redline | 4257603f3ebc986c59d5dd7ca93f69d52a4c673c1eae2c2e53eb7060cb15336c

Analysis

max time kernel
160s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e430ece606b3c7a85856d2d0597482.exe
Size

855KB
MD5

19e430ece606b3c7a85856d2d0597482
SHA1

86cc5abe88800f485c32391bda6fec463b01296a
SHA256

4257603f3ebc986c59d5dd7ca93f69d52a4c673c1eae2c2e53eb7060cb15336c
SHA512

5d1e38429bf663e9dec44a81b05c0fc80379d6a48fa513ae895154e9ac2aeb214a1ada8da6ab08ac6df03cab2a4c1f86a4b811f71bdb6d69da77441d85463d07
SSDEEP

12288:dMriy905dxAiRWDcc9QsaeCxm46NTtGMxC7PotBzkYHEJ1Atg7Z8Fulh:vywxA/4OpJNtk8tFkPAt2Z8U3

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
904	v1877852.exe
5092	v8901907.exe
1932	v5651983.exe
4856	v2884830.exe
2384	a5739051.exe
348	b6935053.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5651983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2884830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19e430ece606b3c7a85856d2d0597482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1877852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8901907.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 904	2360	19e430ece606b3c7a85856d2d0597482.exe	82
PID 2360 wrote to memory of 904	2360	19e430ece606b3c7a85856d2d0597482.exe	82
PID 2360 wrote to memory of 904	2360	19e430ece606b3c7a85856d2d0597482.exe	82
PID 904 wrote to memory of 5092	904	v1877852.exe	83
PID 904 wrote to memory of 5092	904	v1877852.exe	83
PID 904 wrote to memory of 5092	904	v1877852.exe	83
PID 5092 wrote to memory of 1932	5092	v8901907.exe	84
PID 5092 wrote to memory of 1932	5092	v8901907.exe	84
PID 5092 wrote to memory of 1932	5092	v8901907.exe	84
PID 1932 wrote to memory of 4856	1932	v5651983.exe	85
PID 1932 wrote to memory of 4856	1932	v5651983.exe	85
PID 1932 wrote to memory of 4856	1932	v5651983.exe	85
PID 4856 wrote to memory of 2384	4856	v2884830.exe	86
PID 4856 wrote to memory of 2384	4856	v2884830.exe	86
PID 4856 wrote to memory of 2384	4856	v2884830.exe	86
PID 4856 wrote to memory of 348	4856	v2884830.exe	87
PID 4856 wrote to memory of 348	4856	v2884830.exe	87
PID 4856 wrote to memory of 348	4856	v2884830.exe	87

C:\Users\Admin\AppData\Local\Temp\19e430ece606b3c7a85856d2d0597482.exe
"C:\Users\Admin\AppData\Local\Temp\19e430ece606b3c7a85856d2d0597482.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1877852.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1877852.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8901907.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8901907.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5651983.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5651983.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2884830.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2884830.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5739051.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5739051.exe
        6⤵
        Executes dropped EXE
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6935053.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6935053.exe
        6⤵
        Executes dropped EXE
        
        PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1877852.exe

Filesize
723KB

MD5
9c9e65e0e480cffeb4ee7c339577323c

SHA1
cd8d4fb101e79afaf12eef43e5a889021d5324d9

SHA256
4448b8675cbf7bd0681edfdbc10bb94beccceb07955a7967935bdf9a1d10f592

SHA512
210ee20fc577d3dfab1f5023a100eb72e101dbe85e9852b677a43dfb97c262f096901ae19be85054b561295933e7e8744ce8ce9faa372b3781b24414ba98967d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1877852.exe

Filesize
723KB

MD5
9c9e65e0e480cffeb4ee7c339577323c

SHA1
cd8d4fb101e79afaf12eef43e5a889021d5324d9

SHA256
4448b8675cbf7bd0681edfdbc10bb94beccceb07955a7967935bdf9a1d10f592

SHA512
210ee20fc577d3dfab1f5023a100eb72e101dbe85e9852b677a43dfb97c262f096901ae19be85054b561295933e7e8744ce8ce9faa372b3781b24414ba98967d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8901907.exe

Filesize
598KB

MD5
cb1b446e52a43e19af04686e74e163f7

SHA1
b832db1c9ee21d981a73ff2bf69259e18f334eb9

SHA256
b4a1057fcc75a4ab278e5bef33c028936fde1e70cb7881b96d35cd32b42f9fa7

SHA512
8659f49c54d4fcd1170b37c9ed78f6a0be82f5512a6abfad7c96f21e20056debbe26015448ae4df1b6fa5422a77483dd54862583cc8bbdced76d90d20b5777ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8901907.exe

Filesize
598KB

MD5
cb1b446e52a43e19af04686e74e163f7

SHA1
b832db1c9ee21d981a73ff2bf69259e18f334eb9

SHA256
b4a1057fcc75a4ab278e5bef33c028936fde1e70cb7881b96d35cd32b42f9fa7

SHA512
8659f49c54d4fcd1170b37c9ed78f6a0be82f5512a6abfad7c96f21e20056debbe26015448ae4df1b6fa5422a77483dd54862583cc8bbdced76d90d20b5777ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5651983.exe

Filesize
372KB

MD5
b2a3553bad3a327a02c0aaaed5640bdb

SHA1
431991a0c681b720f8d136293862356c45c4ecaf

SHA256
831835e7a40c07514df98ba79d798894939aaa379345ef8a38bf372f1e52a9ba

SHA512
b273c14c209bbb7babf84cd0daf9f9d84ce2b66fcf5804bccf2b75e0d8c6f134875f50c4760aa4388d2a7d0dc41cf688244fb4b371752dce8dad339461e33db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5651983.exe

Filesize
372KB

MD5
b2a3553bad3a327a02c0aaaed5640bdb

SHA1
431991a0c681b720f8d136293862356c45c4ecaf

SHA256
831835e7a40c07514df98ba79d798894939aaa379345ef8a38bf372f1e52a9ba

SHA512
b273c14c209bbb7babf84cd0daf9f9d84ce2b66fcf5804bccf2b75e0d8c6f134875f50c4760aa4388d2a7d0dc41cf688244fb4b371752dce8dad339461e33db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2884830.exe

Filesize
271KB

MD5
176ddff5dd4899dc064ad5aff17192af

SHA1
aea89a9aa786cf516bdb078f44d5380c728b8c68

SHA256
107f6a8625badcb0327d20cec2642d3f7dfe85831a5c8dc8ee974f4220f40232

SHA512
5bb34016a095c6dca6c451c0da482f3e02763f8dfe7fcd9056076ccbb5830b6f86257ad5f92b32eb138a7a898f8212094d95d84b15c46f4cd5a5354e546ba893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2884830.exe

Filesize
271KB

MD5
176ddff5dd4899dc064ad5aff17192af

SHA1
aea89a9aa786cf516bdb078f44d5380c728b8c68

SHA256
107f6a8625badcb0327d20cec2642d3f7dfe85831a5c8dc8ee974f4220f40232

SHA512
5bb34016a095c6dca6c451c0da482f3e02763f8dfe7fcd9056076ccbb5830b6f86257ad5f92b32eb138a7a898f8212094d95d84b15c46f4cd5a5354e546ba893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5739051.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5739051.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6935053.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6935053.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/348-171-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/348-172-0x0000000073D70000-0x0000000074520000-memory.dmp

Filesize
7.7MB

Download
memory/348-173-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/348-174-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/348-176-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/348-175-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/348-177-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/348-178-0x0000000073D70000-0x0000000074520000-memory.dmp

Filesize
7.7MB

Download
memory/348-179-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads