redline | 9d4035a327dafaed0a688d2ecde747fcfe6c92ee05bd83b0f4020a1f8040f4f7

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03b7492e75c731fe6c3ad134.exe
Size

513KB
MD5

c03b7492e75c731fe6c3ad1349bf568e
SHA1

beb374b968b11084952499b9d3f570069bdb08e9
SHA256

9d4035a327dafaed0a688d2ecde747fcfe6c92ee05bd83b0f4020a1f8040f4f7
SHA512

15d60ec52f8886fcdb3b7dbe90076dafc64432dde325f489051e978cc535cb2de09bfc6b9eb57d39a6895bb488a70db399e4d64503a66ea05fbfab26e92abfa1
SSDEEP

12288:qfrlfv/aRdnQgnvtT8jCJyizL/ivKjIph:qfrBv/82gnvxGCUh

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1988	x9918193.exe
1548	f9017522.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c03b7492e75c731fe6c3ad134.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c03b7492e75c731fe6c3ad134.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9918193.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9918193.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 1988	4404	c03b7492e75c731fe6c3ad134.exe	87
PID 4404 wrote to memory of 1988	4404	c03b7492e75c731fe6c3ad134.exe	87
PID 4404 wrote to memory of 1988	4404	c03b7492e75c731fe6c3ad134.exe	87
PID 1988 wrote to memory of 1548	1988	x9918193.exe	88
PID 1988 wrote to memory of 1548	1988	x9918193.exe	88
PID 1988 wrote to memory of 1548	1988	x9918193.exe	88

C:\Users\Admin\AppData\Local\Temp\c03b7492e75c731fe6c3ad134.exe
"C:\Users\Admin\AppData\Local\Temp\c03b7492e75c731fe6c3ad134.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9918193.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9918193.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9017522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9017522.exe
    3⤵
    - Executes dropped EXE
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9918193.exe

Filesize
329KB

MD5
8db1f51e12653d709afa70b38c945af3

SHA1
9b01a113bd71867441599ad0fd1a2063eb5c7798

SHA256
2e5074d9c1a70e559518a558c5ada98247d67325fcc09acf98814db8ba789774

SHA512
23b99782c8966dccdddfb4e50e6df50337e913811008d1d5fb7758a92cc8532cae635511436a7d5566dad78be45c6bc6c30f81b21c76da38fe3f40aa1d52f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9918193.exe

Filesize
329KB

MD5
8db1f51e12653d709afa70b38c945af3

SHA1
9b01a113bd71867441599ad0fd1a2063eb5c7798

SHA256
2e5074d9c1a70e559518a558c5ada98247d67325fcc09acf98814db8ba789774

SHA512
23b99782c8966dccdddfb4e50e6df50337e913811008d1d5fb7758a92cc8532cae635511436a7d5566dad78be45c6bc6c30f81b21c76da38fe3f40aa1d52f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9017522.exe

Filesize
255KB

MD5
02f3efaacaafb3536da0f9b3900cee2a

SHA1
8f626639ad7eecef176c4003f719daeafa3ee2de

SHA256
d29f79e0ec31573af961fc6ca988d758ec0bd912fd33f93020f252e1986c98dd

SHA512
8a778c0ea923524fbec1c35298604b91ca834bea080047532b4a041ba06d9b7f7a4155be979a28d8918ad0e41319e7a01531ff663c097a3586ccf897a681726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f9017522.exe

Filesize
255KB

MD5
02f3efaacaafb3536da0f9b3900cee2a

SHA1
8f626639ad7eecef176c4003f719daeafa3ee2de

SHA256
d29f79e0ec31573af961fc6ca988d758ec0bd912fd33f93020f252e1986c98dd

SHA512
8a778c0ea923524fbec1c35298604b91ca834bea080047532b4a041ba06d9b7f7a4155be979a28d8918ad0e41319e7a01531ff663c097a3586ccf897a681726c

Download Submit
memory/1548-153-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1548-157-0x0000000004BD0000-0x00000000051E8000-memory.dmp

Filesize
6.1MB

Download
memory/1548-158-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/1548-159-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/1548-160-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1548-161-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/1548-162-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4404-133-0x0000000000490000-0x0000000000501000-memory.dmp

Filesize
452KB

Download