redline | 2ebbf1406615506857a59ebe5259460c4403b6a604afae96cf8789dde5a868d0

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c6a1d67251363c885e1637b8.exe
Size

518KB
MD5

6c6a1d67251363c885e1637b8672c63d
SHA1

b152b976b334a874073bf23468f3838a4f7ce1bd
SHA256

2ebbf1406615506857a59ebe5259460c4403b6a604afae96cf8789dde5a868d0
SHA512

fc420ad9d2d531164fab3f9ca8956d1c854a8ed477514e776df29124f269d9557b92ccbcde39522f626523826c30fb9a6acf15aff10bce13bf2b0521375cd79e
SSDEEP

12288:RlaQfvZaRdnQgn4A3/+UyOLWNtBi0Xf7QIGo2N:RlaavZ82gwpOLiEoTQD

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2184	x8040809.exe
1148	f8170594.exe

Loads dropped DLL 5 IoCs

pid	Process
1316	6c6a1d67251363c885e1637b8.exe
2184	x8040809.exe
2184	x8040809.exe
2184	x8040809.exe
1148	f8170594.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6c6a1d67251363c885e1637b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6c6a1d67251363c885e1637b8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8040809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8040809.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 1316 wrote to memory of 2184	1316	6c6a1d67251363c885e1637b8.exe	30
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31
PID 2184 wrote to memory of 1148	2184	x8040809.exe	31

C:\Users\Admin\AppData\Local\Temp\6c6a1d67251363c885e1637b8.exe
"C:\Users\Admin\AppData\Local\Temp\6c6a1d67251363c885e1637b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe

Filesize
331KB

MD5
b7f53ee86c0d515f67af490b7b6c0b17

SHA1
93f41e557c2f27f96499b7887cab28bc4b79ab63

SHA256
546d4cb5b1ac3247b357c44b137d5986d8ac9ebffc87ba81881917b03ab4ad31

SHA512
abf9983777e050e0916f4e2890cf3c47b81f4d1020629b337e88d1b4dd98285c75b46a6f05eec5db7bc1cf5d0f53e31c1b6a5c35f03bcd80342f991d000c9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe

Filesize
331KB

MD5
b7f53ee86c0d515f67af490b7b6c0b17

SHA1
93f41e557c2f27f96499b7887cab28bc4b79ab63

SHA256
546d4cb5b1ac3247b357c44b137d5986d8ac9ebffc87ba81881917b03ab4ad31

SHA512
abf9983777e050e0916f4e2890cf3c47b81f4d1020629b337e88d1b4dd98285c75b46a6f05eec5db7bc1cf5d0f53e31c1b6a5c35f03bcd80342f991d000c9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe

Filesize
331KB

MD5
b7f53ee86c0d515f67af490b7b6c0b17

SHA1
93f41e557c2f27f96499b7887cab28bc4b79ab63

SHA256
546d4cb5b1ac3247b357c44b137d5986d8ac9ebffc87ba81881917b03ab4ad31

SHA512
abf9983777e050e0916f4e2890cf3c47b81f4d1020629b337e88d1b4dd98285c75b46a6f05eec5db7bc1cf5d0f53e31c1b6a5c35f03bcd80342f991d000c9d55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8040809.exe

Filesize
331KB

MD5
b7f53ee86c0d515f67af490b7b6c0b17

SHA1
93f41e557c2f27f96499b7887cab28bc4b79ab63

SHA256
546d4cb5b1ac3247b357c44b137d5986d8ac9ebffc87ba81881917b03ab4ad31

SHA512
abf9983777e050e0916f4e2890cf3c47b81f4d1020629b337e88d1b4dd98285c75b46a6f05eec5db7bc1cf5d0f53e31c1b6a5c35f03bcd80342f991d000c9d55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f8170594.exe

Filesize
257KB

MD5
bf961ce77f95f691f49f4f082b229192

SHA1
971c2292bde95fed5961565d8e38470f164b1491

SHA256
e3b4e80fcba458c094bc2a59ad5fe26a69077bb3a29ba2528147d1a5e9f01b4d

SHA512
e38eede95fdd34a32500bf4c83506fbc78ad4e6798d6f7d7704b7f6cf04d6987b89e549525fba18d46ac075c51193b1a5f652010d8e52bbe9574e31f3eb0c23f

Download Submit
memory/1148-83-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/1148-87-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/1148-88-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1148-89-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1316-54-0x00000000002A0000-0x0000000000311000-memory.dmp

Filesize
452KB

Download