redline | 0dfc65d1747e97aa8f387bac127f1839359352cefc169e008f58de2ff06dc49b

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

855KB
MD5

2b0d27f3a0c2cc1cf6575e27e8ceea06
SHA1

5a10e0523966fa052bce121f6914e419f1a93070
SHA256

0dfc65d1747e97aa8f387bac127f1839359352cefc169e008f58de2ff06dc49b
SHA512

f3907fb38af2d56b43f9935adfa8a104cad8f1f2da120a5e5ad8776da90c546b3adfe9cf6a5e024b8d4051d46f620e0b78c000f4370cd72f810ab25a9dbd70d4
SSDEEP

12288:sMr0y90cNXWmqLZ/89QQD5PmB7FKnxxeUiTL8OYkK+AuJVuL6dHTbE:oyLne89QSWRKxEzL81XEsL6dHTg

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3004	v4822258.exe
2036	v2282966.exe
2976	v6201141.exe
3016	v3183309.exe
2096	a2859071.exe
2700	b0303637.exe

Loads dropped DLL 12 IoCs

pid	Process
2024	file.exe
3004	v4822258.exe
3004	v4822258.exe
2036	v2282966.exe
2036	v2282966.exe
2976	v6201141.exe
2976	v6201141.exe
3016	v3183309.exe
3016	v3183309.exe
2096	a2859071.exe
3016	v3183309.exe
2700	b0303637.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3183309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4822258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2282966.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6201141.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 2024 wrote to memory of 3004	2024	file.exe	28
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 3004 wrote to memory of 2036	3004	v4822258.exe	29
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2036 wrote to memory of 2976	2036	v2282966.exe	30
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 2976 wrote to memory of 3016	2976	v6201141.exe	31
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2096	3016	v3183309.exe	32
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33
PID 3016 wrote to memory of 2700	3016	v3183309.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe

Filesize
724KB

MD5
70e1d483d352dead98a9d35ab92f406c

SHA1
175407cf3b28df50027d4649a76ff19047a710d9

SHA256
ddf2b4acef0329dd0f5059d02b78edd736f0b2142355156573a180089abb253b

SHA512
cfe9360a1bc42251f8520901e0fadcb2757f9838fc4dc49272be43e8e515e5fee2a042f8b486b6b359fa6828aeb8d54974afe2a71d3e93258bd7c15058c259af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe

Filesize
724KB

MD5
70e1d483d352dead98a9d35ab92f406c

SHA1
175407cf3b28df50027d4649a76ff19047a710d9

SHA256
ddf2b4acef0329dd0f5059d02b78edd736f0b2142355156573a180089abb253b

SHA512
cfe9360a1bc42251f8520901e0fadcb2757f9838fc4dc49272be43e8e515e5fee2a042f8b486b6b359fa6828aeb8d54974afe2a71d3e93258bd7c15058c259af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe

Filesize
599KB

MD5
e4d5fc261081b7a899bfa6546786a18d

SHA1
4d027a166e892d74df8c9233f2e78d4f12c0e9b6

SHA256
aed6196b9c4606d84223e8b5f2b7cf1f7ccf4b05e3cbcd38c1fd326746345a67

SHA512
e1f31d64f14a0b4e90dccaef244ec7916808a4ee7903c12226a913858324e0141870d3e4684d3077117b8063986fe4162f41a52b128b6ad678423918d816f0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe

Filesize
599KB

MD5
e4d5fc261081b7a899bfa6546786a18d

SHA1
4d027a166e892d74df8c9233f2e78d4f12c0e9b6

SHA256
aed6196b9c4606d84223e8b5f2b7cf1f7ccf4b05e3cbcd38c1fd326746345a67

SHA512
e1f31d64f14a0b4e90dccaef244ec7916808a4ee7903c12226a913858324e0141870d3e4684d3077117b8063986fe4162f41a52b128b6ad678423918d816f0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe

Filesize
373KB

MD5
65970cc6a973b057f5b546759d99c39a

SHA1
cf1b9083b043d63b89ccbf9931ddf7a8b31546de

SHA256
4f6480d02192ed90de65312835eddaa4727c1a41ec7e8b417ad4f87097d47adc

SHA512
65dda03e0cb6b5d7f1e7278b887655425d60cfb667572efdcb6ff427ad3ad9f44b3dad47034ad7e87e330d8a931db93413ee7517a6f37959d56dae19b35c0a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe

Filesize
373KB

MD5
65970cc6a973b057f5b546759d99c39a

SHA1
cf1b9083b043d63b89ccbf9931ddf7a8b31546de

SHA256
4f6480d02192ed90de65312835eddaa4727c1a41ec7e8b417ad4f87097d47adc

SHA512
65dda03e0cb6b5d7f1e7278b887655425d60cfb667572efdcb6ff427ad3ad9f44b3dad47034ad7e87e330d8a931db93413ee7517a6f37959d56dae19b35c0a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe

Filesize
272KB

MD5
9dc9c353e6140731748c7aff30c4392d

SHA1
562dd3076d0b1f9f9cf7babd4711697ca868281b

SHA256
4653dc889bea457c5ee85750bbc63f3dd4f7f979fce013bc226a02ad06bd33e4

SHA512
5076750d5ecc0f09d50a5733e0cd7b52377dd7048036a1214d73b5a011ee85535d866bee93e658861bbb68904f0d0042c8aafa8b60862db15757f479d87324f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe

Filesize
272KB

MD5
9dc9c353e6140731748c7aff30c4392d

SHA1
562dd3076d0b1f9f9cf7babd4711697ca868281b

SHA256
4653dc889bea457c5ee85750bbc63f3dd4f7f979fce013bc226a02ad06bd33e4

SHA512
5076750d5ecc0f09d50a5733e0cd7b52377dd7048036a1214d73b5a011ee85535d866bee93e658861bbb68904f0d0042c8aafa8b60862db15757f479d87324f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe

Filesize
724KB

MD5
70e1d483d352dead98a9d35ab92f406c

SHA1
175407cf3b28df50027d4649a76ff19047a710d9

SHA256
ddf2b4acef0329dd0f5059d02b78edd736f0b2142355156573a180089abb253b

SHA512
cfe9360a1bc42251f8520901e0fadcb2757f9838fc4dc49272be43e8e515e5fee2a042f8b486b6b359fa6828aeb8d54974afe2a71d3e93258bd7c15058c259af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4822258.exe

Filesize
724KB

MD5
70e1d483d352dead98a9d35ab92f406c

SHA1
175407cf3b28df50027d4649a76ff19047a710d9

SHA256
ddf2b4acef0329dd0f5059d02b78edd736f0b2142355156573a180089abb253b

SHA512
cfe9360a1bc42251f8520901e0fadcb2757f9838fc4dc49272be43e8e515e5fee2a042f8b486b6b359fa6828aeb8d54974afe2a71d3e93258bd7c15058c259af

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe

Filesize
599KB

MD5
e4d5fc261081b7a899bfa6546786a18d

SHA1
4d027a166e892d74df8c9233f2e78d4f12c0e9b6

SHA256
aed6196b9c4606d84223e8b5f2b7cf1f7ccf4b05e3cbcd38c1fd326746345a67

SHA512
e1f31d64f14a0b4e90dccaef244ec7916808a4ee7903c12226a913858324e0141870d3e4684d3077117b8063986fe4162f41a52b128b6ad678423918d816f0b7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2282966.exe

Filesize
599KB

MD5
e4d5fc261081b7a899bfa6546786a18d

SHA1
4d027a166e892d74df8c9233f2e78d4f12c0e9b6

SHA256
aed6196b9c4606d84223e8b5f2b7cf1f7ccf4b05e3cbcd38c1fd326746345a67

SHA512
e1f31d64f14a0b4e90dccaef244ec7916808a4ee7903c12226a913858324e0141870d3e4684d3077117b8063986fe4162f41a52b128b6ad678423918d816f0b7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe

Filesize
373KB

MD5
65970cc6a973b057f5b546759d99c39a

SHA1
cf1b9083b043d63b89ccbf9931ddf7a8b31546de

SHA256
4f6480d02192ed90de65312835eddaa4727c1a41ec7e8b417ad4f87097d47adc

SHA512
65dda03e0cb6b5d7f1e7278b887655425d60cfb667572efdcb6ff427ad3ad9f44b3dad47034ad7e87e330d8a931db93413ee7517a6f37959d56dae19b35c0a1e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6201141.exe

Filesize
373KB

MD5
65970cc6a973b057f5b546759d99c39a

SHA1
cf1b9083b043d63b89ccbf9931ddf7a8b31546de

SHA256
4f6480d02192ed90de65312835eddaa4727c1a41ec7e8b417ad4f87097d47adc

SHA512
65dda03e0cb6b5d7f1e7278b887655425d60cfb667572efdcb6ff427ad3ad9f44b3dad47034ad7e87e330d8a931db93413ee7517a6f37959d56dae19b35c0a1e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe

Filesize
272KB

MD5
9dc9c353e6140731748c7aff30c4392d

SHA1
562dd3076d0b1f9f9cf7babd4711697ca868281b

SHA256
4653dc889bea457c5ee85750bbc63f3dd4f7f979fce013bc226a02ad06bd33e4

SHA512
5076750d5ecc0f09d50a5733e0cd7b52377dd7048036a1214d73b5a011ee85535d866bee93e658861bbb68904f0d0042c8aafa8b60862db15757f479d87324f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3183309.exe

Filesize
272KB

MD5
9dc9c353e6140731748c7aff30c4392d

SHA1
562dd3076d0b1f9f9cf7babd4711697ca868281b

SHA256
4653dc889bea457c5ee85750bbc63f3dd4f7f979fce013bc226a02ad06bd33e4

SHA512
5076750d5ecc0f09d50a5733e0cd7b52377dd7048036a1214d73b5a011ee85535d866bee93e658861bbb68904f0d0042c8aafa8b60862db15757f479d87324f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2859071.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0303637.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/2700-109-0x0000000000C10000-0x0000000000C40000-memory.dmp

Filesize
192KB

Download
memory/2700-110-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads