redline | 86ab42464328e3c2be9058bdaedd58d64689a269d47b3d7a105f5095e9d18c8f

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95dbd6a9c065bc50de08888eb.exe
Size

512KB
MD5

95dbd6a9c065bc50de08888eb366fad5
SHA1

9d30766ec69abde7ea13aade6d07495f16bfd6b1
SHA256

86ab42464328e3c2be9058bdaedd58d64689a269d47b3d7a105f5095e9d18c8f
SHA512

4a57981d073e40394bbda108c7227cb4cdc6c52881f7309fe64ecf2e8a4bdc2f52834441af7f63096ed2d419d3b5d0d6cdf8c8b198e993fdc590da09b5728939
SSDEEP

12288:+wcwfvwaRdnQgzGv1BBLH9rJXitnJey7BFm5Xz9vl:+wc6vw82gzGdjvXiN/N+z

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2320	x8875996.exe
2968	f9455141.exe

Loads dropped DLL 5 IoCs

pid	Process
2092	95dbd6a9c065bc50de08888eb.exe
2320	x8875996.exe
2320	x8875996.exe
2320	x8875996.exe
2968	f9455141.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	95dbd6a9c065bc50de08888eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	95dbd6a9c065bc50de08888eb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8875996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8875996.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2092 wrote to memory of 2320	2092	95dbd6a9c065bc50de08888eb.exe	30
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31
PID 2320 wrote to memory of 2968	2320	x8875996.exe	31

C:\Users\Admin\AppData\Local\Temp\95dbd6a9c065bc50de08888eb.exe
"C:\Users\Admin\AppData\Local\Temp\95dbd6a9c065bc50de08888eb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe

Filesize
329KB

MD5
84075b3ef1abdaa6ee2a62f2660141fa

SHA1
af8631bbaa1c6e447a5f59920871a15a44b9db1f

SHA256
1cfffa615579289b9361c65da272deb8a5b25da520e6c32e019310f0f1110337

SHA512
bc4506787d4ffd8486b66a39ab907a9d19629b2b2e2ea4f3a4848c3ae777bd330460b32ee7f5bee9bb64b48c658a3c02e95414042f71767396e3547e1c6719c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe

Filesize
329KB

MD5
84075b3ef1abdaa6ee2a62f2660141fa

SHA1
af8631bbaa1c6e447a5f59920871a15a44b9db1f

SHA256
1cfffa615579289b9361c65da272deb8a5b25da520e6c32e019310f0f1110337

SHA512
bc4506787d4ffd8486b66a39ab907a9d19629b2b2e2ea4f3a4848c3ae777bd330460b32ee7f5bee9bb64b48c658a3c02e95414042f71767396e3547e1c6719c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe

Filesize
329KB

MD5
84075b3ef1abdaa6ee2a62f2660141fa

SHA1
af8631bbaa1c6e447a5f59920871a15a44b9db1f

SHA256
1cfffa615579289b9361c65da272deb8a5b25da520e6c32e019310f0f1110337

SHA512
bc4506787d4ffd8486b66a39ab907a9d19629b2b2e2ea4f3a4848c3ae777bd330460b32ee7f5bee9bb64b48c658a3c02e95414042f71767396e3547e1c6719c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8875996.exe

Filesize
329KB

MD5
84075b3ef1abdaa6ee2a62f2660141fa

SHA1
af8631bbaa1c6e447a5f59920871a15a44b9db1f

SHA256
1cfffa615579289b9361c65da272deb8a5b25da520e6c32e019310f0f1110337

SHA512
bc4506787d4ffd8486b66a39ab907a9d19629b2b2e2ea4f3a4848c3ae777bd330460b32ee7f5bee9bb64b48c658a3c02e95414042f71767396e3547e1c6719c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9455141.exe

Filesize
254KB

MD5
4a0ab0765366afa8f1933a8356d58de0

SHA1
238eadc6884911a31d93f92828d818b686d67dee

SHA256
aa7ecdd6a013d6088a14f96aef51ecde94e4c7ca33c85b0039cb4813f0e42c07

SHA512
4b3dbab34d40230b1e45c8fec690507ead258bc25c4e4d4920e74636820e17515f9fcd40473a51becdc8c7ba3739cb541171fd6f0d8f8c0a78ac3956badb0ee3

Download Submit
memory/2092-54-0x0000000000500000-0x0000000000571000-memory.dmp

Filesize
452KB

Download
memory/2968-83-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/2968-87-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/2968-88-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download