redline | ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba

Analysis

max time kernel
135s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
19/08/2023, 04:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
Size

944KB
MD5

6b47dd82516af7976a126f4c624e3fce
SHA1

06d497ac28d37bf8c62c5752bf5d0686569dec76
SHA256

ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba
SHA512

bbc70f4beb5ef1e3949a7bb404223319830775b66481508c9731d3486a081724d81a1fdf028137a2f49637f9f8dc2aefa88ceef9178e9d30047832505c90e81c
SSDEEP

12288:QMriy90TTmYn7VQhBp/Jp7dRltkOVcDzdN54EYobHFGw0IgEf+CaUNemxaokzBxP:iyYD7g/7ROzd8EB0IgY+NUJPkCNXA

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2212	v1618359.exe
2124	v6485955.exe
652	v8128457.exe
4152	v5479150.exe
4272	a9409323.exe
3532	b5437281.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6485955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8128457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5479150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1618359.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2212	3720	ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe	70
PID 3720 wrote to memory of 2212	3720	ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe	70
PID 3720 wrote to memory of 2212	3720	ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe	70
PID 2212 wrote to memory of 2124	2212	v1618359.exe	71
PID 2212 wrote to memory of 2124	2212	v1618359.exe	71
PID 2212 wrote to memory of 2124	2212	v1618359.exe	71
PID 2124 wrote to memory of 652	2124	v6485955.exe	72
PID 2124 wrote to memory of 652	2124	v6485955.exe	72
PID 2124 wrote to memory of 652	2124	v6485955.exe	72
PID 652 wrote to memory of 4152	652	v8128457.exe	73
PID 652 wrote to memory of 4152	652	v8128457.exe	73
PID 652 wrote to memory of 4152	652	v8128457.exe	73
PID 4152 wrote to memory of 4272	4152	v5479150.exe	74
PID 4152 wrote to memory of 4272	4152	v5479150.exe	74
PID 4152 wrote to memory of 4272	4152	v5479150.exe	74
PID 4152 wrote to memory of 3532	4152	v5479150.exe	75
PID 4152 wrote to memory of 3532	4152	v5479150.exe	75
PID 4152 wrote to memory of 3532	4152	v5479150.exe	75

C:\Users\Admin\AppData\Local\Temp\ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
"C:\Users\Admin\AppData\Local\Temp\ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe
        6⤵
        Executes dropped EXE
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe
        6⤵
        Executes dropped EXE
        
        PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe

Filesize
711KB

MD5
91516e9de2e5ebee646a7f7cdcbb03a7

SHA1
739f7665b274f79976d133c7354ceaa1eb51776f

SHA256
7857176f59204ec62af2e26dc0c3a941d7204d8f92bd4383a2d16638da5211aa

SHA512
ff9188c7b43df2137e1940faf5251b12c2899e12a5626bab3406bc964b56caa287624cb3e84879d7e84c2356fc9c7a04edeb1303b90abe2889a8f31e63a361c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe

Filesize
711KB

MD5
91516e9de2e5ebee646a7f7cdcbb03a7

SHA1
739f7665b274f79976d133c7354ceaa1eb51776f

SHA256
7857176f59204ec62af2e26dc0c3a941d7204d8f92bd4383a2d16638da5211aa

SHA512
ff9188c7b43df2137e1940faf5251b12c2899e12a5626bab3406bc964b56caa287624cb3e84879d7e84c2356fc9c7a04edeb1303b90abe2889a8f31e63a361c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe

Filesize
598KB

MD5
3f7e39d651f6e2deb93388bd1dcad7f3

SHA1
673c36c74fcacbfa0c955837b71d2fea1cbe5e95

SHA256
629fbaf8e40bb924eb74748a8627b34224383952181aa02694fa8f4281579d4b

SHA512
c712fbc58ff896850f987d161377e6a46b36b945150f261679c371f696266c379b3484a99406b252c6d94f12c191c2c91f5077e347c2b92f1d771fc004c031e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe

Filesize
598KB

MD5
3f7e39d651f6e2deb93388bd1dcad7f3

SHA1
673c36c74fcacbfa0c955837b71d2fea1cbe5e95

SHA256
629fbaf8e40bb924eb74748a8627b34224383952181aa02694fa8f4281579d4b

SHA512
c712fbc58ff896850f987d161377e6a46b36b945150f261679c371f696266c379b3484a99406b252c6d94f12c191c2c91f5077e347c2b92f1d771fc004c031e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe

Filesize
372KB

MD5
8f50567ef3e83a75e519c18206e82344

SHA1
fb41fc610578eb9d65f381d22d7e6e2835070cce

SHA256
e0c1d8182ef7a9240662f3081cad4deab2865f6ac543fab0169b935f541d4252

SHA512
625bd850795dcfceb515ba3346832ca47d43dcf79288e10beaf272e80d5bb7d7b471cc34efee76c5e8ef931b6ed8b68d4c4e8be9db5805d7ad93011a89d335bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe

Filesize
372KB

MD5
8f50567ef3e83a75e519c18206e82344

SHA1
fb41fc610578eb9d65f381d22d7e6e2835070cce

SHA256
e0c1d8182ef7a9240662f3081cad4deab2865f6ac543fab0169b935f541d4252

SHA512
625bd850795dcfceb515ba3346832ca47d43dcf79288e10beaf272e80d5bb7d7b471cc34efee76c5e8ef931b6ed8b68d4c4e8be9db5805d7ad93011a89d335bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe

Filesize
271KB

MD5
f3b2635b1722ac23e8bc0145686ce892

SHA1
9f8f08302b459ce86d2df90e3ce7f86f2c59bd85

SHA256
21845dae44156b511e381d9523666a32bc11499971c0912013488ad70b4738b8

SHA512
c993989c43be1450ecb31aa401668d38fd68f9a48cb042b9bad27804f9b235ebbe6d34966b0795484f360dbce9d98e2ea8ab37aaed9f3bb170f92e5ede18b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe

Filesize
271KB

MD5
f3b2635b1722ac23e8bc0145686ce892

SHA1
9f8f08302b459ce86d2df90e3ce7f86f2c59bd85

SHA256
21845dae44156b511e381d9523666a32bc11499971c0912013488ad70b4738b8

SHA512
c993989c43be1450ecb31aa401668d38fd68f9a48cb042b9bad27804f9b235ebbe6d34966b0795484f360dbce9d98e2ea8ab37aaed9f3bb170f92e5ede18b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/3532-155-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download
memory/3532-156-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3532-157-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

Filesize
24KB

Download
memory/3532-158-0x000000000AE60000-0x000000000B466000-memory.dmp

Filesize
6.0MB

Download
memory/3532-159-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/3532-160-0x000000000A8C0000-0x000000000A8D2000-memory.dmp

Filesize
72KB

Download
memory/3532-161-0x000000000A920000-0x000000000A95E000-memory.dmp

Filesize
248KB

Download
memory/3532-162-0x000000000AAA0000-0x000000000AAEB000-memory.dmp

Filesize
300KB

Download
memory/3532-163-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads