redline | df69d2c8a41a796c33d7a623977ef8a4d4b85cb02b9907fa3ce1c7e777837966

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eaa8200ae1edab74652da8c3.exe
Size

514KB
MD5

8eaa8200ae1edab74652da8c3db0b8e0
SHA1

817310ecc48861a9a52f83321090e5bd33c78f14
SHA256

df69d2c8a41a796c33d7a623977ef8a4d4b85cb02b9907fa3ce1c7e777837966
SHA512

ca623502fcd9e8f28096ac3b58261914150cf0de2fd4bf5156b595c7cf87a526417987c8fc825b67c70d3495ff970b391ea9bfd52aacd65a259d8e8057400e0c
SSDEEP

12288:Sob/GfvfaRdnQgfdj16fH/xcK3FH0fIp30n:SI/cvf82gfCfH/x9VH0Qp30n

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3776	x0718843.exe
1468	f9721398.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8eaa8200ae1edab74652da8c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8eaa8200ae1edab74652da8c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0718843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0718843.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3776	3536	8eaa8200ae1edab74652da8c3.exe	88
PID 3536 wrote to memory of 3776	3536	8eaa8200ae1edab74652da8c3.exe	88
PID 3536 wrote to memory of 3776	3536	8eaa8200ae1edab74652da8c3.exe	88
PID 3776 wrote to memory of 1468	3776	x0718843.exe	89
PID 3776 wrote to memory of 1468	3776	x0718843.exe	89
PID 3776 wrote to memory of 1468	3776	x0718843.exe	89

C:\Users\Admin\AppData\Local\Temp\8eaa8200ae1edab74652da8c3.exe
"C:\Users\Admin\AppData\Local\Temp\8eaa8200ae1edab74652da8c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0718843.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0718843.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9721398.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9721398.exe
    3⤵
    - Executes dropped EXE
    PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0718843.exe

Filesize
329KB

MD5
7cd3dfc0b123b31b81a9b9511d387aef

SHA1
bdc15a1e298a9d78957ccd50d9d35953f628727b

SHA256
db156b245fa08a72c9c1affacc674d7181ce3aaeb2e0a86e0ff6fd51f82d0e22

SHA512
dfe600346cc0472272dad37192c8d0b215864dd69aff32b27eb15d918b693cd62a0c0528167d92306b60cea990d3f89a945e3bc0ff6374f59c2246d678112469

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0718843.exe

Filesize
329KB

MD5
7cd3dfc0b123b31b81a9b9511d387aef

SHA1
bdc15a1e298a9d78957ccd50d9d35953f628727b

SHA256
db156b245fa08a72c9c1affacc674d7181ce3aaeb2e0a86e0ff6fd51f82d0e22

SHA512
dfe600346cc0472272dad37192c8d0b215864dd69aff32b27eb15d918b693cd62a0c0528167d92306b60cea990d3f89a945e3bc0ff6374f59c2246d678112469

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9721398.exe

Filesize
254KB

MD5
e5897a88018b4173045c91b4b8d14652

SHA1
f3a04093f3635cad26d1622c6a16f3019c02b087

SHA256
43200ebfffb0b5b664f07ffea12e7e7dbbaf6af6a104f9f34f62eaece267657a

SHA512
dd9be8e430c2fe15821d0b51cd1b600a35424b0cea0d2ecf956c9f80bbb5a9a7643ba6122c3e92352ebb75e2f71c2872d5df247a5d90a47aa952ec76523065ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9721398.exe

Filesize
254KB

MD5
e5897a88018b4173045c91b4b8d14652

SHA1
f3a04093f3635cad26d1622c6a16f3019c02b087

SHA256
43200ebfffb0b5b664f07ffea12e7e7dbbaf6af6a104f9f34f62eaece267657a

SHA512
dd9be8e430c2fe15821d0b51cd1b600a35424b0cea0d2ecf956c9f80bbb5a9a7643ba6122c3e92352ebb75e2f71c2872d5df247a5d90a47aa952ec76523065ab

Download Submit
memory/1468-153-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/1468-157-0x0000000009F70000-0x000000000A588000-memory.dmp

Filesize
6.1MB

Download
memory/1468-158-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/1468-159-0x000000000A750000-0x000000000A762000-memory.dmp

Filesize
72KB

Download
memory/1468-160-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1468-161-0x000000000A770000-0x000000000A7AC000-memory.dmp

Filesize
240KB

Download
memory/1468-162-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/3536-133-0x00000000005E0000-0x0000000000651000-memory.dmp

Filesize
452KB

Download