redline | 462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe

Analysis

max time kernel
138s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
18-08-2023 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe
Size

713KB
MD5

1da62613ed5dcab72539c4bb40a58381
SHA1

c0e3a4f0ab530c5d577562da6b3e9f0cbdc3673c
SHA256

462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe
SHA512

ea1ca40e73c3ef29003f371aa7a3f036b0cd2282725f84b6d5328fccf37b9eebcbd98ec3b67941eacd3100795f9532d301142ef8203fcc2e1ad4b8f26ffda94c
SSDEEP

12288:oMrvy90WhaCFmMo8rArYYnj7DTaHnInZ8HZm6j8y7zj0czcEni:HyvaCFUuBO7uIZaZZV7zowzi

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
824	z3163724.exe
4568	z9333385.exe
984	z5255619.exe
756	r1570673.exe
4024	s9389742.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3163724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9333385.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5255619.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 824	2872	462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe	70
PID 2872 wrote to memory of 824	2872	462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe	70
PID 2872 wrote to memory of 824	2872	462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe	70
PID 824 wrote to memory of 4568	824	z3163724.exe	71
PID 824 wrote to memory of 4568	824	z3163724.exe	71
PID 824 wrote to memory of 4568	824	z3163724.exe	71
PID 4568 wrote to memory of 984	4568	z9333385.exe	72
PID 4568 wrote to memory of 984	4568	z9333385.exe	72
PID 4568 wrote to memory of 984	4568	z9333385.exe	72
PID 984 wrote to memory of 756	984	z5255619.exe	73
PID 984 wrote to memory of 756	984	z5255619.exe	73
PID 984 wrote to memory of 756	984	z5255619.exe	73
PID 984 wrote to memory of 4024	984	z5255619.exe	74
PID 984 wrote to memory of 4024	984	z5255619.exe	74
PID 984 wrote to memory of 4024	984	z5255619.exe	74

C:\Users\Admin\AppData\Local\Temp\462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe
"C:\Users\Admin\AppData\Local\Temp\462aec704480f6bd6549210d9fe9b47b623dacbddf4814c307ac805135f3f6fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3163724.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3163724.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9333385.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9333385.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5255619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5255619.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570673.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570673.exe
        5⤵
        Executes dropped EXE
        
        PID:756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9389742.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9389742.exe
        5⤵
        Executes dropped EXE
        
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3163724.exe

Filesize
598KB

MD5
ebcd7cf15cdbada65f1641c278e807c0

SHA1
5ba6c466da4c0c3178d26a90653e634b625459d4

SHA256
1db3bd4f462ec1ee07c7c264f233d0f9f61e7ca8f6a30b351ff7c8de34e99d8d

SHA512
df4dc9994ae35b935a7539164f5a84ecbf720a1495ea19226aec11d6fe368e429b145c78cc18f3fb20616734fe339f0b50e9caca6ac3bb2c3d908bd25e5591c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3163724.exe

Filesize
598KB

MD5
ebcd7cf15cdbada65f1641c278e807c0

SHA1
5ba6c466da4c0c3178d26a90653e634b625459d4

SHA256
1db3bd4f462ec1ee07c7c264f233d0f9f61e7ca8f6a30b351ff7c8de34e99d8d

SHA512
df4dc9994ae35b935a7539164f5a84ecbf720a1495ea19226aec11d6fe368e429b145c78cc18f3fb20616734fe339f0b50e9caca6ac3bb2c3d908bd25e5591c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9333385.exe

Filesize
372KB

MD5
035aec46e18ab4370f1e9e44c747dd52

SHA1
63f8f47c70e542aafe4446104e4dc66fbb8dc0da

SHA256
37311b88bb91b69acc6128f6538a8558795dfb0a5a77f11c0f5d692383006264

SHA512
51e8451180f9d3f5a24adf34ee93ff90f98e5b19fc6ace38f3407f8be1964f0f3c3a96711ad8b9b230694f99fec55033b99f9721ccdc55a508e1f6d479b892e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9333385.exe

Filesize
372KB

MD5
035aec46e18ab4370f1e9e44c747dd52

SHA1
63f8f47c70e542aafe4446104e4dc66fbb8dc0da

SHA256
37311b88bb91b69acc6128f6538a8558795dfb0a5a77f11c0f5d692383006264

SHA512
51e8451180f9d3f5a24adf34ee93ff90f98e5b19fc6ace38f3407f8be1964f0f3c3a96711ad8b9b230694f99fec55033b99f9721ccdc55a508e1f6d479b892e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5255619.exe

Filesize
271KB

MD5
41c5c8c7c2c6fd431e450eb5019f0125

SHA1
aba52dd03efc9c5383a6f79169de70bc6f7aee9e

SHA256
a7e61a8cd205e75b427115deb4667ae12275c0a1b293882a0960782ff125ca1b

SHA512
2ffd4f3052151c76e9464116fd1ec65496c15a78b703a7d5fa41b54175153cb7bac96edfadaa5bcaad36f5b607b81a1953b5f41903e440f1a6f6f9288016e3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5255619.exe

Filesize
271KB

MD5
41c5c8c7c2c6fd431e450eb5019f0125

SHA1
aba52dd03efc9c5383a6f79169de70bc6f7aee9e

SHA256
a7e61a8cd205e75b427115deb4667ae12275c0a1b293882a0960782ff125ca1b

SHA512
2ffd4f3052151c76e9464116fd1ec65496c15a78b703a7d5fa41b54175153cb7bac96edfadaa5bcaad36f5b607b81a1953b5f41903e440f1a6f6f9288016e3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570673.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r1570673.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9389742.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9389742.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/4024-149-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/4024-150-0x0000000073040000-0x000000007372E000-memory.dmp

Filesize
6.9MB

Download
memory/4024-151-0x0000000002940000-0x0000000002946000-memory.dmp

Filesize
24KB

Download
memory/4024-152-0x000000000AAE0000-0x000000000B0E6000-memory.dmp

Filesize
6.0MB

Download
memory/4024-153-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/4024-154-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/4024-155-0x000000000A510000-0x000000000A54E000-memory.dmp

Filesize
248KB

Download
memory/4024-156-0x000000000A560000-0x000000000A5AB000-memory.dmp

Filesize
300KB

Download
memory/4024-157-0x0000000073040000-0x000000007372E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads