redline | 2d54d544bccdc37e057f72da78a1ee99dba84c663108ad0dff5834e13256cb03

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d54d544bccdc37e057f72da7.exe
Size

517KB
MD5

f41cbf7f9d374a36ea958e5a1ab94348
SHA1

59827542626d543efccb7b039268dc251db4089f
SHA256

2d54d544bccdc37e057f72da78a1ee99dba84c663108ad0dff5834e13256cb03
SHA512

791387d1d02c7fb31f33dbd8f0fabdf6da2ca2b00172d052631909926b30636b4aba74e9fe3a79f2cecf705ef3d613c9ec283eaabd353802bd38bdb9e1177834
SSDEEP

12288:L2Lefv5aRdnQgx/+CtqM8RJcdEyQfFPCzwACkIt6V:L2LEv582gV7UDxTFOCbAV

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
5000	x1397051.exe
2396	f8379536.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d54d544bccdc37e057f72da7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1397051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1397051.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2d54d544bccdc37e057f72da7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 5000	1496	2d54d544bccdc37e057f72da7.exe	86
PID 1496 wrote to memory of 5000	1496	2d54d544bccdc37e057f72da7.exe	86
PID 1496 wrote to memory of 5000	1496	2d54d544bccdc37e057f72da7.exe	86
PID 5000 wrote to memory of 2396	5000	x1397051.exe	87
PID 5000 wrote to memory of 2396	5000	x1397051.exe	87
PID 5000 wrote to memory of 2396	5000	x1397051.exe	87

C:\Users\Admin\AppData\Local\Temp\2d54d544bccdc37e057f72da7.exe
"C:\Users\Admin\AppData\Local\Temp\2d54d544bccdc37e057f72da7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1397051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1397051.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8379536.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8379536.exe
    3⤵
    - Executes dropped EXE
    PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1397051.exe

Filesize
330KB

MD5
60cbad7a63ddc07f1c494e8ff00bf4f5

SHA1
52714ec009c4f411eebb26e2f02aec6d757df7e2

SHA256
c4fa198b575cdef7d1a09eacc2bc836695d01cb2072938aa857b3035db3e4883

SHA512
f7ef1e786efa7bd79d74f5f5acb60e1fc25d38714a0062d06fbc958613b5f4462c88dfa9f44941cbb89eb0b3c2abcf9bc9864dadb0018fc309faba2dd2b5cca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1397051.exe

Filesize
330KB

MD5
60cbad7a63ddc07f1c494e8ff00bf4f5

SHA1
52714ec009c4f411eebb26e2f02aec6d757df7e2

SHA256
c4fa198b575cdef7d1a09eacc2bc836695d01cb2072938aa857b3035db3e4883

SHA512
f7ef1e786efa7bd79d74f5f5acb60e1fc25d38714a0062d06fbc958613b5f4462c88dfa9f44941cbb89eb0b3c2abcf9bc9864dadb0018fc309faba2dd2b5cca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8379536.exe

Filesize
257KB

MD5
79bd74234c52c923ad504de3506131a3

SHA1
91b87d1d80088100323bed7d789e7054a10a266f

SHA256
a95663678dfdfde9588b8df40ee457b4d6b91bc45a7c3b8351b51765c3425992

SHA512
bf5d2145c868fbc97882e3ea91531da9746a3a8e9d3d7af89556f8c37eee09ede5c107599092303a4f0bfe2e4ad3a752ab412c515f7062fc741d2690e2744688

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8379536.exe

Filesize
257KB

MD5
79bd74234c52c923ad504de3506131a3

SHA1
91b87d1d80088100323bed7d789e7054a10a266f

SHA256
a95663678dfdfde9588b8df40ee457b4d6b91bc45a7c3b8351b51765c3425992

SHA512
bf5d2145c868fbc97882e3ea91531da9746a3a8e9d3d7af89556f8c37eee09ede5c107599092303a4f0bfe2e4ad3a752ab412c515f7062fc741d2690e2744688

Download Submit
memory/1496-133-0x0000000000560000-0x00000000005D1000-memory.dmp

Filesize
452KB

Download
memory/2396-153-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2396-157-0x0000000004CB0000-0x00000000052C8000-memory.dmp

Filesize
6.1MB

Download
memory/2396-158-0x00000000052D0000-0x00000000053DA000-memory.dmp

Filesize
1.0MB

Download
memory/2396-159-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/2396-160-0x0000000002600000-0x000000000263C000-memory.dmp

Filesize
240KB

Download
memory/2396-161-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2396-162-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download