redline | 42fc4dc8b4a173133c9428321bb31b91ef41d2746d1662bccfc7a3185646516e

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42fc4dc8b4a173133c9428321.exe
Size

513KB
MD5

280ed5461b5376e7acd971ebba4bbe24
SHA1

8bb614ffb41b8aed64f91c15fdbdcb9885f05c76
SHA256

42fc4dc8b4a173133c9428321bb31b91ef41d2746d1662bccfc7a3185646516e
SHA512

30566219a2c46fae40c65c174f99fa4bb803cb12615529534e82770c456d4d46d636f2d1fc2cb804b1435b44f2ba9ba181394627633853900b718efc6e389477
SSDEEP

12288:ZFiBV94I6WQBS/h3JZEjqpZu3otQYPJlnnTpAwjzloLFeDSjA:49p/h5ZEqO3LwlnywjBoL4uj

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1304	x4696713.exe
5052	f3830351.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42fc4dc8b4a173133c9428321.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4696713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4696713.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	42fc4dc8b4a173133c9428321.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1304	4432	42fc4dc8b4a173133c9428321.exe	86
PID 4432 wrote to memory of 1304	4432	42fc4dc8b4a173133c9428321.exe	86
PID 4432 wrote to memory of 1304	4432	42fc4dc8b4a173133c9428321.exe	86
PID 1304 wrote to memory of 5052	1304	x4696713.exe	87
PID 1304 wrote to memory of 5052	1304	x4696713.exe	87
PID 1304 wrote to memory of 5052	1304	x4696713.exe	87

C:\Users\Admin\AppData\Local\Temp\42fc4dc8b4a173133c9428321.exe
"C:\Users\Admin\AppData\Local\Temp\42fc4dc8b4a173133c9428321.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4696713.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4696713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3830351.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3830351.exe
    3⤵
    - Executes dropped EXE
    PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4696713.exe

Filesize
319KB

MD5
3441e6317cd6e42af1c6cd1f260d991a

SHA1
2b5ca51394ccfd915f3407860a664ac78987ba1c

SHA256
91a9b37a13cb7f8ee0a566939b846009f6bd14a71c7b66d2c333348e86907f87

SHA512
b3c5be466b826f7e05fe1babb16092a53126cec4f84cd38eb73a69d9935b856216cf3dbcb00f84b5f8b042252220ae8812fb0dc3c0c31673f17b7680f33fca9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4696713.exe

Filesize
319KB

MD5
3441e6317cd6e42af1c6cd1f260d991a

SHA1
2b5ca51394ccfd915f3407860a664ac78987ba1c

SHA256
91a9b37a13cb7f8ee0a566939b846009f6bd14a71c7b66d2c333348e86907f87

SHA512
b3c5be466b826f7e05fe1babb16092a53126cec4f84cd38eb73a69d9935b856216cf3dbcb00f84b5f8b042252220ae8812fb0dc3c0c31673f17b7680f33fca9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3830351.exe

Filesize
265KB

MD5
eaf2a9ac494cf1e48654930517dd8636

SHA1
3efede98a8724690feb9ce18e8f99fe6cca1ac13

SHA256
ecbd8c0ff0ea5e877684e11ba09a0777023124688608a84492734625a4785e0c

SHA512
c4456109b24ceb7147fe864ad971da50f37b7609fe1139c4b9584c6c5dd52ab8f317ced1e513d2f1a55c5c72fd67a1f346ee235af8c817d84aa7a0a11659bff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3830351.exe

Filesize
265KB

MD5
eaf2a9ac494cf1e48654930517dd8636

SHA1
3efede98a8724690feb9ce18e8f99fe6cca1ac13

SHA256
ecbd8c0ff0ea5e877684e11ba09a0777023124688608a84492734625a4785e0c

SHA512
c4456109b24ceb7147fe864ad971da50f37b7609fe1139c4b9584c6c5dd52ab8f317ced1e513d2f1a55c5c72fd67a1f346ee235af8c817d84aa7a0a11659bff2

Download Submit
memory/4432-133-0x0000000000620000-0x000000000068E000-memory.dmp

Filesize
440KB

Download
memory/5052-153-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/5052-157-0x0000000009FC0000-0x000000000A5D8000-memory.dmp

Filesize
6.1MB

Download
memory/5052-158-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/5052-159-0x000000000A750000-0x000000000A762000-memory.dmp

Filesize
72KB

Download
memory/5052-160-0x000000000A770000-0x000000000A7AC000-memory.dmp

Filesize
240KB

Download
memory/5052-161-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/5052-162-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download