redline | 186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540

Analysis

max time kernel
134s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15/08/2023, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe
Size

842KB
MD5

a69236eb925b65afe5638d4017d220bd
SHA1

3ad228b225364ddd4fd243c22c8b5931e8a98348
SHA256

186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540
SHA512

79a276af6c900ede99164cf38b065939ec97ea0574ec74960eddf5bf671ad5819440757bb7ae7576de4dbcadef1333f73955fd924a623d8c8b416c2e9a0bc9b0
SSDEEP

12288:iMrDy90UOAl5TRWVtFxMSMqnAs7WnY3LtZ210MlG1K7Zr78erGWTYWWWa5shhRP5:Rykc8tFxMjo7f7tZW0G5r/iaq51yR

Score

10^/10

redline meson infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

meson

77.91.124.54:19071

Attributes

auth_value
47ca57ebe5c142c9ad4650f71bf57877

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2204	v7579254.exe
5080	v0240306.exe
4020	v4585699.exe
4224	v7277456.exe
4684	a5447125.exe
2476	b2342625.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7579254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0240306.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4585699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7277456.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2204	4284	186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe	69
PID 4284 wrote to memory of 2204	4284	186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe	69
PID 4284 wrote to memory of 2204	4284	186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe	69
PID 2204 wrote to memory of 5080	2204	v7579254.exe	70
PID 2204 wrote to memory of 5080	2204	v7579254.exe	70
PID 2204 wrote to memory of 5080	2204	v7579254.exe	70
PID 5080 wrote to memory of 4020	5080	v0240306.exe	71
PID 5080 wrote to memory of 4020	5080	v0240306.exe	71
PID 5080 wrote to memory of 4020	5080	v0240306.exe	71
PID 4020 wrote to memory of 4224	4020	v4585699.exe	72
PID 4020 wrote to memory of 4224	4020	v4585699.exe	72
PID 4020 wrote to memory of 4224	4020	v4585699.exe	72
PID 4224 wrote to memory of 4684	4224	v7277456.exe	73
PID 4224 wrote to memory of 4684	4224	v7277456.exe	73
PID 4224 wrote to memory of 4684	4224	v7277456.exe	73
PID 4224 wrote to memory of 2476	4224	v7277456.exe	74
PID 4224 wrote to memory of 2476	4224	v7277456.exe	74
PID 4224 wrote to memory of 2476	4224	v7277456.exe	74

C:\Users\Admin\AppData\Local\Temp\186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe
"C:\Users\Admin\AppData\Local\Temp\186d63d1833b57158c32cf5d225052cb5af614bd60589fcbb89f089b7a0b6540.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7579254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7579254.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0240306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0240306.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4585699.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4585699.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7277456.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7277456.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5447125.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5447125.exe
        6⤵
        Executes dropped EXE
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2342625.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2342625.exe
        6⤵
        Executes dropped EXE
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7579254.exe

Filesize
722KB

MD5
5d367e95b8d3ebb5ee33e7d57173d9b5

SHA1
84ad00db7d6c8f9d734f03c74c24a8f3d1b54b47

SHA256
93250c5750eed505d6c1eea04efc57c2cbad382a33ba8c8a55079c7539615798

SHA512
981767415244a05f2d87044c6814a4871479a6a4e2f4ef0b5592ba6f1420ced31f190039259501a2e61447f3843c08b94ef91c96a0e997bc457dc7e890b26de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7579254.exe

Filesize
722KB

MD5
5d367e95b8d3ebb5ee33e7d57173d9b5

SHA1
84ad00db7d6c8f9d734f03c74c24a8f3d1b54b47

SHA256
93250c5750eed505d6c1eea04efc57c2cbad382a33ba8c8a55079c7539615798

SHA512
981767415244a05f2d87044c6814a4871479a6a4e2f4ef0b5592ba6f1420ced31f190039259501a2e61447f3843c08b94ef91c96a0e997bc457dc7e890b26de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0240306.exe

Filesize
598KB

MD5
4316d3eafd9830bf65da1ed9e52afd4e

SHA1
b264292dee8f4c9aedc85451437c9ffc60f20037

SHA256
5736b5b258cb6609a2db9ebdffb47f0d6010e7eff0cfab6e6cca865b9bba07ac

SHA512
1731c378bd1c994b6be18ed4cf64c619cf7b07779e952a4a427f3f1c4ae627b2bf86ce9fd220d83bf2b2c9533de9e02ed4710da22a777619817d83d3b480e0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0240306.exe

Filesize
598KB

MD5
4316d3eafd9830bf65da1ed9e52afd4e

SHA1
b264292dee8f4c9aedc85451437c9ffc60f20037

SHA256
5736b5b258cb6609a2db9ebdffb47f0d6010e7eff0cfab6e6cca865b9bba07ac

SHA512
1731c378bd1c994b6be18ed4cf64c619cf7b07779e952a4a427f3f1c4ae627b2bf86ce9fd220d83bf2b2c9533de9e02ed4710da22a777619817d83d3b480e0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4585699.exe

