Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19/08/2023, 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
  Resource: win10-20230703-en
General
Target: ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
Size: 944KB
MD5: 6b47dd82516af7976a126f4c624e3fce
SHA1: 06d497ac28d37bf8c62c5752bf5d0686569dec76
SHA256: ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba
SHA512: bbc70f4beb5ef1e3949a7bb404223319830775b66481508c9731d3486a081724d81a1fdf028137a2f49637f9f8dc2aefa88ceef9178e9d30047832505c90e81c
SSDEEP: 12288:QMriy90TTmYn7VQhBp/Jp7dRltkOVcDzdN54EYobHFGw0IgEf+CaUNemxaokzBxP:iyYD7g/7ROzd8EB0IgY+NUJPkCNXA
Malware Config
Extracted
Family: redline
Botnet: dugin
C2: 77.91.124.73:19071
auth_value: 7c3e46e091100fd26a6076996d374c28
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
pid   Process
2212  v1618359.exe
2124  v6485955.exe
652   v8128457.exe
4152  v5479150.exe
4272  a9409323.exe
3532  b5437281.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str) by v6485955.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- Set value (str) by v8128457.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
- Set value (str) by v5479150.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
- Set value (str) by ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Set value (str) by v1618359.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Suspicious use of WriteProcessMemory (18 IoCs)
description                        pid   Process                                                                   procid_target
PID 3720 wrote to memory of 2212   3720  ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe  70
PID 3720 wrote to memory of 2212   3720  ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe  70
PID 3720 wrote to memory of 2212   3720  ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe  70
PID 2212 wrote to memory of 2124   2212  v1618359.exe                                                              71
PID 2212 wrote to memory of 2124   2212  v1618359.exe                                                              71
PID 2212 wrote to memory of 2124   2212  v1618359.exe                                                              71
PID 2124 wrote to memory of 652    2124  v6485955.exe                                                              72
PID 2124 wrote to memory of 652    2124  v6485955.exe                                                              72
PID 2124 wrote to memory of 652    2124  v6485955.exe                                                              72
PID 652 wrote to memory of 4152    652   v8128457.exe                                                              73
PID 652 wrote to memory of 4152    652   v8128457.exe                                                              73
PID 652 wrote to memory of 4152    652   v8128457.exe                                                              73
PID 4152 wrote to memory of 4272   4152  v5479150.exe                                                              74
PID 4152 wrote to memory of 4272   4152  v5479150.exe                                                              74
PID 4152 wrote to memory of 4272   4152  v5479150.exe                                                              74
PID 4152 wrote to memory of 3532   4152  v5479150.exe                                                              75
PID 4152 wrote to memory of 3532   4152  v5479150.exe                                                              75
PID 4152 wrote to memory of 3532   4152  v5479150.exe                                                              75
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ca8e648840b1d9f62168a0d6cab0ea8e1151f7eda316d7ed549c77c85744d6ba.exe"
  PID: 3720
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1618359.exe
    PID: 2212
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6485955.exe
      PID: 2124
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8128457.exe
        PID: 652
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5479150.exe
          PID: 4152
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9409323.exe
            PID: 4272
            - Executes dropped EXE

          Level 6: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5437281.exe
            PID: 3532
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 711KB
MD5: 91516e9de2e5ebee646a7f7cdcbb03a7
SHA1: 739f7665b274f79976d133c7354ceaa1eb51776f
SHA256: 7857176f59204ec62af2e26dc0c3a941d7204d8f92bd4383a2d16638da5211aa
SHA512: ff9188c7b43df2137e1940faf5251b12c2899e12a5626bab3406bc964b56caa287624cb3e84879d7e84c2356fc9c7a04edeb1303b90abe2889a8f31e63a361c3

Filesize: 598KB
MD5: 3f7e39d651f6e2deb93388bd1dcad7f3
SHA1: 673c36c74fcacbfa0c955837b71d2fea1cbe5e95
SHA256: 629fbaf8e40bb924eb74748a8627b34224383952181aa02694fa8f4281579d4b
SHA512: c712fbc58ff896850f987d161377e6a46b36b945150f261679c371f696266c379b3484a99406b252c6d94f12c191c2c91f5077e347c2b92f1d771fc004c031e8

Filesize: 372KB
MD5: 8f50567ef3e83a75e519c18206e82344
SHA1: fb41fc610578eb9d65f381d22d7e6e2835070cce
SHA256: e0c1d8182ef7a9240662f3081cad4deab2865f6ac543fab0169b935f541d4252
SHA512: 625bd850795dcfceb515ba3346832ca47d43dcf79288e10beaf272e80d5bb7d7b471cc34efee76c5e8ef931b6ed8b68d4c4e8be9db5805d7ad93011a89d335bc

Filesize: 271KB
MD5: f3b2635b1722ac23e8bc0145686ce892
SHA1: 9f8f08302b459ce86d2df90e3ce7f86f2c59bd85
SHA256: 21845dae44156b511e381d9523666a32bc11499971c0912013488ad70b4738b8
SHA512: c993989c43be1450ecb31aa401668d38fd68f9a48cb042b9bad27804f9b235ebbe6d34966b0795484f360dbce9d98e2ea8ab37aaed9f3bb170f92e5ede18b417

Filesize: 140KB
MD5: 77a93a6afb1d7fa81c674cbecbee8531
SHA1: fbd5275cea45278e48c3306c5e069619cdf038b3
SHA256: 0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675
SHA512: dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Filesize: 173KB
MD5: d5f3785f09b0b4ddb516cb1bba85a36d
SHA1: 978b0c33233c9ab63a596cbb282473f1e99b07d4
SHA256: 64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0
SHA512: 40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb