redline | 8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe
Size

855KB
MD5

d474004eec57ce3d6d3a37fb002d94c6
SHA1

536bba9eb81017bc4d3597b50e1ada1da9bcae84
SHA256

8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8
SHA512

f4858c479593f21cb3d662af0ffe9d0bcf55aa04fa3ea8d32972b9bed36d18ef8b86afb2d41642e1211d72798e355afb8b64f64a0214f69461ed00becf3e1818
SSDEEP

24576:qyQmE8cuNkDFnJwIRH/D1NDcDNoSMLWwV+H72:xQxbEk57RPDuoSML1V+b

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
100	v1239187.exe
1892	v3920658.exe
1312	v7197696.exe
1520	v1923241.exe
4660	a5215458.exe
1268	b6626764.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1239187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3920658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7197696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1923241.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 100	2392	8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe	82
PID 2392 wrote to memory of 100	2392	8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe	82
PID 2392 wrote to memory of 100	2392	8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe	82
PID 100 wrote to memory of 1892	100	v1239187.exe	83
PID 100 wrote to memory of 1892	100	v1239187.exe	83
PID 100 wrote to memory of 1892	100	v1239187.exe	83
PID 1892 wrote to memory of 1312	1892	v3920658.exe	84
PID 1892 wrote to memory of 1312	1892	v3920658.exe	84
PID 1892 wrote to memory of 1312	1892	v3920658.exe	84
PID 1312 wrote to memory of 1520	1312	v7197696.exe	85
PID 1312 wrote to memory of 1520	1312	v7197696.exe	85
PID 1312 wrote to memory of 1520	1312	v7197696.exe	85
PID 1520 wrote to memory of 4660	1520	v1923241.exe	86
PID 1520 wrote to memory of 4660	1520	v1923241.exe	86
PID 1520 wrote to memory of 4660	1520	v1923241.exe	86
PID 1520 wrote to memory of 1268	1520	v1923241.exe	87
PID 1520 wrote to memory of 1268	1520	v1923241.exe	87
PID 1520 wrote to memory of 1268	1520	v1923241.exe	87

C:\Users\Admin\AppData\Local\Temp\8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe
"C:\Users\Admin\AppData\Local\Temp\8413323f53f791ed497866faa00fbe394b8d2e8f5a192ae73476a0443e9ec9c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1239187.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1239187.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3920658.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3920658.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7197696.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7197696.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1923241.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1923241.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5215458.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5215458.exe
        6⤵
        Executes dropped EXE
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6626764.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6626764.exe
        6⤵
        Executes dropped EXE
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1239187.exe

Filesize
723KB

MD5
34fdf9e8e183201415abf26ddc977617

SHA1
0f6267c19119cbca5eb0b99e8125d565b8731689

SHA256
4156acb19b1774c09b72708ba6146167485eab78a26cb7beb339bd6a510d29c9

SHA512
ab43c65c39f704bd37a286e687e4a1f8d47d8b00deae03e8cada49208c7892db585dee23872d1f7c9ace2c4ba5ebbaeee7145f058fd62523111948c68d8844a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1239187.exe

Filesize
723KB

MD5
34fdf9e8e183201415abf26ddc977617

SHA1
0f6267c19119cbca5eb0b99e8125d565b8731689

SHA256
4156acb19b1774c09b72708ba6146167485eab78a26cb7beb339bd6a510d29c9

SHA512
ab43c65c39f704bd37a286e687e4a1f8d47d8b00deae03e8cada49208c7892db585dee23872d1f7c9ace2c4ba5ebbaeee7145f058fd62523111948c68d8844a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3920658.exe

Filesize
599KB

MD5
4cf4d287c9ae68fce06706a1289233b0

SHA1
83a4321a9624eba0fae04b28684fdc7a3c41c2df

SHA256
8660f0e4b96e0ac73921abd51092464290b5bee20692e3589d30e08046625765

SHA512
24860d5fe41a8169e37796f72671eab90b94f698e1d8ecb9c2d5f3d627e767f7763e1deee15fbccba2e88761ddd46af340313a10005a11cfc7a0e87a25361330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3920658.exe

Filesize
599KB

MD5
4cf4d287c9ae68fce06706a1289233b0

SHA1
83a4321a9624eba0fae04b28684fdc7a3c41c2df

SHA256
8660f0e4b96e0ac73921abd51092464290b5bee20692e3589d30e08046625765

SHA512
24860d5fe41a8169e37796f72671eab90b94f698e1d8ecb9c2d5f3d627e767f7763e1deee15fbccba2e88761ddd46af340313a10005a11cfc7a0e87a25361330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7197696.exe

Filesize
373KB

MD5
a8ac8f13c43e2141bce1c3764d35475f

SHA1
8796091bd04d22dbe8c89e60266639b97d3e4bea

SHA256
025671d7b32c6d1d4d0bf0f69799c182b3c35eaf4288411392850224ecacc5da

SHA512
bf3cf61068834c5cfd527fecb3388abf70503dda2788cb015b3c3d4f5d04e8a30c46c9b132552a51bbc1f8f0b5175a10e02ea30e273ba19c2812c95951929a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7197696.exe

Filesize
373KB

MD5
a8ac8f13c43e2141bce1c3764d35475f

SHA1
8796091bd04d22dbe8c89e60266639b97d3e4bea

SHA256
025671d7b32c6d1d4d0bf0f69799c182b3c35eaf4288411392850224ecacc5da

SHA512
bf3cf61068834c5cfd527fecb3388abf70503dda2788cb015b3c3d4f5d04e8a30c46c9b132552a51bbc1f8f0b5175a10e02ea30e273ba19c2812c95951929a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1923241.exe

Filesize
272KB

MD5
7fc90018c1a2b7d59ad508b0bb970296

SHA1
d620d2e96681833b492fcf3e47ee88fccfd936bb

SHA256
bb04b521667ffca4098efdf12b217b100945ff16328f5af4ce25e43fc2792d3b

SHA512
636dcccf10ebea46fbcec70e14f653ac6d28092edfb3c6e0a7476da35d780b4b90f31a1e1b1aa8d3a026fedd51b28e3c669976f75530f5edc71a258140137ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1923241.exe

Filesize
272KB

MD5
7fc90018c1a2b7d59ad508b0bb970296

SHA1
d620d2e96681833b492fcf3e47ee88fccfd936bb

SHA256
bb04b521667ffca4098efdf12b217b100945ff16328f5af4ce25e43fc2792d3b

SHA512
636dcccf10ebea46fbcec70e14f653ac6d28092edfb3c6e0a7476da35d780b4b90f31a1e1b1aa8d3a026fedd51b28e3c669976f75530f5edc71a258140137ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5215458.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5215458.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6626764.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6626764.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/1268-171-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/1268-172-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-173-0x000000000AD20000-0x000000000B338000-memory.dmp

Filesize
6.1MB

Download
memory/1268-174-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/1268-175-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1268-176-0x000000000A770000-0x000000000A782000-memory.dmp

Filesize
72KB

Download
memory/1268-177-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/1268-178-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-179-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads