redline | 1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe
Size

854KB
MD5

2d13305e6a4ffeda0dcc79b116a8bc5e
SHA1

a2a4351cb9cd745dddf0e095875f8e9aa5bb52b8
SHA256

1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47
SHA512

95d2b9cfe504020031109b1b27cdbb83a8758f444199a0387afe04bda1160f027287035321f26b0c9b85c73d8dcd09fdbd0d327f56c174f088c4a2bacb9e18b8
SSDEEP

12288:vMrCy90oJ7bh87hSt+gkWscd377ySHsF+P+9swAT30TLmzrGmWAQlxYe93AdhDw+:hyPJ7budS4ho3vy4wAz0PEJW3xJ6phB

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4332	v7377611.exe
1200	v9026989.exe
4660	v1567656.exe
5092	v6776555.exe
1132	a6552735.exe
2332	b3548621.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7377611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9026989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1567656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6776555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4332	3040	1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe	81
PID 3040 wrote to memory of 4332	3040	1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe	81
PID 3040 wrote to memory of 4332	3040	1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe	81
PID 4332 wrote to memory of 1200	4332	v7377611.exe	82
PID 4332 wrote to memory of 1200	4332	v7377611.exe	82
PID 4332 wrote to memory of 1200	4332	v7377611.exe	82
PID 1200 wrote to memory of 4660	1200	v9026989.exe	83
PID 1200 wrote to memory of 4660	1200	v9026989.exe	83
PID 1200 wrote to memory of 4660	1200	v9026989.exe	83
PID 4660 wrote to memory of 5092	4660	v1567656.exe	84
PID 4660 wrote to memory of 5092	4660	v1567656.exe	84
PID 4660 wrote to memory of 5092	4660	v1567656.exe	84
PID 5092 wrote to memory of 1132	5092	v6776555.exe	85
PID 5092 wrote to memory of 1132	5092	v6776555.exe	85
PID 5092 wrote to memory of 1132	5092	v6776555.exe	85
PID 5092 wrote to memory of 2332	5092	v6776555.exe	86
PID 5092 wrote to memory of 2332	5092	v6776555.exe	86
PID 5092 wrote to memory of 2332	5092	v6776555.exe	86

C:\Users\Admin\AppData\Local\Temp\1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe
"C:\Users\Admin\AppData\Local\Temp\1a2d6c3994ef44ea447a41438e2a307815c68b203af2b40d71e7b46bb4598f47.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7377611.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7377611.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9026989.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9026989.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1567656.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1567656.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6776555.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6776555.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6552735.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6552735.exe
        6⤵
        Executes dropped EXE
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3548621.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3548621.exe
        6⤵
        Executes dropped EXE
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7377611.exe

Filesize
723KB

MD5
8615ad1c9500273d992906d5b9dfa3bc

SHA1
91eade953a87830b417b6f83195fee450c03f939

SHA256
e5d125cd9542aa53f0a09602c0641d49a7dec74eaf8d0ddd670fa1f26d54876b

SHA512
50ae0323bde2d8ada04bca6e59935ff357c72875179e283e1fc0b14e495315d3675c84136bdf22d6661f99925111bea916c63b9d2fbb577186cf362c0ace3a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7377611.exe

Filesize
723KB

MD5
8615ad1c9500273d992906d5b9dfa3bc

SHA1
91eade953a87830b417b6f83195fee450c03f939

SHA256
e5d125cd9542aa53f0a09602c0641d49a7dec74eaf8d0ddd670fa1f26d54876b

SHA512
50ae0323bde2d8ada04bca6e59935ff357c72875179e283e1fc0b14e495315d3675c84136bdf22d6661f99925111bea916c63b9d2fbb577186cf362c0ace3a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9026989.exe

Filesize
598KB

MD5
dc1d5ab2f4fa2a07073c0b1d541d029c

SHA1
e551ba3a8e5df189a826957b0639c6f16c5f99ed

SHA256
f5502c306e008fed79fe226407e62b0ab62e045b00258df7376558e7e7bb3136

SHA512
ebc3cbfc06343baa8a0d454f55853dd4e3e051d50101c23748fc1bd35f05108671a99c351140dc74278e5e205e8f8c3ad202b4995046a7615acffef38eb3bb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9026989.exe

Filesize
598KB

MD5
dc1d5ab2f4fa2a07073c0b1d541d029c

SHA1
e551ba3a8e5df189a826957b0639c6f16c5f99ed

SHA256
f5502c306e008fed79fe226407e62b0ab62e045b00258df7376558e7e7bb3136

SHA512
ebc3cbfc06343baa8a0d454f55853dd4e3e051d50101c23748fc1bd35f05108671a99c351140dc74278e5e205e8f8c3ad202b4995046a7615acffef38eb3bb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1567656.exe

Filesize
373KB

MD5
fa5ac9c0d3f521714a4fca910ab7f418

SHA1
3c834aff916a8784d659bf17ac69a7e123437a3c

SHA256
10d5a1d3c9337ec02538cbe1d66a9761fa4598733263d7cb0dda485faf04878a

SHA512
d42dfe80b32614b8c4bab5da87be47b765b18bc4f6f53960521aee3247651adf6404f68f90442432f562d514136c32f5d13002c686d616e3321fc8d51149112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1567656.exe

Filesize
373KB

MD5
fa5ac9c0d3f521714a4fca910ab7f418

SHA1
3c834aff916a8784d659bf17ac69a7e123437a3c

SHA256
10d5a1d3c9337ec02538cbe1d66a9761fa4598733263d7cb0dda485faf04878a

SHA512
d42dfe80b32614b8c4bab5da87be47b765b18bc4f6f53960521aee3247651adf6404f68f90442432f562d514136c32f5d13002c686d616e3321fc8d51149112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6776555.exe

Filesize
272KB

MD5
17851a6312dc228a6c992511af747f8c

SHA1
d9cef7f4c60a2336241389677c07fef889755a9d

SHA256
5e6628095d020ddf8b891a834a2ed3985238bf779930ff9090e8683111f13602

SHA512
5865370cdabd3e258ef964c67f8fbd3a35851ca2fb0a09b2a29b834b67c64a430981b7b9b70285c37da17dbfcf8a49c388681be7e272cf6a67ebef087d044687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6776555.exe

Filesize
272KB

MD5
17851a6312dc228a6c992511af747f8c

SHA1
d9cef7f4c60a2336241389677c07fef889755a9d

SHA256
5e6628095d020ddf8b891a834a2ed3985238bf779930ff9090e8683111f13602

SHA512
5865370cdabd3e258ef964c67f8fbd3a35851ca2fb0a09b2a29b834b67c64a430981b7b9b70285c37da17dbfcf8a49c388681be7e272cf6a67ebef087d044687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6552735.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6552735.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3548621.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3548621.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/2332-171-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2332-172-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/2332-173-0x0000000005780000-0x0000000005D98000-memory.dmp

Filesize
6.1MB

Download
memory/2332-174-0x0000000005270000-0x000000000537A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-175-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2332-176-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/2332-177-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/2332-178-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2332-179-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads