redline | a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341

Analysis

max time kernel
135s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16/08/2023, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
Size

856KB
MD5

dfc59dca284135282ea4eaa0e655a50f
SHA1

d1d3155245dbf214c87b0d2a0051cfbf68f3f8b3
SHA256

a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341
SHA512

09c870e20ed7b8a58cd3328cbff17ab1a36daea27a1029b3236f33228cd67b741e3a0b8aa922350560117fd1dbbd1a165bbd1f2555facc5b58688486d5ee19d7
SSDEEP

12288:JMrKy90EGHXyn/N9P+VJoVFke0nyhtE1AtF/KS5x2VrXcyw220ShBh6FjO7:byjGHClJoJyvE1Q/KS5x2pXRF20SUK7

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4676	v1167039.exe
320	v2497928.exe
3112	v7151927.exe
4640	v7167388.exe
164	a0498068.exe
1128	b6582972.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7167388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1167039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2497928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7151927.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4676	4588	a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe	70
PID 4588 wrote to memory of 4676	4588	a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe	70
PID 4588 wrote to memory of 4676	4588	a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe	70
PID 4676 wrote to memory of 320	4676	v1167039.exe	71
PID 4676 wrote to memory of 320	4676	v1167039.exe	71
PID 4676 wrote to memory of 320	4676	v1167039.exe	71
PID 320 wrote to memory of 3112	320	v2497928.exe	72
PID 320 wrote to memory of 3112	320	v2497928.exe	72
PID 320 wrote to memory of 3112	320	v2497928.exe	72
PID 3112 wrote to memory of 4640	3112	v7151927.exe	73
PID 3112 wrote to memory of 4640	3112	v7151927.exe	73
PID 3112 wrote to memory of 4640	3112	v7151927.exe	73
PID 4640 wrote to memory of 164	4640	v7167388.exe	74
PID 4640 wrote to memory of 164	4640	v7167388.exe	74
PID 4640 wrote to memory of 164	4640	v7167388.exe	74
PID 4640 wrote to memory of 1128	4640	v7167388.exe	75
PID 4640 wrote to memory of 1128	4640	v7167388.exe	75
PID 4640 wrote to memory of 1128	4640	v7167388.exe	75

C:\Users\Admin\AppData\Local\Temp\a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe
"C:\Users\Admin\AppData\Local\Temp\a3e82f3c4c87ba408542a3f4e10d606dcf204a53edf0a7f6aa369b9920e82341.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe
        6⤵
        Executes dropped EXE
        
        PID:164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe
        6⤵
        Executes dropped EXE
        
        PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe

Filesize
723KB

MD5
bab718737504eec7b41a1e99e31c0200

SHA1
b3d5912060b1fac7bbeea1207b384686151d23e9

SHA256
edb5fe6c3f3482afd4caa07967f3b8017d980cbd3e643a40171b14781cd41875

SHA512
9c12f68412734f326f903aaae07f7725e4c7ff2f169e0a4dbc25cab00a2fda134122ed381f91e86eac2d1f9396ef07c24284c6e68c687d495bcaf89c34c2d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1167039.exe

Filesize
723KB

MD5
bab718737504eec7b41a1e99e31c0200

SHA1
b3d5912060b1fac7bbeea1207b384686151d23e9

SHA256
edb5fe6c3f3482afd4caa07967f3b8017d980cbd3e643a40171b14781cd41875

SHA512
9c12f68412734f326f903aaae07f7725e4c7ff2f169e0a4dbc25cab00a2fda134122ed381f91e86eac2d1f9396ef07c24284c6e68c687d495bcaf89c34c2d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe

Filesize
599KB

MD5
20b10be840f01feb4df777538d10afff

SHA1
0cf00a570d66c04f2730b7e2bfd0fce2e889c3d9

SHA256
db17a0f76139141bae48dc53cab01ee8d7c71fbbdb688b069b455f4ea71f465f

SHA512
a464d48cd1ff17effc8f8103636c3b296066e51490cd1943c319fd52c5a254e8c0432649d4ea50e87c89ee127a4a0bbe2b30ea5727a983d21158284416f7c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2497928.exe

Filesize
599KB

MD5
20b10be840f01feb4df777538d10afff

SHA1
0cf00a570d66c04f2730b7e2bfd0fce2e889c3d9

SHA256
db17a0f76139141bae48dc53cab01ee8d7c71fbbdb688b069b455f4ea71f465f

SHA512
a464d48cd1ff17effc8f8103636c3b296066e51490cd1943c319fd52c5a254e8c0432649d4ea50e87c89ee127a4a0bbe2b30ea5727a983d21158284416f7c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe

Filesize
373KB

MD5
cc2bfc132cf71abce9ed4c497b8f3eed

SHA1
6afed79dd9d6c162c2299c5eedde450fc3a76385

SHA256
e6cefd02ebbf10064dd81f11eebf29dabc8ce27506582273bd2881c24b904918

SHA512
c7b2bbabe0a19bfb078b3bcca69126552deb34793ad43e13603c8f9292a7f5b3cdbe961863710dbb273253cea1d49d8b1fd01c5b3e1354e2c31cbe8cb0b46063

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7151927.exe

Filesize
373KB

MD5
cc2bfc132cf71abce9ed4c497b8f3eed

SHA1
6afed79dd9d6c162c2299c5eedde450fc3a76385

SHA256
e6cefd02ebbf10064dd81f11eebf29dabc8ce27506582273bd2881c24b904918

SHA512
c7b2bbabe0a19bfb078b3bcca69126552deb34793ad43e13603c8f9292a7f5b3cdbe961863710dbb273253cea1d49d8b1fd01c5b3e1354e2c31cbe8cb0b46063

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe

Filesize
271KB

MD5
ab80cb2152f4ea7a8cae6c30db00437e

SHA1
f8668d508dc9d2c63e9678814786ea1bf48acbfd

SHA256
c959c1d6bb4241572d2b8c8c687afe05f914a4ae3adbf26566f11e2870f2a4c8

SHA512
9cdc6abd486df8e75b8bdd306d6bc93fa23218000df883568ee34308fcf5dbb9e1cc8e70570ce2eb70cde028690ff3bf4abe4f0f568c97f91f9a4b5a3de69aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7167388.exe

Filesize
271KB

MD5
ab80cb2152f4ea7a8cae6c30db00437e

SHA1
f8668d508dc9d2c63e9678814786ea1bf48acbfd

SHA256
c959c1d6bb4241572d2b8c8c687afe05f914a4ae3adbf26566f11e2870f2a4c8

SHA512
9cdc6abd486df8e75b8bdd306d6bc93fa23218000df883568ee34308fcf5dbb9e1cc8e70570ce2eb70cde028690ff3bf4abe4f0f568c97f91f9a4b5a3de69aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0498068.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6582972.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/1128-160-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/1128-161-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/1128-162-0x0000000003070000-0x0000000003076000-memory.dmp

Filesize
24KB

Download
memory/1128-163-0x000000000B170000-0x000000000B776000-memory.dmp

Filesize
6.0MB

Download
memory/1128-164-0x000000000AC70000-0x000000000AD7A000-memory.dmp

Filesize
1.0MB

Download
memory/1128-165-0x000000000AB80000-0x000000000AB92000-memory.dmp

Filesize
72KB

Download
memory/1128-166-0x000000000ABE0000-0x000000000AC1E000-memory.dmp

Filesize
248KB

Download
memory/1128-167-0x000000000AD80000-0x000000000ADCB000-memory.dmp

Filesize
300KB

Download
memory/1128-168-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads