505810.exe
2244	x5505810.exe
2936	f8585117.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7bf2f48d58010eedd8df3a6b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7bf2f48d58010eedd8df3a6b5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5505810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5505810.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 1768 wrote to memory of 2244	1768	7bf2f48d58010eedd8df3a6b5.exe	30
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31
PID 2244 wrote to memory of 2936	2244	x5505810.exe	31

C:\Users\Admin\AppData\Local\Temp\7bf2f48d58010eedd8df3a6b5.exe
"C:\Users\Admin\AppData\Local\Temp\7bf2f48d58010eedd8df3a6b5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe

Filesize
331KB

MD5
3a84f144b7843e2d4caa122e21e08395

SHA1
2819650225c6ec5e0ae324b0ba474af2ba952ed8

SHA256
8d1e701650f2675c2e3cde559c8d6ecec9e8fbdee62374e7e9fad33dc7fb8c4b

SHA512
860409b3944ec659917e9e5a965f7096584da1b2902fc9782e5d49ed21fb5bf7b7bcd91d7aa1f42e65ad44308101ab5d8c3d4bed6dbd927255f2636cb3516a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe

Filesize
331KB

MD5
3a84f144b7843e2d4caa122e21e08395

SHA1
2819650225c6ec5e0ae324b0ba474af2ba952ed8

SHA256
8d1e701650f2675c2e3cde559c8d6ecec9e8fbdee62374e7e9fad33dc7fb8c4b

SHA512
860409b3944ec659917e9e5a965f7096584da1b2902fc9782e5d49ed21fb5bf7b7bcd91d7aa1f42e65ad44308101ab5d8c3d4bed6dbd927255f2636cb3516a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe

Filesize
331KB

MD5
3a84f144b7843e2d4caa122e21e08395

SHA1
2819650225c6ec5e0ae324b0ba474af2ba952ed8

SHA256
8d1e701650f2675c2e3cde559c8d6ecec9e8fbdee62374e7e9fad33dc7fb8c4b

SHA512
860409b3944ec659917e9e5a965f7096584da1b2902fc9782e5d49ed21fb5bf7b7bcd91d7aa1f42e65ad44308101ab5d8c3d4bed6dbd927255f2636cb3516a23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5505810.exe

Filesize
331KB

MD5
3a84f144b7843e2d4caa122e21e08395

SHA1
2819650225c6ec5e0ae324b0ba474af2ba952ed8

SHA256
8d1e701650f2675c2e3cde559c8d6ecec9e8fbdee62374e7e9fad33dc7fb8c4b

SHA512
860409b3944ec659917e9e5a965f7096584da1b2902fc9782e5d49ed21fb5bf7b7bcd91d7aa1f42e65ad44308101ab5d8c3d4bed6dbd927255f2636cb3516a23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8585117.exe

Filesize
257KB

MD5
07fee6c8de088c2a6115e0ac90c7339f

SHA1
4e8554410d97b13d3602a0f11a09570a44a76bc0

SHA256
0640c62cfc121b508c6584f0d088878396b17d34122726a21edc74b00fb01ad6

SHA512
98957c9ffd2be7c4792772e02894aacef6f8062f6b2e8f83278fd49e8ab75eeba9bb0579b36b48ad9dd4a8f103d29079b317e0f927ebdc35916da9ee595360df

Download Submit
memory/1768-54-0x0000000000310000-0x0000000000381000-memory.dmp

Filesize
452KB

Download
memory/2936-83-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/2936-87-0x00000000020A0000-0x00000000020A6000-memory.dmp

Filesize
24KB

Download
memory/2936-88-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download