redline | 70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe
Size

855KB
MD5

f630dd3df8c1420ceb164d51abd3b539
SHA1

d0fb9257274b7b24c963a6778ac46de88fec4c62
SHA256

70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c
SHA512

c8436470e78378ce6532a602db58c3f6ba2c4110d80b15bb294eadb86b494cad438476f300eb323c13501350414988e649f1f462817046c35da5cce7abad74e9
SSDEEP

24576:PyUnRZYC5e/RFdM7tVOWXvtB5yOmmEtnEZDAG:asZTG6/OWXlyOmmsn2

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2984	v9031159.exe
212	v0228204.exe
4720	v9719912.exe
4116	v0142731.exe
3560	a4558917.exe
4712	b0254392.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0228204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9719912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0142731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9031159.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2984	2656	70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe	82
PID 2656 wrote to memory of 2984	2656	70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe	82
PID 2656 wrote to memory of 2984	2656	70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe	82
PID 2984 wrote to memory of 212	2984	v9031159.exe	83
PID 2984 wrote to memory of 212	2984	v9031159.exe	83
PID 2984 wrote to memory of 212	2984	v9031159.exe	83
PID 212 wrote to memory of 4720	212	v0228204.exe	84
PID 212 wrote to memory of 4720	212	v0228204.exe	84
PID 212 wrote to memory of 4720	212	v0228204.exe	84
PID 4720 wrote to memory of 4116	4720	v9719912.exe	85
PID 4720 wrote to memory of 4116	4720	v9719912.exe	85
PID 4720 wrote to memory of 4116	4720	v9719912.exe	85
PID 4116 wrote to memory of 3560	4116	v0142731.exe	86
PID 4116 wrote to memory of 3560	4116	v0142731.exe	86
PID 4116 wrote to memory of 3560	4116	v0142731.exe	86
PID 4116 wrote to memory of 4712	4116	v0142731.exe	87
PID 4116 wrote to memory of 4712	4116	v0142731.exe	87
PID 4116 wrote to memory of 4712	4116	v0142731.exe	87

C:\Users\Admin\AppData\Local\Temp\70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe
"C:\Users\Admin\AppData\Local\Temp\70dd7b7fc8072f97314921a25cd014e0d9bf4889c49655ac134b25bd1f22ff3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9031159.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9031159.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0228204.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0228204.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9719912.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9719912.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0142731.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0142731.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4558917.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4558917.exe
        6⤵
        Executes dropped EXE
        
        PID:3560
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0254392.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0254392.exe
        6⤵
        Executes dropped EXE
        
        PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9031159.exe

Filesize
723KB

MD5
c7909c261cc37a897f6623eb2a3a7644

SHA1
58d7bf25d951a38abdeb03738ed425656cc2301f

SHA256
7c228596e22f0fc3ecf628436182d44d7d758934967bab8638274612e199b3d2

SHA512
64d46e3f83dc84d3fe6f5fd51e6cb597dbc71aca61f0d55ec831812946934e15d4b7cffb2fd25df8a6d3c5013e268ab4b5ccd120725ddb7ab7a99abf616df7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9031159.exe

Filesize
723KB

MD5
c7909c261cc37a897f6623eb2a3a7644

SHA1
58d7bf25d951a38abdeb03738ed425656cc2301f

SHA256
7c228596e22f0fc3ecf628436182d44d7d758934967bab8638274612e199b3d2

SHA512
64d46e3f83dc84d3fe6f5fd51e6cb597dbc71aca61f0d55ec831812946934e15d4b7cffb2fd25df8a6d3c5013e268ab4b5ccd120725ddb7ab7a99abf616df7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0228204.exe

Filesize
598KB

MD5
7f30eb1b8bbba99f128387f9610c065a

SHA1
37f810df74273def36dd3c30add69df9605222fc

SHA256
397a8231290b29d1c29ebf703c89710b2a552735d8ead38bcd7ac98f8fb2693f

SHA512
e95774a7230fa8902fac548c1c6da040c267833298d7cc16d9a853bf0622ea812c830c5d96497466cec545c2fab2d9e2f07ae6df6a84c7b726c992942d58581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0228204.exe

Filesize
598KB

MD5
7f30eb1b8bbba99f128387f9610c065a

SHA1
37f810df74273def36dd3c30add69df9605222fc

SHA256
397a8231290b29d1c29ebf703c89710b2a552735d8ead38bcd7ac98f8fb2693f

SHA512
e95774a7230fa8902fac548c1c6da040c267833298d7cc16d9a853bf0622ea812c830c5d96497466cec545c2fab2d9e2f07ae6df6a84c7b726c992942d58581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9719912.exe

Filesize
373KB

MD5
22d6186fe1403f36d3087d7a94f2ee4b

SHA1
48061c8a48f427e6066da8c913ba289d4c7949b9

SHA256
6b6f66b1fe97e4afb5e04efbc9e3030ed90d7c3eb5d81952d67f0aae15eb467f

SHA512
e1b970e85596d4db5b5e966daa2fefea647a8e2f4067f474811ae8148ae4ae3145b551b9f69f6f1904e50b96daa22a1671d7c666730dbbcfbbc1b5ca49a5b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9719912.exe

Filesize
373KB

MD5
22d6186fe1403f36d3087d7a94f2ee4b

SHA1
48061c8a48f427e6066da8c913ba289d4c7949b9

SHA256
6b6f66b1fe97e4afb5e04efbc9e3030ed90d7c3eb5d81952d67f0aae15eb467f

SHA512
e1b970e85596d4db5b5e966daa2fefea647a8e2f4067f474811ae8148ae4ae3145b551b9f69f6f1904e50b96daa22a1671d7c666730dbbcfbbc1b5ca49a5b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0142731.exe

Filesize
271KB

MD5
25ddd59447691c1655033b28134b367c

SHA1
fe6efba08bb4cc0ac9f1e70937c6d2bf5006785e

SHA256
8bbc76f2fec2ec3711eae395d662701f7cafed96c1b553c391b90d81e27436ae

SHA512
144e4095faede5d208d72a95e3428ab098908b9964fec8a363aef7e7cd1a4da6f1b5f05f286c5065a5efbbd2f313dbeecf4e22e3eabaf511b3d49d6fda5a41df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0142731.exe

Filesize
271KB

MD5
25ddd59447691c1655033b28134b367c

SHA1
fe6efba08bb4cc0ac9f1e70937c6d2bf5006785e

SHA256
8bbc76f2fec2ec3711eae395d662701f7cafed96c1b553c391b90d81e27436ae

SHA512
144e4095faede5d208d72a95e3428ab098908b9964fec8a363aef7e7cd1a4da6f1b5f05f286c5065a5efbbd2f313dbeecf4e22e3eabaf511b3d49d6fda5a41df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4558917.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4558917.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0254392.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0254392.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/4712-171-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/4712-172-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/4712-173-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/4712-174-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/4712-175-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/4712-176-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4712-177-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/4712-178-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/4712-179-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads