redline | e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
Size

854KB
MD5

6ffea49edea043c637932164084e37e4
SHA1

677a2490612180148eb42899d1fc0e085c560e26
SHA256

e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3
SHA512

b700446a8d8cff8af7987e0cca5ea6ceda41fd775cee1b8ef79976d11dabab4d245134efef3cb484a6b2917a7e448a40aad5b6d2cdd6798e4fd011ec4a0bf7b7
SSDEEP

12288:sMrRy90Vs0gAekBAl1XQx3xDHVYAOk+aVBlc7aQ5oYGT51dT6ztOtxrQGPI:lynLkw6x5VYBKc7a4Y5196gx9w

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4756	v6972760.exe
1664	v8664317.exe
1904	v6297385.exe
2816	v5775710.exe
3796	a4489135.exe
2624	b2995690.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6972760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8664317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6297385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5775710.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4756	3940	e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe	82
PID 3940 wrote to memory of 4756	3940	e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe	82
PID 3940 wrote to memory of 4756	3940	e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe	82
PID 4756 wrote to memory of 1664	4756	v6972760.exe	83
PID 4756 wrote to memory of 1664	4756	v6972760.exe	83
PID 4756 wrote to memory of 1664	4756	v6972760.exe	83
PID 1664 wrote to memory of 1904	1664	v8664317.exe	84
PID 1664 wrote to memory of 1904	1664	v8664317.exe	84
PID 1664 wrote to memory of 1904	1664	v8664317.exe	84
PID 1904 wrote to memory of 2816	1904	v6297385.exe	85
PID 1904 wrote to memory of 2816	1904	v6297385.exe	85
PID 1904 wrote to memory of 2816	1904	v6297385.exe	85
PID 2816 wrote to memory of 3796	2816	v5775710.exe	86
PID 2816 wrote to memory of 3796	2816	v5775710.exe	86
PID 2816 wrote to memory of 3796	2816	v5775710.exe	86
PID 2816 wrote to memory of 2624	2816	v5775710.exe	87
PID 2816 wrote to memory of 2624	2816	v5775710.exe	87
PID 2816 wrote to memory of 2624	2816	v5775710.exe	87

C:\Users\Admin\AppData\Local\Temp\e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe
"C:\Users\Admin\AppData\Local\Temp\e4602c2b7472f13bced73d5598782be6c8605240ecc53213c24ee32cf544c7a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe
        6⤵
        Executes dropped EXE
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe
        6⤵
        Executes dropped EXE
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe

Filesize
723KB

MD5
5b8d9af4156e76f2c1b1bb25bf6734fb

SHA1
0565ac59586eedc27fe5f5484bbfa06fb4f0033e

SHA256
760a43c7842aa230fdfd7852bbd23c9748df493a3120b50b14cdc90e60992d11

SHA512
1d7db9e99ab922b133c1245185775fd8ae3031e5c99074df7bb1eaf0e7d0535af558b93537085e8951d6e5976d305db2853b41daa2143125ac17f12cd5079954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6972760.exe

Filesize
723KB

MD5
5b8d9af4156e76f2c1b1bb25bf6734fb

SHA1
0565ac59586eedc27fe5f5484bbfa06fb4f0033e

SHA256
760a43c7842aa230fdfd7852bbd23c9748df493a3120b50b14cdc90e60992d11

SHA512
1d7db9e99ab922b133c1245185775fd8ae3031e5c99074df7bb1eaf0e7d0535af558b93537085e8951d6e5976d305db2853b41daa2143125ac17f12cd5079954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe

Filesize
598KB

MD5
c454146b322d4d505d763c3e031e3a43

SHA1
a7de177dcad29753a1f7dd4250d48f77063a19c3

SHA256
5f9328048cb6d9af57dbf5655c0cb915d276c0c69b15f02d41936cb8f63e3a4b

SHA512
7171856b4d3cbce9521b30ff3b73155c8d172e651665940ea1875a449f1201ed20bba11f1bd0a605a2c156c564df508355587fb507845f922fad749ba127421f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8664317.exe

Filesize
598KB

MD5
c454146b322d4d505d763c3e031e3a43

SHA1
a7de177dcad29753a1f7dd4250d48f77063a19c3

SHA256
5f9328048cb6d9af57dbf5655c0cb915d276c0c69b15f02d41936cb8f63e3a4b

SHA512
7171856b4d3cbce9521b30ff3b73155c8d172e651665940ea1875a449f1201ed20bba11f1bd0a605a2c156c564df508355587fb507845f922fad749ba127421f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe

Filesize
373KB

MD5
956c8604037603c8ca2e9193b8784a4b

SHA1
febc75fd182b0a67216becb60d16c372a12ea4d7

SHA256
33d2bab243d1c7f63f3a40d53b71f59fcf64a91a0a1116a2e5f771e06cc905d5

SHA512
d352e57c0942e3c149f6ae0779cfc326bdf2ad5e309d168384a559b4afde80695d7debd3c008470e5c9e138cf910e8b5c1cab710bd32b1eb9b2752dedfb3e032

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6297385.exe

Filesize
373KB

MD5
956c8604037603c8ca2e9193b8784a4b

SHA1
febc75fd182b0a67216becb60d16c372a12ea4d7

SHA256
33d2bab243d1c7f63f3a40d53b71f59fcf64a91a0a1116a2e5f771e06cc905d5

SHA512
d352e57c0942e3c149f6ae0779cfc326bdf2ad5e309d168384a559b4afde80695d7debd3c008470e5c9e138cf910e8b5c1cab710bd32b1eb9b2752dedfb3e032

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe

Filesize
272KB

MD5
ca9a956070f139eb03828d1518324cb2

SHA1
85940c9e79bc6ccbec6431b20efe8660d5697720

SHA256
75f0e4ef4c421130c8752d9cd46abfbf3053c99122e146482da71615298385d1

SHA512
3e8543ffb3538d58e935367753bb5f5811bd85974a5b41476f1a15a44ba57b09e4ed118a925bff59b7e27dd675718ce60899ed7a428bee72f17f3cdb7ef42cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5775710.exe

Filesize
272KB

MD5
ca9a956070f139eb03828d1518324cb2

SHA1
85940c9e79bc6ccbec6431b20efe8660d5697720

SHA256
75f0e4ef4c421130c8752d9cd46abfbf3053c99122e146482da71615298385d1

SHA512
3e8543ffb3538d58e935367753bb5f5811bd85974a5b41476f1a15a44ba57b09e4ed118a925bff59b7e27dd675718ce60899ed7a428bee72f17f3cdb7ef42cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4489135.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2995690.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/2624-173-0x0000000073FF0000-0x00000000747A0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-172-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/2624-174-0x000000000B1D0000-0x000000000B7E8000-memory.dmp

Filesize
6.1MB

Download
memory/2624-175-0x000000000AD10000-0x000000000AE1A000-memory.dmp

Filesize
1.0MB

Download
memory/2624-176-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2624-177-0x000000000AC50000-0x000000000AC62000-memory.dmp

Filesize
72KB

Download
memory/2624-178-0x000000000ACB0000-0x000000000ACEC000-memory.dmp

Filesize
240KB

Download
memory/2624-179-0x0000000073FF0000-0x00000000747A0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-180-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads