redline | c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d

Analysis

max time kernel
134s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe
Size

855KB
MD5

54d1542ff20b618b6430ffb4038537af
SHA1

921b9382d7a922c12fc43ba03e5760b57a8702fe
SHA256

c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d
SHA512

dbf32f48201d50e1ff2ff197ea38618ea8cf7d95b8f66bd383557fbd43ecbc4297e130e38ae220a6d7b8ba0f99b70ca30957cc927352588e63182a99d2eb4648
SSDEEP

24576:uyA2cYb/JlGFcCP4biuX4oT2uwSXxoC8WwE:94YDJoFdBWiuwSXxoC8W

Score

10^/10

redline dava infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4152	v3769981.exe
4900	v7050788.exe
1904	v7255195.exe
1896	v5475743.exe
4304	a2078789.exe
996	b7258885.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3769981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7050788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7255195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5475743.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4152	3260	c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe	69
PID 3260 wrote to memory of 4152	3260	c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe	69
PID 3260 wrote to memory of 4152	3260	c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe	69
PID 4152 wrote to memory of 4900	4152	v3769981.exe	70
PID 4152 wrote to memory of 4900	4152	v3769981.exe	70
PID 4152 wrote to memory of 4900	4152	v3769981.exe	70
PID 4900 wrote to memory of 1904	4900	v7050788.exe	71
PID 4900 wrote to memory of 1904	4900	v7050788.exe	71
PID 4900 wrote to memory of 1904	4900	v7050788.exe	71
PID 1904 wrote to memory of 1896	1904	v7255195.exe	72
PID 1904 wrote to memory of 1896	1904	v7255195.exe	72
PID 1904 wrote to memory of 1896	1904	v7255195.exe	72
PID 1896 wrote to memory of 4304	1896	v5475743.exe	73
PID 1896 wrote to memory of 4304	1896	v5475743.exe	73
PID 1896 wrote to memory of 4304	1896	v5475743.exe	73
PID 1896 wrote to memory of 996	1896	v5475743.exe	74
PID 1896 wrote to memory of 996	1896	v5475743.exe	74
PID 1896 wrote to memory of 996	1896	v5475743.exe	74

C:\Users\Admin\AppData\Local\Temp\c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe
"C:\Users\Admin\AppData\Local\Temp\c1f5b6ca6c879680ad0053ac4fecb5ab33434e083d90a049ee16e6f5caf0d86d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769981.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769981.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7050788.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7050788.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7255195.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7255195.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5475743.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5475743.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2078789.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2078789.exe
        6⤵
        Executes dropped EXE
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7258885.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7258885.exe
        6⤵
        Executes dropped EXE
        
        PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769981.exe

Filesize
724KB

MD5
b975395805648dce1ed81153402485b2

SHA1
acff3481148d871e2b92787a0ebce83495c4692a

SHA256
005b746acfc99af4ae33677729d556d032781f301d4a5b51cd9f22619b105359

SHA512
8072de0082a33823de69de27ffcfc4be42b1891bc0312437dacd923ea62ee3e91c54d307a9a451abfa35ef185ca263a0293dd528fa29866886d045ebeb715c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769981.exe

Filesize
724KB

MD5
b975395805648dce1ed81153402485b2

SHA1
acff3481148d871e2b92787a0ebce83495c4692a

SHA256
005b746acfc99af4ae33677729d556d032781f301d4a5b51cd9f22619b105359

SHA512
8072de0082a33823de69de27ffcfc4be42b1891bc0312437dacd923ea62ee3e91c54d307a9a451abfa35ef185ca263a0293dd528fa29866886d045ebeb715c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7050788.exe

Filesize
599KB

MD5
b2c59bf110791a63cc3b348c4b1dae40

SHA1
4ef832677debeef6517879f5be454090df34db53

SHA256
7b6bdee574bb04429ef172d53f93bf7d3d1223d7d619c6ca2bc8ffa8f51620fb

SHA512
4ed556eded85c94e01d79ca49bde67bcb44812cdddfd79f67983035b57161a46b5b382e8140bf00a6be17667f4a473909a5469e5ca792f801db0e65b9c0dc1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7050788.exe

Filesize
599KB

MD5
b2c59bf110791a63cc3b348c4b1dae40

SHA1
4ef832677debeef6517879f5be454090df34db53

SHA256
7b6bdee574bb04429ef172d53f93bf7d3d1223d7d619c6ca2bc8ffa8f51620fb

SHA512
4ed556eded85c94e01d79ca49bde67bcb44812cdddfd79f67983035b57161a46b5b382e8140bf00a6be17667f4a473909a5469e5ca792f801db0e65b9c0dc1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7255195.exe

Filesize
373KB

MD5
59ff07e9d492f46eb34c799c08c5c3b4

SHA1
d2904eaa56ea3a32ef099286e23d43bdb5fb1a04

SHA256
a9ca61739d0625109a9515999f9f26e62d5de885cc5efeebc4be1c05f2de04f4

SHA512
747bc098f48303d82a42dcc4ef73e481154be7837fb391feebd7b77cb3d0031fc69c1951d7fc1e019780917a6c01b9acfcfad53e472498318c33598a8263e95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7255195.exe

Filesize
373KB

MD5
59ff07e9d492f46eb34c799c08c5c3b4

SHA1
d2904eaa56ea3a32ef099286e23d43bdb5fb1a04

SHA256
a9ca61739d0625109a9515999f9f26e62d5de885cc5efeebc4be1c05f2de04f4

SHA512
747bc098f48303d82a42dcc4ef73e481154be7837fb391feebd7b77cb3d0031fc69c1951d7fc1e019780917a6c01b9acfcfad53e472498318c33598a8263e95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5475743.exe

Filesize
272KB

MD5
eb559fd211f8e6cb1d6f5d0cbb78de25

SHA1
f656c207e0fcce4d35f8de6fd5b5fa4e93869b1c

SHA256
565491d9f25fa8717f84dcc5fd1f07e4c2d7d4a8db47915bf7c55235c71f39b9

SHA512
4ba9b2d5ca696194a4a0d338181dd1d50881ba9803ed3d4b2cfa5cdaf09388d237bcf4dc6635758b5bdf9a8f13fee5b97594ebf6b4383e12d459992b731778a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5475743.exe

Filesize
272KB

MD5
eb559fd211f8e6cb1d6f5d0cbb78de25

SHA1
f656c207e0fcce4d35f8de6fd5b5fa4e93869b1c

SHA256
565491d9f25fa8717f84dcc5fd1f07e4c2d7d4a8db47915bf7c55235c71f39b9

SHA512
4ba9b2d5ca696194a4a0d338181dd1d50881ba9803ed3d4b2cfa5cdaf09388d237bcf4dc6635758b5bdf9a8f13fee5b97594ebf6b4383e12d459992b731778a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2078789.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2078789.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7258885.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7258885.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/996-158-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/996-159-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/996-160-0x0000000002620000-0x0000000002626000-memory.dmp

Filesize
24KB

Download
memory/996-161-0x000000000A880000-0x000000000AE86000-memory.dmp

Filesize
6.0MB

Download
memory/996-162-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/996-163-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/996-164-0x000000000A380000-0x000000000A3BE000-memory.dmp

Filesize
248KB

Download
memory/996-165-0x000000000A500000-0x000000000A54B000-memory.dmp

Filesize
300KB

Download
memory/996-166-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads