redline | b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
Size

855KB
MD5

43e356847a58f0119be8f31cf5806867
SHA1

859cbb9afad9c8e492ad7131cdd55b76dcf7abb5
SHA256

b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1
SHA512

ade3135a759fc1dcb28fe657e29dcfd76eea5d65a38ff783fdc5c4d6e3791c2761af71e1d0ca1de32e38936a9767aaec64ba7a07cc6bf5f0f203e446639567e4
SSDEEP

12288:lMrAy90gA9ptSzZvJ/HKYz0Jd8Ov02YG5RSJlO5u9bkIZWoD8RnamCg0AjmNa:5yiVSzZfF4/SHbTZ9D8RaJghyA

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2860	v1298987.exe
2408	v8705982.exe
2508	v3488496.exe
4588	v7760337.exe
4512	a7203138.exe
3020	b2095355.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3488496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7760337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1298987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8705982.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 2860	3264	b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe	81
PID 3264 wrote to memory of 2860	3264	b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe	81
PID 3264 wrote to memory of 2860	3264	b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe	81
PID 2860 wrote to memory of 2408	2860	v1298987.exe	82
PID 2860 wrote to memory of 2408	2860	v1298987.exe	82
PID 2860 wrote to memory of 2408	2860	v1298987.exe	82
PID 2408 wrote to memory of 2508	2408	v8705982.exe	83
PID 2408 wrote to memory of 2508	2408	v8705982.exe	83
PID 2408 wrote to memory of 2508	2408	v8705982.exe	83
PID 2508 wrote to memory of 4588	2508	v3488496.exe	84
PID 2508 wrote to memory of 4588	2508	v3488496.exe	84
PID 2508 wrote to memory of 4588	2508	v3488496.exe	84
PID 4588 wrote to memory of 4512	4588	v7760337.exe	85
PID 4588 wrote to memory of 4512	4588	v7760337.exe	85
PID 4588 wrote to memory of 4512	4588	v7760337.exe	85
PID 4588 wrote to memory of 3020	4588	v7760337.exe	86
PID 4588 wrote to memory of 3020	4588	v7760337.exe	86
PID 4588 wrote to memory of 3020	4588	v7760337.exe	86

C:\Users\Admin\AppData\Local\Temp\b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe
"C:\Users\Admin\AppData\Local\Temp\b70f7dec0d5da7833d794b961edcdcc509c411b21cfa10b4d1bc22827bde8ff1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe
        6⤵
        Executes dropped EXE
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe
        6⤵
        Executes dropped EXE
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe

Filesize
723KB

MD5
eab3f16d1b187a73b6ace727ea544ff8

SHA1
0f40b7bd4f13652b7d5983b3e290ab082a862f01

SHA256
aa82484d4e4a94c0fe3e1e95324ce2c5c563986daefd3315aa41bda69304a9d9

SHA512
13a6c8f8b3ac5cfc956464b4eaa2168e7c7e9054a439b3fdd0fc2cbaf635e584f41c617378f97c3665ad6261244a0f77654de0e2dcd475606b1167875bbf7b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1298987.exe

Filesize
723KB

MD5
eab3f16d1b187a73b6ace727ea544ff8

SHA1
0f40b7bd4f13652b7d5983b3e290ab082a862f01

SHA256
aa82484d4e4a94c0fe3e1e95324ce2c5c563986daefd3315aa41bda69304a9d9

SHA512
13a6c8f8b3ac5cfc956464b4eaa2168e7c7e9054a439b3fdd0fc2cbaf635e584f41c617378f97c3665ad6261244a0f77654de0e2dcd475606b1167875bbf7b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe

Filesize
599KB

MD5
8eac0c64a185f539032b920c7feb9af1

SHA1
0fac2c51f69e12148cea952e7664095bf7d3ce58

SHA256
917a6e00d3ce391d7c6e53b559e03186e7d5824345b2eaccb9bdfa896d7ed13e

SHA512
805d2509e2ab4dc5ac7b546a9c1715168538c7f0cd522f10eae691851a7b97f35214399f20d75638d1c0fae0155f35117e6cb6e3cd0a84f66eb7e66d5e892e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8705982.exe

Filesize
599KB

MD5
8eac0c64a185f539032b920c7feb9af1

SHA1
0fac2c51f69e12148cea952e7664095bf7d3ce58

SHA256
917a6e00d3ce391d7c6e53b559e03186e7d5824345b2eaccb9bdfa896d7ed13e

SHA512
805d2509e2ab4dc5ac7b546a9c1715168538c7f0cd522f10eae691851a7b97f35214399f20d75638d1c0fae0155f35117e6cb6e3cd0a84f66eb7e66d5e892e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe

Filesize
373KB

MD5
d92c207339934cadc006d81065843927

SHA1
4b5e181d6e90f2d59e55fe178c9132f69fbd8f4a

SHA256
214b0c3cd4e4fe845505be88c23c90230ba5bfae219f85bb6cec05f41600e5e2

SHA512
3230b35920eae64ccd87ae70ba22f2cfc847ea03981191058bed7d041141c9a63f5d80931b076883be8f507c6142b8bba7fabef34cc1d6540baaa02437ba42ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3488496.exe

Filesize
373KB

MD5
d92c207339934cadc006d81065843927

SHA1
4b5e181d6e90f2d59e55fe178c9132f69fbd8f4a

SHA256
214b0c3cd4e4fe845505be88c23c90230ba5bfae219f85bb6cec05f41600e5e2

SHA512
3230b35920eae64ccd87ae70ba22f2cfc847ea03981191058bed7d041141c9a63f5d80931b076883be8f507c6142b8bba7fabef34cc1d6540baaa02437ba42ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe

Filesize
271KB

MD5
ac2607ec66eac709fce5939ef353bb61

SHA1
f6c7fba15cb1718e866d5042f076eae39f5924de

SHA256
55b5ac0a4f7c31c196005ff50ce353b912c749ee1ff51e941a5159d0f6b6378c

SHA512
9a5699f552ce1e081b89f819a2ea7177fe6b60c3fd493f0718f6952e454ead826f752daf2d7f0e7a45710d48102e6daf041dfb4ce9dbaf251f1e58ffdc8db233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7760337.exe

Filesize
271KB

MD5
ac2607ec66eac709fce5939ef353bb61

SHA1
f6c7fba15cb1718e866d5042f076eae39f5924de

SHA256
55b5ac0a4f7c31c196005ff50ce353b912c749ee1ff51e941a5159d0f6b6378c

SHA512
9a5699f552ce1e081b89f819a2ea7177fe6b60c3fd493f0718f6952e454ead826f752daf2d7f0e7a45710d48102e6daf041dfb4ce9dbaf251f1e58ffdc8db233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7203138.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2095355.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/3020-171-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/3020-172-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3020-173-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/3020-174-0x0000000004C40000-0x0000000004D4A000-memory.dmp

Filesize
1.0MB

Download
memory/3020-175-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3020-176-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/3020-177-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/3020-178-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3020-179-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads