redline | e494faf13a3dc85b8afd8425956f63de5530a83c6e856a397b4c62808e96fd94

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df77cc14f57bdd1e0d927d56cc75f49.exe
Size

854KB
MD5

4df77cc14f57bdd1e0d927d56cc75f49
SHA1

9b20638e0c006ca5ad5726fd425de091723b2662
SHA256

e494faf13a3dc85b8afd8425956f63de5530a83c6e856a397b4c62808e96fd94
SHA512

0507a0e573906093a4ecbe61bbf6d7ed50c95bffac3024e6c8df893bfe54e2446ec591004e7992fb32b9436f0b5d9da853d63c24cb8962908adc51afc8590c78
SSDEEP

12288:bMrdy90PtHKIX53vFtifW0VsDTg6LwaC3nkwqVLYef43nXiddIgBanqdnAE8L7Lt:qyORVX1UW0VcMXbHiPnmqNAVLbQvN1k

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1740	v5923313.exe
3592	v5552161.exe
5032	v6810603.exe
4636	v3650810.exe
4944	a9873338.exe
972	b8428164.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3650810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4df77cc14f57bdd1e0d927d56cc75f49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5923313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5552161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6810603.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1740	3612	4df77cc14f57bdd1e0d927d56cc75f49.exe	80
PID 3612 wrote to memory of 1740	3612	4df77cc14f57bdd1e0d927d56cc75f49.exe	80
PID 3612 wrote to memory of 1740	3612	4df77cc14f57bdd1e0d927d56cc75f49.exe	80
PID 1740 wrote to memory of 3592	1740	v5923313.exe	81
PID 1740 wrote to memory of 3592	1740	v5923313.exe	81
PID 1740 wrote to memory of 3592	1740	v5923313.exe	81
PID 3592 wrote to memory of 5032	3592	v5552161.exe	82
PID 3592 wrote to memory of 5032	3592	v5552161.exe	82
PID 3592 wrote to memory of 5032	3592	v5552161.exe	82
PID 5032 wrote to memory of 4636	5032	v6810603.exe	83
PID 5032 wrote to memory of 4636	5032	v6810603.exe	83
PID 5032 wrote to memory of 4636	5032	v6810603.exe	83
PID 4636 wrote to memory of 4944	4636	v3650810.exe	84
PID 4636 wrote to memory of 4944	4636	v3650810.exe	84
PID 4636 wrote to memory of 4944	4636	v3650810.exe	84
PID 4636 wrote to memory of 972	4636	v3650810.exe	85
PID 4636 wrote to memory of 972	4636	v3650810.exe	85
PID 4636 wrote to memory of 972	4636	v3650810.exe	85

C:\Users\Admin\AppData\Local\Temp\4df77cc14f57bdd1e0d927d56cc75f49.exe
"C:\Users\Admin\AppData\Local\Temp\4df77cc14f57bdd1e0d927d56cc75f49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5923313.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5923313.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5552161.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5552161.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6810603.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6810603.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3650810.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3650810.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9873338.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9873338.exe
        6⤵
        Executes dropped EXE
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8428164.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8428164.exe
        6⤵
        Executes dropped EXE
        
        PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5923313.exe

Filesize
722KB

MD5
f7679b9cab87cc715c34029b1d4a4555

SHA1
f9dc960842d2ab09a6afbd263241d7bb1869c247

SHA256
cd8f63bba012e5a9b2d316fe916078842815b759faf6d521951ad9853a31dfa2

SHA512
f048fb264a876ee6b8029fca391878eaa0a26b4334016c26caa1e70281827440f0a9187b493c5cbbaabf247546497a3d21e148d1de59497d1d05368cd978a96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5923313.exe

Filesize
722KB

MD5
f7679b9cab87cc715c34029b1d4a4555

SHA1
f9dc960842d2ab09a6afbd263241d7bb1869c247

SHA256
cd8f63bba012e5a9b2d316fe916078842815b759faf6d521951ad9853a31dfa2

SHA512
f048fb264a876ee6b8029fca391878eaa0a26b4334016c26caa1e70281827440f0a9187b493c5cbbaabf247546497a3d21e148d1de59497d1d05368cd978a96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5552161.exe

Filesize
598KB

MD5
f01b799cd5c592658291bd6412679fb3

SHA1
5c95ee7724aff4e768b21d7eb52627bc426ffd81

SHA256
89bea7a7f0531ea3c7ab2df03bce482b1c4ac19e9711207881dbeef78eff8cae

SHA512
7e291367b94c16aa60956e700ca392fbc4122103018de562261053c0b750149203a9b606077671789bf512346e6b0ff6342b357527b08f478efafce40373d2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5552161.exe

Filesize
598KB

MD5
f01b799cd5c592658291bd6412679fb3

SHA1
5c95ee7724aff4e768b21d7eb52627bc426ffd81

SHA256
89bea7a7f0531ea3c7ab2df03bce482b1c4ac19e9711207881dbeef78eff8cae

SHA512
7e291367b94c16aa60956e700ca392fbc4122103018de562261053c0b750149203a9b606077671789bf512346e6b0ff6342b357527b08f478efafce40373d2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6810603.exe

Filesize
372KB

MD5
2d6a8533ab595dfdcef26760c12e9808

SHA1
513f1501b5f197b88ca926ceef6d2f75592f4647

SHA256
b5a4c499eb8dc22a2bc98ea6114052fafdf9e8c752c41e816944c820a7e208b0

SHA512
dabf5cca8b7416c6a3b1e6e8c7daf6c48cc352266fee6492d313a497430d33e5e9ba96b572fc7ad833143626397a187cf58bd3bc433044e837bc76f9fa445a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6810603.exe

Filesize
372KB

MD5
2d6a8533ab595dfdcef26760c12e9808

SHA1
513f1501b5f197b88ca926ceef6d2f75592f4647

SHA256
b5a4c499eb8dc22a2bc98ea6114052fafdf9e8c752c41e816944c820a7e208b0

SHA512
dabf5cca8b7416c6a3b1e6e8c7daf6c48cc352266fee6492d313a497430d33e5e9ba96b572fc7ad833143626397a187cf58bd3bc433044e837bc76f9fa445a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3650810.exe

Filesize
271KB

MD5
94b1be1183bdf6c8338ec9aa96a281c9

SHA1
2fff149508c9ee4fb0e05e7769660a5a44be7cc5

SHA256
3f057f30e8684c82107e6bcc1b1f66f9af1b7e0edf641fffad76ccb7d64c8b4f

SHA512
d382eb4e94a14edb7990dcab53236e6ae8ec427ae40f54274d719d103789dc767bf8bebcb7ec62ddcb787a858de22c2aa7a22cd846ab97e46eb312a2d389f696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3650810.exe

Filesize
271KB

MD5
94b1be1183bdf6c8338ec9aa96a281c9

SHA1
2fff149508c9ee4fb0e05e7769660a5a44be7cc5

SHA256
3f057f30e8684c82107e6bcc1b1f66f9af1b7e0edf641fffad76ccb7d64c8b4f

SHA512
d382eb4e94a14edb7990dcab53236e6ae8ec427ae40f54274d719d103789dc767bf8bebcb7ec62ddcb787a858de22c2aa7a22cd846ab97e46eb312a2d389f696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9873338.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9873338.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8428164.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8428164.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/972-171-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/972-172-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/972-173-0x000000000A820000-0x000000000AE38000-memory.dmp

Filesize
6.1MB

Download
memory/972-174-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/972-175-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/972-176-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

Filesize
72KB

Download
memory/972-177-0x000000000A310000-0x000000000A34C000-memory.dmp

Filesize
240KB

Download
memory/972-178-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/972-179-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads