redline | 7d0b155b95248002441c6e45f30672503e4c985172832607c93a393e7122a7b5

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72b0829f02d6495c469e35469.exe
Size

518KB
MD5

72b0829f02d6495c469e35469ca71bbe
SHA1

5da83853e4629f02f9436a3d91efd8d14178b0e7
SHA256

7d0b155b95248002441c6e45f30672503e4c985172832607c93a393e7122a7b5
SHA512

6a23805aa680cfc2cd8c18d9076b604e89c5c31f56d83a070cfd6c6d056b02ad9d2b1eedab31b0fe9940ff380006dab03130de8078869b21c99796b7ccb38c0c
SSDEEP

12288:AuknfvzaRdnQgdi84HFJ+nHQnWNgqRX2Y:Aukfvz82gdJ4HSnHK8gqJf

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2196	x6351756.exe
2360	f9920822.exe

Loads dropped DLL 5 IoCs

pid	Process
2944	72b0829f02d6495c469e35469.exe
2196	x6351756.exe
2196	x6351756.exe
2196	x6351756.exe
2360	f9920822.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	72b0829f02d6495c469e35469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72b0829f02d6495c469e35469.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6351756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6351756.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2944 wrote to memory of 2196	2944	72b0829f02d6495c469e35469.exe	29
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30
PID 2196 wrote to memory of 2360	2196	x6351756.exe	30

C:\Users\Admin\AppData\Local\Temp\72b0829f02d6495c469e35469.exe
"C:\Users\Admin\AppData\Local\Temp\72b0829f02d6495c469e35469.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe

Filesize
331KB

MD5
4097f972241bb5e85f312fabf23b5715

SHA1
f2dcf1bf2c87a6d9925b579a0e42c1be362563e6

SHA256
87420cc0fad6f5b9de2fa10f7b5048403656a8ac71570a2daceb09c68e225cf1

SHA512
772da18282e37173cd95c39b364e9a4448a113e4b5cabc3b2fe5416213d469b5e17b53b3300f7ffaddc91dda8edeb1b6e92d7a62142ace1ed65e0d68bd95a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe

Filesize
331KB

MD5
4097f972241bb5e85f312fabf23b5715

SHA1
f2dcf1bf2c87a6d9925b579a0e42c1be362563e6

SHA256
87420cc0fad6f5b9de2fa10f7b5048403656a8ac71570a2daceb09c68e225cf1

SHA512
772da18282e37173cd95c39b364e9a4448a113e4b5cabc3b2fe5416213d469b5e17b53b3300f7ffaddc91dda8edeb1b6e92d7a62142ace1ed65e0d68bd95a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe

Filesize
331KB

MD5
4097f972241bb5e85f312fabf23b5715

SHA1
f2dcf1bf2c87a6d9925b579a0e42c1be362563e6

SHA256
87420cc0fad6f5b9de2fa10f7b5048403656a8ac71570a2daceb09c68e225cf1

SHA512
772da18282e37173cd95c39b364e9a4448a113e4b5cabc3b2fe5416213d469b5e17b53b3300f7ffaddc91dda8edeb1b6e92d7a62142ace1ed65e0d68bd95a17d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6351756.exe

Filesize
331KB

MD5
4097f972241bb5e85f312fabf23b5715

SHA1
f2dcf1bf2c87a6d9925b579a0e42c1be362563e6

SHA256
87420cc0fad6f5b9de2fa10f7b5048403656a8ac71570a2daceb09c68e225cf1

SHA512
772da18282e37173cd95c39b364e9a4448a113e4b5cabc3b2fe5416213d469b5e17b53b3300f7ffaddc91dda8edeb1b6e92d7a62142ace1ed65e0d68bd95a17d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9920822.exe

Filesize
257KB

MD5
01033083d7bb423410c58373e06191e0

SHA1
136d6fa71c21b78e10650644da84dd6af697b4b3

SHA256
dd152a28160d4a70918cfabbb5aa59e0f6d919ead139927bd94711ea53786d15

SHA512
25bda85c25fd83b45ed6977c635900a3a72e80e8f0329febfda01716ddefff06ffe9747d67f57596ffef780f588143968f7b470277400a150f9a0dbe2d7f2b13

Download Submit
memory/2360-83-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/2360-87-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/2360-88-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2944-54-0x0000000000370000-0x00000000003E1000-memory.dmp

Filesize
452KB

Download