redline | 7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120

Analysis

max time kernel
134s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2023 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe
Size

854KB
MD5

3543a5e1f18cd7e9c1122ca2bae0b1b4
SHA1

cdc1026fb069102a97389326c39df9b8746e9d8f
SHA256

7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120
SHA512

4200281ca69de4987f91d310bc4979f21d9184d2c03d143ba7f1bd6ac01a9c25381c7437501cc0bbe1838e8cc1875a10bb9aaf43a334c844759e12791279b264
SSDEEP

12288:ZMr6y90cayt+3biPPl1UV+eGi5dazH6WR0cY4my6G8dtmzktlbinNOVFGP0:vyBt+e+RGi/azH6pcAbdtmcYNOVw0

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
192	v1748870.exe
2216	v0815805.exe
4772	v4784214.exe
5088	v2661470.exe
4360	a2828966.exe
752	b2067794.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2661470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1748870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0815805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4784214.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 192	3376	7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe	57
PID 3376 wrote to memory of 192	3376	7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe	57
PID 3376 wrote to memory of 192	3376	7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe	57
PID 192 wrote to memory of 2216	192	v1748870.exe	71
PID 192 wrote to memory of 2216	192	v1748870.exe	71
PID 192 wrote to memory of 2216	192	v1748870.exe	71
PID 2216 wrote to memory of 4772	2216	v0815805.exe	72
PID 2216 wrote to memory of 4772	2216	v0815805.exe	72
PID 2216 wrote to memory of 4772	2216	v0815805.exe	72
PID 4772 wrote to memory of 5088	4772	v4784214.exe	73
PID 4772 wrote to memory of 5088	4772	v4784214.exe	73
PID 4772 wrote to memory of 5088	4772	v4784214.exe	73
PID 5088 wrote to memory of 4360	5088	v2661470.exe	74
PID 5088 wrote to memory of 4360	5088	v2661470.exe	74
PID 5088 wrote to memory of 4360	5088	v2661470.exe	74
PID 5088 wrote to memory of 752	5088	v2661470.exe	75
PID 5088 wrote to memory of 752	5088	v2661470.exe	75
PID 5088 wrote to memory of 752	5088	v2661470.exe	75

C:\Users\Admin\AppData\Local\Temp\7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe
"C:\Users\Admin\AppData\Local\Temp\7b259027fed72487cff3328c1c2b8cb5723de102dfdcea22a431642b8d43f120.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1748870.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1748870.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0815805.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0815805.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4784214.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4784214.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2661470.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2661470.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2828966.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2828966.exe
        6⤵
        Executes dropped EXE
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2067794.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2067794.exe
        6⤵
        Executes dropped EXE
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1748870.exe

Filesize
723KB

MD5
8f414307dfdc72751143d35c504b65be

SHA1
c0b6decf37eca94eab04dd4c0f86577f1a4af3f6

SHA256
8ddc9ea9fbb6d48258110c889b36a25f12b87b4849f580725a494a076794c7c8

SHA512
8f72f1d2d798d727913dc156e64a42c51af827dad7438447f8f695b91da2b11c5e3c21797fd31163830932816e41923a95491b7a43b06e666e9f76859962e6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1748870.exe

Filesize
723KB

MD5
8f414307dfdc72751143d35c504b65be

SHA1
c0b6decf37eca94eab04dd4c0f86577f1a4af3f6

SHA256
8ddc9ea9fbb6d48258110c889b36a25f12b87b4849f580725a494a076794c7c8

SHA512
8f72f1d2d798d727913dc156e64a42c51af827dad7438447f8f695b91da2b11c5e3c21797fd31163830932816e41923a95491b7a43b06e666e9f76859962e6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0815805.exe

Filesize
598KB

MD5
333b606ec82fc8ded351411c84455932

SHA1
97cbc4a72efa14d93bbf5ed191ee9f9ca7cc88a5

SHA256
54ef00f36fb935f3159c72a938c599007d2ba44223353b7b594e992de6bc429c

SHA512
9e9423768663f5fd8482cbabca7cc1b59a376e433c8f84eddea61b0ee64d50bd85cc863c27458f77dc8aed3f5d4e55a0d97b4a30b3394d4911cd3844a4f11cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0815805.exe

Filesize
598KB

MD5
333b606ec82fc8ded351411c84455932

SHA1
97cbc4a72efa14d93bbf5ed191ee9f9ca7cc88a5

SHA256
54ef00f36fb935f3159c72a938c599007d2ba44223353b7b594e992de6bc429c

SHA512
9e9423768663f5fd8482cbabca7cc1b59a376e433c8f84eddea61b0ee64d50bd85cc863c27458f77dc8aed3f5d4e55a0d97b4a30b3394d4911cd3844a4f11cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4784214.exe

Filesize
373KB

MD5
5a9cea4e333947b5d93f30480af5b4f9

SHA1
9d3d4b6bccaf88fb62d2e05a562de7f1cf5ef0cb

SHA256
0806bf1e29e3341f6c51dd2aec015c13466cef88c0013d57ff71e5ce8405e66e

SHA512
d52a7842b6ec22d20abf84c985b1aa7b24b17afeab0090e5364c1a936f402e97f3e62fc3c71c2ee4cff6686e6065d07f4be055e8e522eb406724c4ffc03d2a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4784214.exe

Filesize
373KB

MD5
5a9cea4e333947b5d93f30480af5b4f9

SHA1
9d3d4b6bccaf88fb62d2e05a562de7f1cf5ef0cb

SHA256
0806bf1e29e3341f6c51dd2aec015c13466cef88c0013d57ff71e5ce8405e66e

SHA512
d52a7842b6ec22d20abf84c985b1aa7b24b17afeab0090e5364c1a936f402e97f3e62fc3c71c2ee4cff6686e6065d07f4be055e8e522eb406724c4ffc03d2a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2661470.exe

Filesize
272KB

MD5
bea2ddc6dcbbafe45a8558aa8ef0db13

SHA1
c4c7ad94c7765b669a612a503755def6d5612a6c

SHA256
ccf4ff326dd655ab072df27d5165f8a1a0ec23c24182c5b374be94ff7c260892

SHA512
9b778fdf61cd3e06ca357a1c7ffd33b82775e0ef64d46dd9822f16dac125ca77daa0e132b5abc7b7ee7bdabf9d3da598a29a0d18e06a55ec728d3a3b31458949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2661470.exe

Filesize
272KB

MD5
bea2ddc6dcbbafe45a8558aa8ef0db13

SHA1
c4c7ad94c7765b669a612a503755def6d5612a6c

SHA256
ccf4ff326dd655ab072df27d5165f8a1a0ec23c24182c5b374be94ff7c260892

SHA512
9b778fdf61cd3e06ca357a1c7ffd33b82775e0ef64d46dd9822f16dac125ca77daa0e132b5abc7b7ee7bdabf9d3da598a29a0d18e06a55ec728d3a3b31458949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2828966.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2828966.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2067794.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2067794.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/752-161-0x0000000072CB0000-0x000000007339E000-memory.dmp

Filesize
6.9MB

Download
memory/752-160-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/752-162-0x0000000002510000-0x0000000002516000-memory.dmp

Filesize
24KB

Download
memory/752-163-0x000000000A4A0000-0x000000000AAA6000-memory.dmp

Filesize
6.0MB

Download
memory/752-164-0x000000000A030000-0x000000000A13A000-memory.dmp

Filesize
1.0MB

Download
memory/752-165-0x0000000009F60000-0x0000000009F72000-memory.dmp

Filesize
72KB

Download
memory/752-166-0x0000000009FC0000-0x0000000009FFE000-memory.dmp

Filesize
248KB

Download
memory/752-167-0x000000000A140000-0x000000000A18B000-memory.dmp

Filesize
300KB

Download
memory/752-168-0x0000000072CB0000-0x000000007339E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads