redline | 2f1978fda2c1cc3f69c04c2012ee448e1c853680c60161a1fe4219e836b47d66

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

505183add5a3aaebfc97dab3c1a149c0.exe
Size

855KB
MD5

505183add5a3aaebfc97dab3c1a149c0
SHA1

3703a59ebe5f167de9d9caafc9c8aa3f0a6b6b4c
SHA256

2f1978fda2c1cc3f69c04c2012ee448e1c853680c60161a1fe4219e836b47d66
SHA512

a0f956f09fd2c4a30fdc01c0c71b3595fa911a4944bfe53cf5ff821aa154871d4b4e5ba258d7e541dcf50dfd71dfa270eed5f00575242410bbe096538abdf10a
SSDEEP

24576:oyPwLg9jdzjozwANnvahQgJBMmtoHjtXJMr:vILgJRo7vahFq

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3720	v0181725.exe
1400	v8238982.exe
1584	v2086590.exe
764	v2265365.exe
2884	a2699214.exe
916	b8865256.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	505183add5a3aaebfc97dab3c1a149c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0181725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8238982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2086590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2265365.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 3720	5100	505183add5a3aaebfc97dab3c1a149c0.exe	82
PID 5100 wrote to memory of 3720	5100	505183add5a3aaebfc97dab3c1a149c0.exe	82
PID 5100 wrote to memory of 3720	5100	505183add5a3aaebfc97dab3c1a149c0.exe	82
PID 3720 wrote to memory of 1400	3720	v0181725.exe	83
PID 3720 wrote to memory of 1400	3720	v0181725.exe	83
PID 3720 wrote to memory of 1400	3720	v0181725.exe	83
PID 1400 wrote to memory of 1584	1400	v8238982.exe	84
PID 1400 wrote to memory of 1584	1400	v8238982.exe	84
PID 1400 wrote to memory of 1584	1400	v8238982.exe	84
PID 1584 wrote to memory of 764	1584	v2086590.exe	85
PID 1584 wrote to memory of 764	1584	v2086590.exe	85
PID 1584 wrote to memory of 764	1584	v2086590.exe	85
PID 764 wrote to memory of 2884	764	v2265365.exe	86
PID 764 wrote to memory of 2884	764	v2265365.exe	86
PID 764 wrote to memory of 2884	764	v2265365.exe	86
PID 764 wrote to memory of 916	764	v2265365.exe	87
PID 764 wrote to memory of 916	764	v2265365.exe	87
PID 764 wrote to memory of 916	764	v2265365.exe	87

C:\Users\Admin\AppData\Local\Temp\505183add5a3aaebfc97dab3c1a149c0.exe
"C:\Users\Admin\AppData\Local\Temp\505183add5a3aaebfc97dab3c1a149c0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0181725.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0181725.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8238982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8238982.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2086590.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2086590.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2265365.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2265365.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2699214.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2699214.exe
        6⤵
        Executes dropped EXE
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8865256.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8865256.exe
        6⤵
        Executes dropped EXE
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0181725.exe

Filesize
723KB

MD5
bf0930d8cf7ca9f54ad77b5eac81d1e8

SHA1
5b771a753ace0932510d07b7c3d107ed00fa87e2

SHA256
72bb6a2fe52abe3e4765252618e841638288ece6b3eb335219c8e9b25d263b24

SHA512
a7fd0e18b3fd775aa5a3a11b0eac6e4d79609509c4d027a1b01a5e5ce614449870f837f731261bd506603753fcd1dd3230e7e02b6f876bc761e10751dae246b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0181725.exe

Filesize
723KB

MD5
bf0930d8cf7ca9f54ad77b5eac81d1e8

SHA1
5b771a753ace0932510d07b7c3d107ed00fa87e2

SHA256
72bb6a2fe52abe3e4765252618e841638288ece6b3eb335219c8e9b25d263b24

SHA512
a7fd0e18b3fd775aa5a3a11b0eac6e4d79609509c4d027a1b01a5e5ce614449870f837f731261bd506603753fcd1dd3230e7e02b6f876bc761e10751dae246b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8238982.exe

Filesize
598KB

MD5
da758f80d48c36077ecebf03f3e6b246

SHA1
65edc7f6ff8d4dabf00dd32918123be98a379b04

SHA256
5bd9895efdc5eeffba11ce3065f2aeb018f744c492cca44655067bee4964d1a9

SHA512
ce94de6faee96be0b826c8d8153550526fe1c332e365410b6a22e335f27930c4098a8e85a5310cc02242925e4bf29a3c19e88e3ce57058f450b7fa8bed37a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8238982.exe

Filesize
598KB

MD5
da758f80d48c36077ecebf03f3e6b246

SHA1
65edc7f6ff8d4dabf00dd32918123be98a379b04

SHA256
5bd9895efdc5eeffba11ce3065f2aeb018f744c492cca44655067bee4964d1a9

SHA512
ce94de6faee96be0b826c8d8153550526fe1c332e365410b6a22e335f27930c4098a8e85a5310cc02242925e4bf29a3c19e88e3ce57058f450b7fa8bed37a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2086590.exe

Filesize
372KB

MD5
9576646ec8d1b0b4294e3f041f2606fb

SHA1
d6505a422f610af9fb4c2c5ec60a58483db0a057

SHA256
19df21979dc0a23275ab56eff1fa252af98c33ac730d44f8f1dfe4947aa0346e

SHA512
60cf8f24a127141cdb00e5a63d373764af662b1d2b1d120a9a91c0a4c1d9132cab3c81c9de33ce7ec4a11f66f8817e2fdf46730b43130211eecc2d28381d8c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2086590.exe

Filesize
372KB

MD5
9576646ec8d1b0b4294e3f041f2606fb

SHA1
d6505a422f610af9fb4c2c5ec60a58483db0a057

SHA256
19df21979dc0a23275ab56eff1fa252af98c33ac730d44f8f1dfe4947aa0346e

SHA512
60cf8f24a127141cdb00e5a63d373764af662b1d2b1d120a9a91c0a4c1d9132cab3c81c9de33ce7ec4a11f66f8817e2fdf46730b43130211eecc2d28381d8c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2265365.exe

Filesize
271KB

MD5
a08932264c7ad16bf49ff31a40baab1d

SHA1
2581cd4f715f3ef19ae85b8a2401d8f8969010ea

SHA256
79e99ace83822ea81922fb94819df90c8df21060082600d878133675fc25de5a

SHA512
15bd77903c6d967ec9fce17abedd44a46cecc37d8a6135fc24e59fd1e38cb003da42ffb58e1c4ac88298ba6ea33fda676000592005d8b8590e00b3f36fe5fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2265365.exe

Filesize
271KB

MD5
a08932264c7ad16bf49ff31a40baab1d

SHA1
2581cd4f715f3ef19ae85b8a2401d8f8969010ea

SHA256
79e99ace83822ea81922fb94819df90c8df21060082600d878133675fc25de5a

SHA512
15bd77903c6d967ec9fce17abedd44a46cecc37d8a6135fc24e59fd1e38cb003da42ffb58e1c4ac88298ba6ea33fda676000592005d8b8590e00b3f36fe5fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2699214.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2699214.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8865256.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8865256.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/916-171-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/916-172-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/916-173-0x000000000B060000-0x000000000B678000-memory.dmp

Filesize
6.1MB

Download
memory/916-174-0x000000000AB90000-0x000000000AC9A000-memory.dmp

Filesize
1.0MB

Download
memory/916-175-0x000000000AAD0000-0x000000000AAE2000-memory.dmp

Filesize
72KB

Download
memory/916-176-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/916-177-0x000000000AB30000-0x000000000AB6C000-memory.dmp

Filesize
240KB

Download
memory/916-178-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/916-179-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads