redline | 97e4c16365bf0983dd4a76145c98694563ef4df1cb5d80049e43ebe05837240e

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5e434f80008b367953aad7e9ee21c04.exe
Size

714KB
MD5

a5e434f80008b367953aad7e9ee21c04
SHA1

538d494c068ce7aa083dd4d88d1924e5747a118b
SHA256

97e4c16365bf0983dd4a76145c98694563ef4df1cb5d80049e43ebe05837240e
SHA512

c0ed3d35dcf7cb9908741606dc7100e72281b8dea2535bef4c9caedf0bdc88a666f65fb65c3eacdc5ed5d30a25ad3e9caa13d09a2343281747c09fb35f28457e
SSDEEP

12288:1Mrly90Xd1x+7eiWdWz2NPT2Gb4FFWyrH12V00k7/hhPgCvAFI/5AHkKNv:gy0xftWz2N71GE+ZjhhgsGTv

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2488	z5198903.exe
396	z5967661.exe
3236	z8532493.exe
3780	r9876540.exe
4308	s2983331.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5e434f80008b367953aad7e9ee21c04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5198903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5967661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8532493.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 2488	3640	a5e434f80008b367953aad7e9ee21c04.exe	81
PID 3640 wrote to memory of 2488	3640	a5e434f80008b367953aad7e9ee21c04.exe	81
PID 3640 wrote to memory of 2488	3640	a5e434f80008b367953aad7e9ee21c04.exe	81
PID 2488 wrote to memory of 396	2488	z5198903.exe	82
PID 2488 wrote to memory of 396	2488	z5198903.exe	82
PID 2488 wrote to memory of 396	2488	z5198903.exe	82
PID 396 wrote to memory of 3236	396	z5967661.exe	83
PID 396 wrote to memory of 3236	396	z5967661.exe	83
PID 396 wrote to memory of 3236	396	z5967661.exe	83
PID 3236 wrote to memory of 3780	3236	z8532493.exe	84
PID 3236 wrote to memory of 3780	3236	z8532493.exe	84
PID 3236 wrote to memory of 3780	3236	z8532493.exe	84
PID 3236 wrote to memory of 4308	3236	z8532493.exe	85
PID 3236 wrote to memory of 4308	3236	z8532493.exe	85
PID 3236 wrote to memory of 4308	3236	z8532493.exe	85

C:\Users\Admin\AppData\Local\Temp\a5e434f80008b367953aad7e9ee21c04.exe
"C:\Users\Admin\AppData\Local\Temp\a5e434f80008b367953aad7e9ee21c04.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198903.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198903.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5967661.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5967661.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8532493.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8532493.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9876540.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9876540.exe
        5⤵
        Executes dropped EXE
        
        PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2983331.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2983331.exe
        5⤵
        Executes dropped EXE
        
        PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198903.exe

Filesize
598KB

MD5
90bf770528416e1e7fb0bc1ac848634f

SHA1
bd0c5515d25fffabf67f4996fb284947aa5c43a1

SHA256
abc45f7107a3ef782d769890de09e3f93f17e450ab4fb799f1395ae89b8861fd

SHA512
a50ff4925afa3c595a2b74aba900355edb80a49c5b1f23055c4bb2b9bb7a506b143b0942c3485c0af221a011af6cceb311e4ab93c9f3dff126df0866a1b787ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5198903.exe

Filesize
598KB

MD5
90bf770528416e1e7fb0bc1ac848634f

SHA1
bd0c5515d25fffabf67f4996fb284947aa5c43a1

SHA256
abc45f7107a3ef782d769890de09e3f93f17e450ab4fb799f1395ae89b8861fd

SHA512
a50ff4925afa3c595a2b74aba900355edb80a49c5b1f23055c4bb2b9bb7a506b143b0942c3485c0af221a011af6cceb311e4ab93c9f3dff126df0866a1b787ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5967661.exe

Filesize
372KB

MD5
f9f12f8983e0db76afb048a174bc5649

SHA1
82c3bedcc8fb263fdee851e2fba58933a722e021

SHA256
3b5b248a7c5f581a99b6037c6718000aa036da15743b6c21b4748d26db102dff

SHA512
de5d56a9f49e348da0a0ec3c0b2b0ad2a412af782cc694e3d2830ca60a5e34da0ee063e63b44036b8527bac1e8ab245aef45a22c969dfac1a5d6e5a25ded6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5967661.exe

Filesize
372KB

MD5
f9f12f8983e0db76afb048a174bc5649

SHA1
82c3bedcc8fb263fdee851e2fba58933a722e021

SHA256
3b5b248a7c5f581a99b6037c6718000aa036da15743b6c21b4748d26db102dff

SHA512
de5d56a9f49e348da0a0ec3c0b2b0ad2a412af782cc694e3d2830ca60a5e34da0ee063e63b44036b8527bac1e8ab245aef45a22c969dfac1a5d6e5a25ded6da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8532493.exe

Filesize
271KB

MD5
38587f1e8b0013f1bb6bef1f8f3e3c4d

SHA1
e2379fbc6689a709101011652d2251115791bf9f

SHA256
fe80cf9328570bad0c2f14e967d5a373fe8928e6769757f9a3b14565e8ac18ba

SHA512
5fd74dbf54513daddf966ddcbc2cb2162e995545eb455d5338f1ba05c4ea0ca48f0e8af4102d4eb07a56db79ca5bb06eee6202f424146525115971197e11bdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8532493.exe

Filesize
271KB

MD5
38587f1e8b0013f1bb6bef1f8f3e3c4d

SHA1
e2379fbc6689a709101011652d2251115791bf9f

SHA256
fe80cf9328570bad0c2f14e967d5a373fe8928e6769757f9a3b14565e8ac18ba

SHA512
5fd74dbf54513daddf966ddcbc2cb2162e995545eb455d5338f1ba05c4ea0ca48f0e8af4102d4eb07a56db79ca5bb06eee6202f424146525115971197e11bdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9876540.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9876540.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2983331.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2983331.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/4308-164-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4308-165-0x0000000000F60000-0x0000000000F90000-memory.dmp

Filesize
192KB

Download
memory/4308-166-0x000000000B3E0000-0x000000000B9F8000-memory.dmp

Filesize
6.1MB

Download
memory/4308-167-0x000000000AF10000-0x000000000B01A000-memory.dmp

Filesize
1.0MB

Download
memory/4308-168-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/4308-169-0x000000000AE50000-0x000000000AE62000-memory.dmp

Filesize
72KB

Download
memory/4308-170-0x000000000AEB0000-0x000000000AEEC000-memory.dmp

Filesize
240KB

Download
memory/4308-171-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4308-172-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads