redline | 19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe
Size

854KB
MD5

82744a748e483776edd4787336182bca
SHA1

f1ca054af178d7426ec399e040a384c83b2e713a
SHA256

19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00
SHA512

88fc3a824cc74f3bfda2122c9133bda3923a6fb465eb76ba685a47907615dfee37dabf6904cd371c5b981421a7570da7cc7d5f86d0c9312df1b6a8bfb58a889f
SSDEEP

12288:9MrQy90KYQU3dgUAVE7moJ1IMwekToiDnnxG/k9Su/Nqd+kyDmkt7iq:ZyR1U3O5uNLIMw2iDxMc/Ahs9

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4552	v8955911.exe
1248	v4737197.exe
1384	v6956050.exe
488	v2856113.exe
2548	a9488654.exe
3836	b9306264.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8955911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4737197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6956050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2856113.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4552	3812	19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe	80
PID 3812 wrote to memory of 4552	3812	19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe	80
PID 3812 wrote to memory of 4552	3812	19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe	80
PID 4552 wrote to memory of 1248	4552	v8955911.exe	81
PID 4552 wrote to memory of 1248	4552	v8955911.exe	81
PID 4552 wrote to memory of 1248	4552	v8955911.exe	81
PID 1248 wrote to memory of 1384	1248	v4737197.exe	82
PID 1248 wrote to memory of 1384	1248	v4737197.exe	82
PID 1248 wrote to memory of 1384	1248	v4737197.exe	82
PID 1384 wrote to memory of 488	1384	v6956050.exe	83
PID 1384 wrote to memory of 488	1384	v6956050.exe	83
PID 1384 wrote to memory of 488	1384	v6956050.exe	83
PID 488 wrote to memory of 2548	488	v2856113.exe	84
PID 488 wrote to memory of 2548	488	v2856113.exe	84
PID 488 wrote to memory of 2548	488	v2856113.exe	84
PID 488 wrote to memory of 3836	488	v2856113.exe	85
PID 488 wrote to memory of 3836	488	v2856113.exe	85
PID 488 wrote to memory of 3836	488	v2856113.exe	85

C:\Users\Admin\AppData\Local\Temp\19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe
"C:\Users\Admin\AppData\Local\Temp\19eba0d44e1fa574d3772d7e3ea3a5fffd4544f8dc9012af87531b6a2302eb00.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8955911.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8955911.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4737197.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4737197.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6956050.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6956050.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2856113.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2856113.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:488
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9488654.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9488654.exe
        6⤵
        Executes dropped EXE
        
        PID:2548
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9306264.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9306264.exe
        6⤵
        Executes dropped EXE
        
        PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8955911.exe

Filesize
723KB

MD5
f941b511cc10488389d8b00eae5c03fd

SHA1
c4d2ab3bdd681a6ac836f6194a3e37b40f75a9af

SHA256
75ae8797793213833b72dbea7b5813ef36ac084211a7a22a0e61bb8a2028f31b

SHA512
e3441d83d8dd2dc434d7847edae034e7b1dc3f4c343522312ef01a01fde9e27cd57e459f664b52f5f5a55490a4ce6c4a81cb33b784b94fda85f276ab581edeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8955911.exe

Filesize
723KB

MD5
f941b511cc10488389d8b00eae5c03fd

SHA1
c4d2ab3bdd681a6ac836f6194a3e37b40f75a9af

SHA256
75ae8797793213833b72dbea7b5813ef36ac084211a7a22a0e61bb8a2028f31b

SHA512
e3441d83d8dd2dc434d7847edae034e7b1dc3f4c343522312ef01a01fde9e27cd57e459f664b52f5f5a55490a4ce6c4a81cb33b784b94fda85f276ab581edeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4737197.exe

Filesize
599KB

MD5
9cf27d45e02e440bc8d6a883dd2df8fc

SHA1
455645fd2cb935250b3568004bac6afffa95afc4

SHA256
929585d6021c337da1871d6917a952d5d7657d2e2bf7ca967df26c5640c20985

SHA512
938cc552cb6c3137b66063948f7a0a7f41f7eb981ab5ed107ee076aff2ab36498a9e899864a8d8484cd1abe4ac5a1bbd7eb877a150343b78becb12cb2a6c7ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4737197.exe

Filesize
599KB

MD5
9cf27d45e02e440bc8d6a883dd2df8fc

SHA1
455645fd2cb935250b3568004bac6afffa95afc4

SHA256
929585d6021c337da1871d6917a952d5d7657d2e2bf7ca967df26c5640c20985

SHA512
938cc552cb6c3137b66063948f7a0a7f41f7eb981ab5ed107ee076aff2ab36498a9e899864a8d8484cd1abe4ac5a1bbd7eb877a150343b78becb12cb2a6c7ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6956050.exe

Filesize
373KB

MD5
f71b0abd4f616c8b7f3c56fb2d93c489

SHA1
19788a57adf6fffbb71172e5e59375e095e89428

SHA256
31a4a93a33588e3cc4d2059c50badb24b933fdbe223204b3ec7aaf58138fd5b2

SHA512
92a999441bd912d4c72c8a468d5239db234b82b541b8c4416fa3630b96b240e61ecbb946580a35e07cfc18e7e1750bd8b90e8add1764274a9a42ec48d46ed2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6956050.exe

Filesize
373KB

MD5
f71b0abd4f616c8b7f3c56fb2d93c489

SHA1
19788a57adf6fffbb71172e5e59375e095e89428

SHA256
31a4a93a33588e3cc4d2059c50badb24b933fdbe223204b3ec7aaf58138fd5b2

SHA512
92a999441bd912d4c72c8a468d5239db234b82b541b8c4416fa3630b96b240e61ecbb946580a35e07cfc18e7e1750bd8b90e8add1764274a9a42ec48d46ed2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2856113.exe

Filesize
272KB

MD5
119e247646697ad8bb6e7f39d1f1a374

SHA1
7b445b3e700dbc1af85f0ffae495e6ed4b06d130

SHA256
90533d012899fff7ef7a300cf4114d1e63aabc52415404298926625cbad5358e

SHA512
cf0b386a0ba5313183d215f188c3456520033a4e5cf624fa7c7d2fa7f7684e28eb03bdadb080fc504e8349f29d1727adc79f968efe5731054b7a3fc228032a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2856113.exe

Filesize
272KB

MD5
119e247646697ad8bb6e7f39d1f1a374

SHA1
7b445b3e700dbc1af85f0ffae495e6ed4b06d130

SHA256
90533d012899fff7ef7a300cf4114d1e63aabc52415404298926625cbad5358e

SHA512
cf0b386a0ba5313183d215f188c3456520033a4e5cf624fa7c7d2fa7f7684e28eb03bdadb080fc504e8349f29d1727adc79f968efe5731054b7a3fc228032a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9488654.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9488654.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9306264.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9306264.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/3836-171-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-172-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3836-173-0x000000000A500000-0x000000000AB18000-memory.dmp

Filesize
6.1MB

Download
memory/3836-174-0x000000000A030000-0x000000000A13A000-memory.dmp

Filesize
1.0MB

Download
memory/3836-175-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/3836-176-0x0000000009F70000-0x0000000009F82000-memory.dmp

Filesize
72KB

Download
memory/3836-177-0x0000000009FD0000-0x000000000A00C000-memory.dmp

Filesize
240KB

Download
memory/3836-178-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-179-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads