redline | 41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19

Analysis

max time kernel
135s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
18-08-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe
Size

713KB
MD5

06e39dc2b0dda0e430ac1f48f4bab9a9
SHA1

d379aee432b469e3ad8881509097fca20c819afe
SHA256

41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19
SHA512

fcc2d3ea751c54d2ffc78e4f95e6a3c93c15581a4cf5b42190db80799851d6921b0d56923b1b98436413ffb292bd1837d24562bb7f0aefa8beebb1f88eb0c640
SSDEEP

12288:QMrfy90T7qN8yz5EEhcIdqCyp5Fa04CN2ueJ9pP1VtSUIE5i5p+kflODH9T3:fy6U8kLhDq3ys2lDlfgUv5i5dsJ

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4908	z1515424.exe
3888	z5537701.exe
4720	z3161570.exe
4732	r6786576.exe
164	s5100454.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1515424.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5537701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3161570.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4908	4972	41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe	69
PID 4972 wrote to memory of 4908	4972	41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe	69
PID 4972 wrote to memory of 4908	4972	41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe	69
PID 4908 wrote to memory of 3888	4908	z1515424.exe	70
PID 4908 wrote to memory of 3888	4908	z1515424.exe	70
PID 4908 wrote to memory of 3888	4908	z1515424.exe	70
PID 3888 wrote to memory of 4720	3888	z5537701.exe	71
PID 3888 wrote to memory of 4720	3888	z5537701.exe	71
PID 3888 wrote to memory of 4720	3888	z5537701.exe	71
PID 4720 wrote to memory of 4732	4720	z3161570.exe	72
PID 4720 wrote to memory of 4732	4720	z3161570.exe	72
PID 4720 wrote to memory of 4732	4720	z3161570.exe	72
PID 4720 wrote to memory of 164	4720	z3161570.exe	73
PID 4720 wrote to memory of 164	4720	z3161570.exe	73
PID 4720 wrote to memory of 164	4720	z3161570.exe	73

C:\Users\Admin\AppData\Local\Temp\41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe
"C:\Users\Admin\AppData\Local\Temp\41619d9ec3347057f6b84d9a53b0bdf94c56e7eb5c8975d280e8e74b77e38f19.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1515424.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1515424.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5537701.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5537701.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3161570.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3161570.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6786576.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6786576.exe
        5⤵
        Executes dropped EXE
        
        PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5100454.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5100454.exe
        5⤵
        Executes dropped EXE
        
        PID:164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1515424.exe

Filesize
597KB

MD5
050074c83daf79293c77e2735fdde6a2

SHA1
bd56a424f6eabc2ebac14436f73348c4d987529e

SHA256
7d561029c7dcf87d96afad330534d67ef66f87e453a351fb3256aa6d71d28e22

SHA512
9820879b6d8ea96c9d56fac55afe7c549514403bb60c928a4b4b7e2cf6471ec8930db980aac71e4456c4fb63fbc461c50c7f7048ac650510695c1c5036897c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1515424.exe

Filesize
597KB

MD5
050074c83daf79293c77e2735fdde6a2

SHA1
bd56a424f6eabc2ebac14436f73348c4d987529e

SHA256
7d561029c7dcf87d96afad330534d67ef66f87e453a351fb3256aa6d71d28e22

SHA512
9820879b6d8ea96c9d56fac55afe7c549514403bb60c928a4b4b7e2cf6471ec8930db980aac71e4456c4fb63fbc461c50c7f7048ac650510695c1c5036897c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5537701.exe

Filesize
372KB

MD5
e6566e0e7432d0764a1dfb53d1331ef1

SHA1
b94141b6f4ec421a4f13f02c1b79decd0e2e51bc

SHA256
89a585886aef17a9ca54bbf6b631e879afb38237d645c84f4d3351a89e9ad515

SHA512
b9a931347bb601fdc56bd320a4a9a541bd7596cfdc4647d8f781c68ab7136ff501467517878e206a5564ee12ccefff9e7051a3f67497675aab04532da327fccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5537701.exe

Filesize
372KB

MD5
e6566e0e7432d0764a1dfb53d1331ef1

SHA1
b94141b6f4ec421a4f13f02c1b79decd0e2e51bc

SHA256
89a585886aef17a9ca54bbf6b631e879afb38237d645c84f4d3351a89e9ad515

SHA512
b9a931347bb601fdc56bd320a4a9a541bd7596cfdc4647d8f781c68ab7136ff501467517878e206a5564ee12ccefff9e7051a3f67497675aab04532da327fccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3161570.exe

Filesize
271KB

MD5
dcc740d55aa6e93b30b7bdb9e114a117

SHA1
710c70da18d17f8cbe266a096813c3b423dbb7b6

SHA256
ef3f61a4b9ba3c221b6cff7a01030b5ef4aafc6017f6b9630438c5bcd4fbbfd0

SHA512
a554b235add77395969c3dca8435d69a5310aef348b787c0e28480460f30dc139412ad060a51a9209c2c28c8a14cace804853a15b8c4c0d669b796197f2e57ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3161570.exe

Filesize
271KB

MD5
dcc740d55aa6e93b30b7bdb9e114a117

SHA1
710c70da18d17f8cbe266a096813c3b423dbb7b6

SHA256
ef3f61a4b9ba3c221b6cff7a01030b5ef4aafc6017f6b9630438c5bcd4fbbfd0

SHA512
a554b235add77395969c3dca8435d69a5310aef348b787c0e28480460f30dc139412ad060a51a9209c2c28c8a14cace804853a15b8c4c0d669b796197f2e57ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6786576.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6786576.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5100454.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5100454.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/164-149-0x00000000000A0000-0x00000000000D0000-memory.dmp

Filesize
192KB

Download
memory/164-150-0x0000000073690000-0x0000000073D7E000-memory.dmp

Filesize
6.9MB

Download
memory/164-151-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/164-152-0x000000000A390000-0x000000000A996000-memory.dmp

Filesize
6.0MB

Download
memory/164-153-0x0000000009EB0000-0x0000000009FBA000-memory.dmp

Filesize
1.0MB

Download
memory/164-154-0x0000000009DE0000-0x0000000009DF2000-memory.dmp

Filesize
72KB

Download
memory/164-155-0x0000000009E40000-0x0000000009E7E000-memory.dmp

Filesize
248KB

Download
memory/164-156-0x0000000009FC0000-0x000000000A00B000-memory.dmp

Filesize
300KB

Download
memory/164-157-0x0000000073690000-0x0000000073D7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads