redline | 4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e

Analysis

max time kernel
135s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2023, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe
Size

854KB
MD5

1ce1213b026afe34d8425eb7d58c7a01
SHA1

8ae72d698ac8021d87f443cb86d6973fc5d2cb19
SHA256

4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e
SHA512

657c61ef3c1eab46a0604e1f5c6f1302b15a990b6008fe35716f4fa52b9690cc7e3b451baeb5bb98189b5974923300753dfc6e36f95f79cb1a9b2cde1d8c2c97
SSDEEP

24576:dys+0BN6EdW13H2nhhZp2XVPqOFDNbXeMAclX8:4J09U3HghZp2XZDNbEI

Score

10^/10

redline maga infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

maga

77.91.124.54:19071

Attributes

auth_value
9dd7a0be219be9b6228dc9b4e112b812

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4180	v2160525.exe
656	v7824430.exe
4512	v8299040.exe
4628	v2377483.exe
3076	a1489646.exe
2100	b9359452.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2160525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7824430.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8299040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2377483.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4180	832	4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe	70
PID 832 wrote to memory of 4180	832	4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe	70
PID 832 wrote to memory of 4180	832	4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe	70
PID 4180 wrote to memory of 656	4180	v2160525.exe	71
PID 4180 wrote to memory of 656	4180	v2160525.exe	71
PID 4180 wrote to memory of 656	4180	v2160525.exe	71
PID 656 wrote to memory of 4512	656	v7824430.exe	72
PID 656 wrote to memory of 4512	656	v7824430.exe	72
PID 656 wrote to memory of 4512	656	v7824430.exe	72
PID 4512 wrote to memory of 4628	4512	v8299040.exe	73
PID 4512 wrote to memory of 4628	4512	v8299040.exe	73
PID 4512 wrote to memory of 4628	4512	v8299040.exe	73
PID 4628 wrote to memory of 3076	4628	v2377483.exe	74
PID 4628 wrote to memory of 3076	4628	v2377483.exe	74
PID 4628 wrote to memory of 3076	4628	v2377483.exe	74
PID 4628 wrote to memory of 2100	4628	v2377483.exe	75
PID 4628 wrote to memory of 2100	4628	v2377483.exe	75
PID 4628 wrote to memory of 2100	4628	v2377483.exe	75

C:\Users\Admin\AppData\Local\Temp\4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe
"C:\Users\Admin\AppData\Local\Temp\4ebf32693e1e4f85ae90bbabd71873eea617c1b55c4eb4040b6af68d25a64a5e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160525.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160525.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7824430.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7824430.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8299040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8299040.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2377483.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2377483.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1489646.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1489646.exe
        6⤵
        Executes dropped EXE
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9359452.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9359452.exe
        6⤵
        Executes dropped EXE
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160525.exe

Filesize
723KB

MD5
0adafe48751a11ec7cdf15a14c84d151

SHA1
ad9c1286c7938de5f35caac1bb92aea327785e45

SHA256
ec2d3a5665c5fcaf64c3bd7171296d3e58f2c8ff58960bcc770ebe98501ce3d7

SHA512
fbe3362fe91bede04db7d34897a048650f4c5508484e4501370b5d1c7951ca508af1369446d55b783a6e3d04b25966dc873838bdf5934693693c4e2968f11954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2160525.exe

Filesize
723KB

MD5
0adafe48751a11ec7cdf15a14c84d151

SHA1
ad9c1286c7938de5f35caac1bb92aea327785e45

SHA256
ec2d3a5665c5fcaf64c3bd7171296d3e58f2c8ff58960bcc770ebe98501ce3d7

SHA512
fbe3362fe91bede04db7d34897a048650f4c5508484e4501370b5d1c7951ca508af1369446d55b783a6e3d04b25966dc873838bdf5934693693c4e2968f11954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7824430.exe

Filesize
598KB

MD5
9714b668cce5935fa6f62e086cbc9384

SHA1
db6729bc4a04d93f7fa204553afded539672d25f

SHA256
e67c4841d26a0094d4a40752f00727da432482910292a2bb43cea0851b60f81f

SHA512
8e9567736a435e3fbec85c44268e999dd7c26247ab3f87f3ebda0a18a83bd27145d606aefc8ccd1317687d6fca20219a6d4776629c69e64ebf1fe825b5899edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7824430.exe

Filesize
598KB

MD5
9714b668cce5935fa6f62e086cbc9384

SHA1
db6729bc4a04d93f7fa204553afded539672d25f

SHA256
e67c4841d26a0094d4a40752f00727da432482910292a2bb43cea0851b60f81f

SHA512
8e9567736a435e3fbec85c44268e999dd7c26247ab3f87f3ebda0a18a83bd27145d606aefc8ccd1317687d6fca20219a6d4776629c69e64ebf1fe825b5899edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8299040.exe

Filesize
372KB

MD5
140ceb74ded12d775d2420d160981339

SHA1
0d18f8306b9d03a171f600f90e2657e2822b0b63

SHA256
2e9638286b86ece668017d8b998d34f0ff2c9f555c802b6f56b9bf8e2cb65b54

SHA512
f2accd194e81a31da7f01d98c7631fde717f1565181f2fa9c7e88ac49f3dcfd2dd7e5bae6e3ba0236395d2ea91e527ee635fd6d23cf8488587a849d150bff440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8299040.exe

Filesize
372KB

MD5
140ceb74ded12d775d2420d160981339

SHA1
0d18f8306b9d03a171f600f90e2657e2822b0b63

SHA256
2e9638286b86ece668017d8b998d34f0ff2c9f555c802b6f56b9bf8e2cb65b54

SHA512
f2accd194e81a31da7f01d98c7631fde717f1565181f2fa9c7e88ac49f3dcfd2dd7e5bae6e3ba0236395d2ea91e527ee635fd6d23cf8488587a849d150bff440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2377483.exe

Filesize
271KB

MD5
f34455fc3943bb9b9cfab6b8c0af7bd7

SHA1
dd6bbb0442428b85e4f697df7ed62244b6fd6203

SHA256
0bd392dd49575a473f9a8ee149a58db92f5005a0e1b75639636000ce0e9ed013

SHA512
1a9c1ac7eefde35076ed43f0874951c8fbafbbe6c50e97308dca4d160ff8e2fa76f000dbc8c982b743d4e0629885461f0f200808de01fa0e30fc7d4ed688665e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2377483.exe

Filesize
271KB

MD5
f34455fc3943bb9b9cfab6b8c0af7bd7

SHA1
dd6bbb0442428b85e4f697df7ed62244b6fd6203

SHA256
0bd392dd49575a473f9a8ee149a58db92f5005a0e1b75639636000ce0e9ed013

SHA512
1a9c1ac7eefde35076ed43f0874951c8fbafbbe6c50e97308dca4d160ff8e2fa76f000dbc8c982b743d4e0629885461f0f200808de01fa0e30fc7d4ed688665e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1489646.exe

Filesize
140KB

MD5
e96c7a40800a6ad47ba9c9a4c1fc8132

SHA1
bea1fa124822f7b290cb7cde30ad9d3f4c7e715e

SHA256
6adebbe0870c8835c654bf6270627e03ee39fb8f662e09d4342293c6fb099597

SHA512
bd229c46410064ce98785fa59130e5a60326181e38f07aa04075edd0013a4d8561785bb20235d991b3628eba80781993fbfcfe27edbe23dfdbfa0bfe1509779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1489646.exe

Filesize
140KB

MD5
e96c7a40800a6ad47ba9c9a4c1fc8132

SHA1
bea1fa124822f7b290cb7cde30ad9d3f4c7e715e

SHA256
6adebbe0870c8835c654bf6270627e03ee39fb8f662e09d4342293c6fb099597

SHA512
bd229c46410064ce98785fa59130e5a60326181e38f07aa04075edd0013a4d8561785bb20235d991b3628eba80781993fbfcfe27edbe23dfdbfa0bfe1509779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9359452.exe

Filesize
174KB

MD5
c589a2892deb8511cb773c751b1f3e87

SHA1
bec401a3553e249a7538a5e9a9122deed71b61ce

SHA256
a7172f7f88ad5dd9d4d7287b181f6c18c2bede457b7f54c1a188289340987399

SHA512
888262be66ec6e6be572c0825173245e410e97c8306c4ea408d0478a925975f62cf08d342edaf6a8bbbcbcba0cc067a65df14764dacc4a81650a50817a24cabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9359452.exe

Filesize
174KB

MD5
c589a2892deb8511cb773c751b1f3e87

SHA1
bec401a3553e249a7538a5e9a9122deed71b61ce

SHA256
a7172f7f88ad5dd9d4d7287b181f6c18c2bede457b7f54c1a188289340987399

SHA512
888262be66ec6e6be572c0825173245e410e97c8306c4ea408d0478a925975f62cf08d342edaf6a8bbbcbcba0cc067a65df14764dacc4a81650a50817a24cabe

Download Submit
memory/2100-158-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/2100-159-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-160-0x0000000007B90000-0x0000000007B96000-memory.dmp

Filesize
24KB

Download
memory/2100-161-0x0000000005E20000-0x0000000006426000-memory.dmp

Filesize
6.0MB

Download
memory/2100-162-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/2100-163-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/2100-164-0x00000000058B0000-0x00000000058EE000-memory.dmp

Filesize
248KB

Download
memory/2100-165-0x0000000005A30000-0x0000000005A7B000-memory.dmp

Filesize
300KB

Download
memory/2100-166-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads