redline | f627484a2eace806014e7fa68d071a1ed1b8ee381512d48e8e75837f2d980b0e

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 11:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cb18afb03c89cdded0da435d.exe
Size

518KB
MD5

8cb18afb03c89cdded0da435d33ceba7
SHA1

e67223f2f099ee3f4c1dcee552192a2f035f2010
SHA256

f627484a2eace806014e7fa68d071a1ed1b8ee381512d48e8e75837f2d980b0e
SHA512

816241ba43ad71b2047e6f8b63083ac222a0810951929f5c7c67519ae4ad244850660c27377c856e0055eac0970b372d363310c57a5824f8f059e17456badf26
SSDEEP

12288:HqgKBfvWaRdnQgkNXGJgZ9wukYM0d1u6/nbY:KgKtvW82gEXG+rem4

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1464	x1915949.exe
1904	f3814391.exe

Loads dropped DLL 5 IoCs

pid	Process
2312	8cb18afb03c89cdded0da435d.exe
1464	x1915949.exe
1464	x1915949.exe
1464	x1915949.exe
1904	f3814391.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1915949.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8cb18afb03c89cdded0da435d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8cb18afb03c89cdded0da435d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1915949.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 2312 wrote to memory of 1464	2312	8cb18afb03c89cdded0da435d.exe	29
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30
PID 1464 wrote to memory of 1904	1464	x1915949.exe	30

C:\Users\Admin\AppData\Local\Temp\8cb18afb03c89cdded0da435d.exe
"C:\Users\Admin\AppData\Local\Temp\8cb18afb03c89cdded0da435d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe

Filesize
332KB

MD5
39ec808c8cc6842c6d53b648b1b63af9

SHA1
99c0b97b3fff5fa3f742b31988d189a9c22d6b40

SHA256
4f1c9508cd9005b126f690e336e6a102a83419fe20de5e9c4bc6353cf417b9f1

SHA512
8e8d89df8b92548b725147bbda209c6489f36b88c5a58c6c52fb36596b8062510e9e558e0955624dc1ce5cb206c297ede8e4d525fde68ba709b46ce172ba7677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe

Filesize
332KB

MD5
39ec808c8cc6842c6d53b648b1b63af9

SHA1
99c0b97b3fff5fa3f742b31988d189a9c22d6b40

SHA256
4f1c9508cd9005b126f690e336e6a102a83419fe20de5e9c4bc6353cf417b9f1

SHA512
8e8d89df8b92548b725147bbda209c6489f36b88c5a58c6c52fb36596b8062510e9e558e0955624dc1ce5cb206c297ede8e4d525fde68ba709b46ce172ba7677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe

Filesize
332KB

MD5
39ec808c8cc6842c6d53b648b1b63af9

SHA1
99c0b97b3fff5fa3f742b31988d189a9c22d6b40

SHA256
4f1c9508cd9005b126f690e336e6a102a83419fe20de5e9c4bc6353cf417b9f1

SHA512
8e8d89df8b92548b725147bbda209c6489f36b88c5a58c6c52fb36596b8062510e9e558e0955624dc1ce5cb206c297ede8e4d525fde68ba709b46ce172ba7677

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1915949.exe

Filesize
332KB

MD5
39ec808c8cc6842c6d53b648b1b63af9

SHA1
99c0b97b3fff5fa3f742b31988d189a9c22d6b40

SHA256
4f1c9508cd9005b126f690e336e6a102a83419fe20de5e9c4bc6353cf417b9f1

SHA512
8e8d89df8b92548b725147bbda209c6489f36b88c5a58c6c52fb36596b8062510e9e558e0955624dc1ce5cb206c297ede8e4d525fde68ba709b46ce172ba7677

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f3814391.exe

Filesize
258KB

MD5
30d06b6baed780ca7e58988e8056547d

SHA1
53e7d30ebcb4c7dc7e034e33fc9ec2e5bbf5c6e6

SHA256
55c7f6250af66f4c3affba391096b25c3f4a62c0139793eb06af8974a645b377

SHA512
7baad74d0b822c58d16f8b09bea81b9af6ecf21223698aa9fed1112a419ddef4d6980f77a3def20be88709741f2145613a05ef7b6dda4abcbb6f2183bd678eae

Download Submit
memory/1904-83-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/1904-87-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/1904-88-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/1904-89-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/2312-54-0x0000000000490000-0x0000000000501000-memory.dmp

Filesize
452KB

Download