redline | 2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe
Size

714KB
MD5

e77fb7cd586e00041500a195d80853a1
SHA1

e645be832033e59892afd4117b191badacf46bb2
SHA256

2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1
SHA512

f074995e8ee38fd56beb23355c3cbaee89c1e6305ac91fa8dead6599e53bd74993fc8aabd8effd94b8807bc79cc0645fc2cdb38b35f78e06052c39552a055794
SSDEEP

12288:rMrRy902Vko5h3Fom6tALSa3YGsiQR4mvNOFdrgKWDKD+:CyfP5Ram6tAdYGslR4mvoFdsKWDKD+

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3228	z7631026.exe
4488	z4672403.exe
4708	z7948115.exe
2388	r7003328.exe
4088	s4665036.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7948115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7631026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4672403.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 3228	3316	2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe	81
PID 3316 wrote to memory of 3228	3316	2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe	81
PID 3316 wrote to memory of 3228	3316	2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe	81
PID 3228 wrote to memory of 4488	3228	z7631026.exe	82
PID 3228 wrote to memory of 4488	3228	z7631026.exe	82
PID 3228 wrote to memory of 4488	3228	z7631026.exe	82
PID 4488 wrote to memory of 4708	4488	z4672403.exe	83
PID 4488 wrote to memory of 4708	4488	z4672403.exe	83
PID 4488 wrote to memory of 4708	4488	z4672403.exe	83
PID 4708 wrote to memory of 2388	4708	z7948115.exe	84
PID 4708 wrote to memory of 2388	4708	z7948115.exe	84
PID 4708 wrote to memory of 2388	4708	z7948115.exe	84
PID 4708 wrote to memory of 4088	4708	z7948115.exe	85
PID 4708 wrote to memory of 4088	4708	z7948115.exe	85
PID 4708 wrote to memory of 4088	4708	z7948115.exe	85

C:\Users\Admin\AppData\Local\Temp\2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe
"C:\Users\Admin\AppData\Local\Temp\2a5cf64dbcb336f9dd77d153f67e72c58c08ffe50190b1e2c9f370c3741380b1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7631026.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7631026.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4672403.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4672403.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7948115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7948115.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7003328.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7003328.exe
        5⤵
        Executes dropped EXE
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4665036.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4665036.exe
        5⤵
        Executes dropped EXE
        
        PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7631026.exe

Filesize
598KB

MD5
c9504bb82fdb3ca71fc1d6ec05c6fab4

SHA1
25f55b1ef46cb954f61f6929c95fa45bee1e449b

SHA256
d7f2aa09a797287f2822cdde7eb7cfaaed351d3433afd7ea34c997a782119f88

SHA512
4e2cf2ab5d82d102550f37bf12c37fd521cee74cebd31aafb16fdaaa59cc82b23a76a7653c203831b1f1b6075769a7ce9660f7b09425153dca1c0cec7dec6dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7631026.exe

Filesize
598KB

MD5
c9504bb82fdb3ca71fc1d6ec05c6fab4

SHA1
25f55b1ef46cb954f61f6929c95fa45bee1e449b

SHA256
d7f2aa09a797287f2822cdde7eb7cfaaed351d3433afd7ea34c997a782119f88

SHA512
4e2cf2ab5d82d102550f37bf12c37fd521cee74cebd31aafb16fdaaa59cc82b23a76a7653c203831b1f1b6075769a7ce9660f7b09425153dca1c0cec7dec6dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4672403.exe

Filesize
372KB

MD5
a0847329193473aa56697a82646795c0

SHA1
31e0b5c3347b321eab8b2a0eea564715a4b44c8e

SHA256
ed0e8560bf97176dd5d76e2b5a7166c1a199a3e6e3bf51fdb5a2a104e5037161

SHA512
c03e885add27852caa773997596bd2c816d4dbd34ca056d77aacbe113e936b22220040ced333a1cc7dd9e64e011c938a5b7696577dc42b3e30dc11d8dda0a8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4672403.exe

Filesize
372KB

MD5
a0847329193473aa56697a82646795c0

SHA1
31e0b5c3347b321eab8b2a0eea564715a4b44c8e

SHA256
ed0e8560bf97176dd5d76e2b5a7166c1a199a3e6e3bf51fdb5a2a104e5037161

SHA512
c03e885add27852caa773997596bd2c816d4dbd34ca056d77aacbe113e936b22220040ced333a1cc7dd9e64e011c938a5b7696577dc42b3e30dc11d8dda0a8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7948115.exe

Filesize
271KB

MD5
6923c42c2802a897227c81282a6b3ace

SHA1
aa7a07eb93a7e80ee1e39b3c523e018d1a2e87a5

SHA256
7183985e5068679bb718f200b71ff4d0225a8e6c1e50fc785b19fe5d0a282407

SHA512
343fd69fa1afce3e38f9a53b2a271729aaf94778f2ea981103a8cf0bfaa6fb72bb4d2338f736a165ee0ae29b77c5f39e696ef40178170488582ae74a53514363

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7948115.exe

Filesize
271KB

MD5
6923c42c2802a897227c81282a6b3ace

SHA1
aa7a07eb93a7e80ee1e39b3c523e018d1a2e87a5

SHA256
7183985e5068679bb718f200b71ff4d0225a8e6c1e50fc785b19fe5d0a282407

SHA512
343fd69fa1afce3e38f9a53b2a271729aaf94778f2ea981103a8cf0bfaa6fb72bb4d2338f736a165ee0ae29b77c5f39e696ef40178170488582ae74a53514363

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7003328.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r7003328.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4665036.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4665036.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/4088-164-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/4088-165-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4088-166-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/4088-167-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/4088-169-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/4088-168-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4088-170-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/4088-171-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4088-172-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads