redline | 39974f6796095f842c2a6f254aaa50447c9dea3c16ccb24c7fc86afe0b9d8df9

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5be1fddb167e40e5bc924a6f2d52d6d.exe
Size

831KB
MD5

a5be1fddb167e40e5bc924a6f2d52d6d
SHA1

70f8bc3d2773766bad9bc03f4832c8d47e14cd9d
SHA256

39974f6796095f842c2a6f254aaa50447c9dea3c16ccb24c7fc86afe0b9d8df9
SHA512

ce93826704f460294850bd77f5bcc6c6876e156b97b92e373379f35cf7811124a0b0333eb632e2f724770a96e98dba054ed6fc2848ddb791143a8561052f5d04
SSDEEP

24576:ayBfCX9CDTsU/Y11JF9fnAmH+MEcy0/I:hB1DT9/YP9/ACQG

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3668	z1220246.exe
3992	z3291237.exe
2804	z7713020.exe
2220	r6860294.exe
3272	s8181829.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7713020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5be1fddb167e40e5bc924a6f2d52d6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1220246.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3291237.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3668	4732	a5be1fddb167e40e5bc924a6f2d52d6d.exe	82
PID 4732 wrote to memory of 3668	4732	a5be1fddb167e40e5bc924a6f2d52d6d.exe	82
PID 4732 wrote to memory of 3668	4732	a5be1fddb167e40e5bc924a6f2d52d6d.exe	82
PID 3668 wrote to memory of 3992	3668	z1220246.exe	83
PID 3668 wrote to memory of 3992	3668	z1220246.exe	83
PID 3668 wrote to memory of 3992	3668	z1220246.exe	83
PID 3992 wrote to memory of 2804	3992	z3291237.exe	84
PID 3992 wrote to memory of 2804	3992	z3291237.exe	84
PID 3992 wrote to memory of 2804	3992	z3291237.exe	84
PID 2804 wrote to memory of 2220	2804	z7713020.exe	85
PID 2804 wrote to memory of 2220	2804	z7713020.exe	85
PID 2804 wrote to memory of 2220	2804	z7713020.exe	85
PID 2804 wrote to memory of 3272	2804	z7713020.exe	86
PID 2804 wrote to memory of 3272	2804	z7713020.exe	86
PID 2804 wrote to memory of 3272	2804	z7713020.exe	86

C:\Users\Admin\AppData\Local\Temp\a5be1fddb167e40e5bc924a6f2d52d6d.exe
"C:\Users\Admin\AppData\Local\Temp\a5be1fddb167e40e5bc924a6f2d52d6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1220246.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1220246.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3291237.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3291237.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7713020.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7713020.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6860294.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6860294.exe
        5⤵
        Executes dropped EXE
        
        PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8181829.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8181829.exe
        5⤵
        Executes dropped EXE
        
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1220246.exe

Filesize
598KB

MD5
9bd9fba9c521df263909accf3f32da77

SHA1
12aeddeb7d12a3ab3e29b64177d950ffa5495393

SHA256
9ae26bf1ef7e72514fc00ec9a7f7b043a861bdc163346db1723c95cee1f483fa

SHA512
35e8f37cf2140ac608e5b08412b6f4cb403259dbfd7146e277decc47652f176d761783bd83e5b97fbc5949804523890aa876aa7dd928bf5ee22bdd892af4a30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1220246.exe

Filesize
598KB

MD5
9bd9fba9c521df263909accf3f32da77

SHA1
12aeddeb7d12a3ab3e29b64177d950ffa5495393

SHA256
9ae26bf1ef7e72514fc00ec9a7f7b043a861bdc163346db1723c95cee1f483fa

SHA512
35e8f37cf2140ac608e5b08412b6f4cb403259dbfd7146e277decc47652f176d761783bd83e5b97fbc5949804523890aa876aa7dd928bf5ee22bdd892af4a30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3291237.exe

Filesize
372KB

MD5
10d0dc0621a930f737cbea3b349188e6

SHA1
3a68cbecb6e389178234b08ba867ae40b692b4e0

SHA256
44725d39b9e11955ba660b2d0cf6b5e8a4040ebcb3ccdfe1d8ae6796dd35e6f4

SHA512
a327950aa858d79e31e075d7eec7f441461c207a6573ee409d42f151f65a190c3c85affe6afb344d9b06b7858be8e4a72aa91cdd512ae7c2b1e3a4d45083d155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3291237.exe

Filesize
372KB

MD5
10d0dc0621a930f737cbea3b349188e6

SHA1
3a68cbecb6e389178234b08ba867ae40b692b4e0

SHA256
44725d39b9e11955ba660b2d0cf6b5e8a4040ebcb3ccdfe1d8ae6796dd35e6f4

SHA512
a327950aa858d79e31e075d7eec7f441461c207a6573ee409d42f151f65a190c3c85affe6afb344d9b06b7858be8e4a72aa91cdd512ae7c2b1e3a4d45083d155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7713020.exe

Filesize
271KB

MD5
24af7615fe7e516267f0286e93899058

SHA1
bfa272ff7a338300f93ee4a2416ef30e24c2b9ec

SHA256
566e383609c85f57642232a5e94150fd3fb9c2d8e9e56a27964f7a3e3c42b02f

SHA512
f255b16680c09539391e61bd2416a5ada3b2704327baecb9c34ecbc2f5f648331b3f06ea8c83a277edee78a3deb38087e883ee7d8c3012aebd8e34fa52cec64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7713020.exe

Filesize
271KB

MD5
24af7615fe7e516267f0286e93899058

SHA1
bfa272ff7a338300f93ee4a2416ef30e24c2b9ec

SHA256
566e383609c85f57642232a5e94150fd3fb9c2d8e9e56a27964f7a3e3c42b02f

SHA512
f255b16680c09539391e61bd2416a5ada3b2704327baecb9c34ecbc2f5f648331b3f06ea8c83a277edee78a3deb38087e883ee7d8c3012aebd8e34fa52cec64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6860294.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6860294.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8181829.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8181829.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/3272-164-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/3272-165-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/3272-166-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/3272-167-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/3272-168-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3272-169-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/3272-170-0x0000000005040000-0x000000000507C000-memory.dmp

Filesize
240KB

Download
memory/3272-171-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/3272-172-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads