redline | 532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe
Size

714KB
MD5

be3b966665a999e5a9a222e45bae6e2d
SHA1

d0dc05c8489dee4f4d35abc1b24646840307cca1
SHA256

532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5
SHA512

ee6f80ed8a86dfb04298a0c06de48786e3ef0534577024f9777a0e251f56b4611d1ad9a079c42310b477521d49bed89d0c8bcc59eb1c30a553499710626c4f9d
SSDEEP

12288:2Mr0y90DnX+jkJPOCBveWbSo3ZUGNHQ58kAz6K661gIdd1Tqyi+Pvm0Q5t5lm:SyPj2BLQZrK6JI3w4200tm

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3912	z2688426.exe
3840	z3149867.exe
4492	z8132656.exe
4880	r2718238.exe
220	s9642775.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2688426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3149867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8132656.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3912	540	532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe	81
PID 540 wrote to memory of 3912	540	532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe	81
PID 540 wrote to memory of 3912	540	532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe	81
PID 3912 wrote to memory of 3840	3912	z2688426.exe	82
PID 3912 wrote to memory of 3840	3912	z2688426.exe	82
PID 3912 wrote to memory of 3840	3912	z2688426.exe	82
PID 3840 wrote to memory of 4492	3840	z3149867.exe	83
PID 3840 wrote to memory of 4492	3840	z3149867.exe	83
PID 3840 wrote to memory of 4492	3840	z3149867.exe	83
PID 4492 wrote to memory of 4880	4492	z8132656.exe	84
PID 4492 wrote to memory of 4880	4492	z8132656.exe	84
PID 4492 wrote to memory of 4880	4492	z8132656.exe	84
PID 4492 wrote to memory of 220	4492	z8132656.exe	85
PID 4492 wrote to memory of 220	4492	z8132656.exe	85
PID 4492 wrote to memory of 220	4492	z8132656.exe	85

C:\Users\Admin\AppData\Local\Temp\532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe
"C:\Users\Admin\AppData\Local\Temp\532f0bd98bfb3b495280a2296274b7f34791f73ee973205373309ae690490fa5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2688426.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2688426.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3149867.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3149867.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8132656.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8132656.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2718238.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2718238.exe
        5⤵
        Executes dropped EXE
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9642775.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9642775.exe
        5⤵
        Executes dropped EXE
        
        PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2688426.exe

Filesize
598KB

MD5
76b039951290f0b5ace107b0e3e7b9e2

SHA1
278ec09551e0636df7dd3a9bcb5030d212acbd26

SHA256
fe7fba6fd20a38ceced411e0738ffd10daab7e47fb42a504bfcf47258346918c

SHA512
e5c0b8e1ad6b7e74aff42408cfe033d076316db63b9515772cba53473b0132e315dabead00f0ba708e37f1d489f803bc884826507c379f907f06e85921f88d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2688426.exe

Filesize
598KB

MD5
76b039951290f0b5ace107b0e3e7b9e2

SHA1
278ec09551e0636df7dd3a9bcb5030d212acbd26

SHA256
fe7fba6fd20a38ceced411e0738ffd10daab7e47fb42a504bfcf47258346918c

SHA512
e5c0b8e1ad6b7e74aff42408cfe033d076316db63b9515772cba53473b0132e315dabead00f0ba708e37f1d489f803bc884826507c379f907f06e85921f88d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3149867.exe

Filesize
372KB

MD5
25e64c198343b31994813a41cb79bd56

SHA1
d0314ff4d5f0a715338c67bdfc9a058d78bddcee

SHA256
7712b6bedda184f4ac1458db0bfe7cf13664eda8dc7317e95c7b8c0cb4dfc20e

SHA512
e462758968b0a1b435a0c564a75559a59b782f9bf0752b944ca6892e351cc10621244882c784c2e9bc6f3daddead63bab7817561b4e03149397c40178cbadf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3149867.exe

Filesize
372KB

MD5
25e64c198343b31994813a41cb79bd56

SHA1
d0314ff4d5f0a715338c67bdfc9a058d78bddcee

SHA256
7712b6bedda184f4ac1458db0bfe7cf13664eda8dc7317e95c7b8c0cb4dfc20e

SHA512
e462758968b0a1b435a0c564a75559a59b782f9bf0752b944ca6892e351cc10621244882c784c2e9bc6f3daddead63bab7817561b4e03149397c40178cbadf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8132656.exe

Filesize
271KB

MD5
d5b72c3843df86dea4332d8eaa833c45

SHA1
425bb6606fe48c51312602c58e8bdf712b326124

SHA256
39cf9a7ccf1d62c81e7546157bc2715e36ccf9c3d9bd7d537a134a4cf9cbf74d

SHA512
476e37179173adf1170a10e2f3be00491c18e20c72f1aa395cd03f93fee16b16d385ce9140b04ff80aad56e2032cc4edd569d22b31f99d7327a3f1360cd173b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8132656.exe

Filesize
271KB

MD5
d5b72c3843df86dea4332d8eaa833c45

SHA1
425bb6606fe48c51312602c58e8bdf712b326124

SHA256
39cf9a7ccf1d62c81e7546157bc2715e36ccf9c3d9bd7d537a134a4cf9cbf74d

SHA512
476e37179173adf1170a10e2f3be00491c18e20c72f1aa395cd03f93fee16b16d385ce9140b04ff80aad56e2032cc4edd569d22b31f99d7327a3f1360cd173b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2718238.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2718238.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9642775.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9642775.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/220-164-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/220-165-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/220-166-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/220-167-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/220-168-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/220-169-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/220-170-0x00000000057A0000-0x00000000057DC000-memory.dmp

Filesize
240KB

Download
memory/220-171-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/220-172-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads