redline | d2ea79a47c266922fb9c860fdfcee1d49049882311cbbeb6457c4400e1475d32

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe
Size

517KB
MD5

3e221d2410b84869b0bc3722a81309f2
SHA1

60c5b521ec6e033989614c3755ca1e8b8a3ed5d9
SHA256

5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432
SHA512

4ea9014e11b7bac3e8e820d8ed7b2f08690c1d67162c09f7f292d3b3dcf343b8d2ea2ea163c77481fcd06a69b1d93a551a8df6c5c8e870ea0eb80e57e41d57c3
SSDEEP

12288:GIsAEP+6WSx4u/4fviaRdnQgxG4kT9/HeuqVxRTWY:o4u/Svi82gxG9RNUjv

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2312	x6463215.exe
2856	f4270997.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe
2312	x6463215.exe
2312	x6463215.exe
2312	x6463215.exe
2856	f4270997.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6463215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6463215.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2380 wrote to memory of 2312	2380	5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe	30
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31
PID 2312 wrote to memory of 2856	2312	x6463215.exe	31

C:\Users\Admin\AppData\Local\Temp\5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe
"C:\Users\Admin\AppData\Local\Temp\5dc72cb883881486f5acc3243736694c266a6ed751b31e8168c84c77e0515432.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe

Filesize
331KB

MD5
c403a2d98cf0b02b619c148e425da484

SHA1
66ef62b8c50e5ce3528ad377f4938f452b3a0ed2

SHA256
ac0667f586584e0286026c737bfb55cc45dbf238ff2f2b184ab59f405158054e

SHA512
5b2803aab1f2b2a065bd8dcdaefe1cce4305b3cc83ab4d528636364e1b116bdd135b7f68a93d1e44417f01d44ccb8afa6dd87c7a4e3db5ee75cb9223ae186348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe

Filesize
331KB

MD5
c403a2d98cf0b02b619c148e425da484

SHA1
66ef62b8c50e5ce3528ad377f4938f452b3a0ed2

SHA256
ac0667f586584e0286026c737bfb55cc45dbf238ff2f2b184ab59f405158054e

SHA512
5b2803aab1f2b2a065bd8dcdaefe1cce4305b3cc83ab4d528636364e1b116bdd135b7f68a93d1e44417f01d44ccb8afa6dd87c7a4e3db5ee75cb9223ae186348

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe

Filesize
331KB

MD5
c403a2d98cf0b02b619c148e425da484

SHA1
66ef62b8c50e5ce3528ad377f4938f452b3a0ed2

SHA256
ac0667f586584e0286026c737bfb55cc45dbf238ff2f2b184ab59f405158054e

SHA512
5b2803aab1f2b2a065bd8dcdaefe1cce4305b3cc83ab4d528636364e1b116bdd135b7f68a93d1e44417f01d44ccb8afa6dd87c7a4e3db5ee75cb9223ae186348

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6463215.exe

Filesize
331KB

MD5
c403a2d98cf0b02b619c148e425da484

SHA1
66ef62b8c50e5ce3528ad377f4938f452b3a0ed2

SHA256
ac0667f586584e0286026c737bfb55cc45dbf238ff2f2b184ab59f405158054e

SHA512
5b2803aab1f2b2a065bd8dcdaefe1cce4305b3cc83ab4d528636364e1b116bdd135b7f68a93d1e44417f01d44ccb8afa6dd87c7a4e3db5ee75cb9223ae186348

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f4270997.exe

Filesize
257KB

MD5
5794d1793c1a0af7df5da957860b1673

SHA1
695fd41e5527a0935e02bfaac8f4a4ac57f8153b

SHA256
b3eb4e8aaa8d036f0435d003678ae5f3300f0114cff394f0d927db68a01e28d9

SHA512
d68ec63eb06cdfd5b6fd777b3a3a06306b7cdd94a0061d414decf716c5645b3d38a0b047cd872fc47eeb3f45a0b69f3d83820bc043d029a0b0df7900f578cd61

Download Submit
memory/2380-54-0x0000000000320000-0x0000000000391000-memory.dmp

Filesize
452KB

Download
memory/2856-83-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/2856-87-0x0000000001FB0000-0x0000000001FB6000-memory.dmp

Filesize
24KB

Download
memory/2856-88-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download