Filesize
372KB

MD5
1e95b6806299416ec3815a3302a32bba

SHA1
33ae46c6e385778010854ea908555fb373d9f70d

SHA256
de694ce8fa3c1fb1df00de63f68edc0902751657ed3e57efadb46f11d457b2d0

SHA512
0a8a96399c15e6a449d5cac018a358448d458fee609fbbfaddef574c2886dd58cab6f3a35e0be973b41578d4e88843cad0d5bdfc1834aabbdcc2a8b917a73ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4585699.exe

Filesize
372KB

MD5
1e95b6806299416ec3815a3302a32bba

SHA1
33ae46c6e385778010854ea908555fb373d9f70d

SHA256
de694ce8fa3c1fb1df00de63f68edc0902751657ed3e57efadb46f11d457b2d0

SHA512
0a8a96399c15e6a449d5cac018a358448d458fee609fbbfaddef574c2886dd58cab6f3a35e0be973b41578d4e88843cad0d5bdfc1834aabbdcc2a8b917a73ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7277456.exe

Filesize
271KB

MD5
1980f13b393f2e7d40211f76a72aaa54

SHA1
a4508a3f907fcb8c4ba14fe5cc10dea74baed3e4

SHA256
0b5e1874f9339d1b4c44d4bea551b73c648ba80645034b3b24a31b764e8352f5

SHA512
a739d65223cf6ea7cb9907c3d32f77b96303b85d1a1042824b4a070e8dbce85ee165c65c774d6264503d3b3b483fbb4e12f6f10901d04d21f68eea6e055fe16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7277456.exe

Filesize
271KB

MD5
1980f13b393f2e7d40211f76a72aaa54

SHA1
a4508a3f907fcb8c4ba14fe5cc10dea74baed3e4

SHA256
0b5e1874f9339d1b4c44d4bea551b73c648ba80645034b3b24a31b764e8352f5

SHA512
a739d65223cf6ea7cb9907c3d32f77b96303b85d1a1042824b4a070e8dbce85ee165c65c774d6264503d3b3b483fbb4e12f6f10901d04d21f68eea6e055fe16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5447125.exe

Filesize
140KB

MD5
3d94c590d66633f6d6b716828ee2f3e6

SHA1
f7785d585c25452927f23d90148c631397b93c91

SHA256
fc47c5b28c40cff4782a1cf61b8e51f265720e766983bc31c6dca5ad25a08910

SHA512
43987194e3895a2736e44c8e63725acfa4f3d5f1a754444424eb1ad07383793183c262f7f18602191a2f697fca0202f64008a02bfa8db01cb4470a0d9ac5d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5447125.exe

Filesize
140KB

MD5
3d94c590d66633f6d6b716828ee2f3e6

SHA1
f7785d585c25452927f23d90148c631397b93c91

SHA256
fc47c5b28c40cff4782a1cf61b8e51f265720e766983bc31c6dca5ad25a08910

SHA512
43987194e3895a2736e44c8e63725acfa4f3d5f1a754444424eb1ad07383793183c262f7f18602191a2f697fca0202f64008a02bfa8db01cb4470a0d9ac5d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2342625.exe

Filesize
174KB

MD5
71755da2ad6d04e34af57974394904bd

SHA1
12eb990abdd6a067fede8dbfdf53b6076415d6ba

SHA256
fa4c0400f2100f27843122d6626e53b3fd8cf4af1ba43ab99f637716bfedf691

SHA512
a8d9dc9cd3a931a3124345f37bf77e79b01847f91a788d629bdec3e0553eb136fc16d3a888fbbeeb2d3a048ab227314da926a7fa02205156101bd34f32c83106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2342625.exe

Filesize
174KB

MD5
71755da2ad6d04e34af57974394904bd

SHA1
12eb990abdd6a067fede8dbfdf53b6076415d6ba

SHA256
fa4c0400f2100f27843122d6626e53b3fd8cf4af1ba43ab99f637716bfedf691

SHA512
a8d9dc9cd3a931a3124345f37bf77e79b01847f91a788d629bdec3e0553eb136fc16d3a888fbbeeb2d3a048ab227314da926a7fa02205156101bd34f32c83106

Download Submit
memory/2476-156-0x0000000000790000-0x00000000007C0000-memory.dmp

Filesize
192KB

Download
memory/2476-157-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-158-0x0000000002A20000-0x0000000002A26000-memory.dmp

Filesize
24KB

Download
memory/2476-159-0x000000000ABA0000-0x000000000B1A6000-memory.dmp

Filesize
6.0MB

Download
memory/2476-160-0x000000000A6E0000-0x000000000A7EA000-memory.dmp

Filesize
1.0MB

Download
memory/2476-161-0x000000000A610000-0x000000000A622000-memory.dmp

Filesize
72KB

Download
memory/2476-162-0x000000000A670000-0x000000000A6AE000-memory.dmp

Filesize
248KB

Download
memory/2476-163-0x000000000A7F0000-0x000000000A83B000-memory.dmp

Filesize
300KB

Download
memory/2476-164-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads