redline | e68da44dfeb30629cab8a0f2861ee86e81ec3824be9015c4ab3b7ccb30385544

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe
Size

955KB
MD5

75bef14f14930d7f5638ac7a6638e7ff
SHA1

51fc8ad634ec3646570d43e667620bead9596067
SHA256

27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932
SHA512

21d617b95d1c9c4c6493535fe5a73d3d057d5148525fc2ee8b7e8a9cdeb0cb2b37e47d2c97fe03ce63399764104579c65b301a42a0cf94875c6d271eedaeca43
SSDEEP

24576:1y7YsEGi0s4gFmYZua0murkf7mIylOFYW73KyrqkS:QEsa0vgQYJkI4OFYsjr

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1448	v9549250.exe
4968	v1743823.exe
4292	v3142548.exe
2116	v2033156.exe
4176	a7953000.exe
4576	b8025777.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9549250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1743823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3142548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2033156.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1448	3596	27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe	82
PID 3596 wrote to memory of 1448	3596	27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe	82
PID 3596 wrote to memory of 1448	3596	27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe	82
PID 1448 wrote to memory of 4968	1448	v9549250.exe	83
PID 1448 wrote to memory of 4968	1448	v9549250.exe	83
PID 1448 wrote to memory of 4968	1448	v9549250.exe	83
PID 4968 wrote to memory of 4292	4968	v1743823.exe	84
PID 4968 wrote to memory of 4292	4968	v1743823.exe	84
PID 4968 wrote to memory of 4292	4968	v1743823.exe	84
PID 4292 wrote to memory of 2116	4292	v3142548.exe	85
PID 4292 wrote to memory of 2116	4292	v3142548.exe	85
PID 4292 wrote to memory of 2116	4292	v3142548.exe	85
PID 2116 wrote to memory of 4176	2116	v2033156.exe	86
PID 2116 wrote to memory of 4176	2116	v2033156.exe	86
PID 2116 wrote to memory of 4176	2116	v2033156.exe	86
PID 2116 wrote to memory of 4576	2116	v2033156.exe	87
PID 2116 wrote to memory of 4576	2116	v2033156.exe	87
PID 2116 wrote to memory of 4576	2116	v2033156.exe	87

C:\Users\Admin\AppData\Local\Temp\27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe
"C:\Users\Admin\AppData\Local\Temp\27b81615ae48be70fd70e2b8318aac210637f2b4e43c427b60044788a9918932.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9549250.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9549250.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1743823.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1743823.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3142548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3142548.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2033156.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2033156.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7953000.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7953000.exe
        6⤵
        Executes dropped EXE
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8025777.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8025777.exe
        6⤵
        Executes dropped EXE
        
        PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9549250.exe

Filesize
723KB

MD5
1c1e0a7adf9118c92d4ca71e3cdf498d

SHA1
c91a1d5f9f8f06a9dde14ef50d4fbbe3e7c92796

SHA256
4a2e5251b4250e51057db40114e00a6cc7378c3078af53b831c0cf32f0b7be0f

SHA512
a57346fa7faad369f8087186efb11d3fcd66f315f0efe701248882b39a616f5b60ce219e9c7c2c0dd293f0cc16271011292a1b6fa96b15ff224f7208cb069274

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9549250.exe

Filesize
723KB

MD5
1c1e0a7adf9118c92d4ca71e3cdf498d

SHA1
c91a1d5f9f8f06a9dde14ef50d4fbbe3e7c92796

SHA256
4a2e5251b4250e51057db40114e00a6cc7378c3078af53b831c0cf32f0b7be0f

SHA512
a57346fa7faad369f8087186efb11d3fcd66f315f0efe701248882b39a616f5b60ce219e9c7c2c0dd293f0cc16271011292a1b6fa96b15ff224f7208cb069274

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1743823.exe

Filesize
598KB

MD5
734e7c237be1accd2d00722a96b742ee

SHA1
377462bd972af366961aec280c77b19ae9165ffb

SHA256
481d6dfd98560807353ccf065b677399e5873d62a2bbbf702dadf6603709cb16

SHA512
902f7afb079e8c050babe6a3eb9ab64d9620ce4bd91202856edcecdaa009ec65ef11f928b84a0274431dcf755b935fc3ddc17097f258267c026495e09293a7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1743823.exe

Filesize
598KB

MD5
734e7c237be1accd2d00722a96b742ee

SHA1
377462bd972af366961aec280c77b19ae9165ffb

SHA256
481d6dfd98560807353ccf065b677399e5873d62a2bbbf702dadf6603709cb16

SHA512
902f7afb079e8c050babe6a3eb9ab64d9620ce4bd91202856edcecdaa009ec65ef11f928b84a0274431dcf755b935fc3ddc17097f258267c026495e09293a7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3142548.exe

Filesize
372KB

MD5
8a4496d20d51be81669b94877fe05ac5

SHA1
ac271a096228beab356612d9ab4dc2ed3c1115c2

SHA256
65c2e715c3684e0240ee7113f1aa57e31f57abe0bb131d891ef71ba5734432c8

SHA512
8e9f9d19919c48d9da421f98475c84e24a03d5827bf90ed4e6283087fb938decbde58584ded01e96928ba4026c27aecd5c838d62c9284803c807e51bed3a3162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3142548.exe

Filesize
372KB

MD5
8a4496d20d51be81669b94877fe05ac5

SHA1
ac271a096228beab356612d9ab4dc2ed3c1115c2

SHA256
65c2e715c3684e0240ee7113f1aa57e31f57abe0bb131d891ef71ba5734432c8

SHA512
8e9f9d19919c48d9da421f98475c84e24a03d5827bf90ed4e6283087fb938decbde58584ded01e96928ba4026c27aecd5c838d62c9284803c807e51bed3a3162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2033156.exe

Filesize
271KB

MD5
02b0c7f9ff6f09530185c31c24ab6098

SHA1
b7cfc189a15ce6e5d159cd0860fa04d4759cef9e

SHA256
c13438384c541e718214121767ed2bb1c74fbc1f52f45514f7cac050b55036fa

SHA512
e1580c0412c9133cf7143fbe4c1cf89c049b5e6bc33730dde1fc94115f0da7e6c840a1e34c24743b5a612fb193205c4c02117a8eb000e766c7bd4299a30a42e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2033156.exe

Filesize
271KB

MD5
02b0c7f9ff6f09530185c31c24ab6098

SHA1
b7cfc189a15ce6e5d159cd0860fa04d4759cef9e

SHA256
c13438384c541e718214121767ed2bb1c74fbc1f52f45514f7cac050b55036fa

SHA512
e1580c0412c9133cf7143fbe4c1cf89c049b5e6bc33730dde1fc94115f0da7e6c840a1e34c24743b5a612fb193205c4c02117a8eb000e766c7bd4299a30a42e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7953000.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7953000.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8025777.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8025777.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/4576-171-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/4576-172-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4576-173-0x000000000AFF0000-0x000000000B608000-memory.dmp

Filesize
6.1MB

Download
memory/4576-174-0x000000000AB70000-0x000000000AC7A000-memory.dmp

Filesize
1.0MB

Download
memory/4576-176-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4576-175-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

Filesize
72KB

Download
memory/4576-177-0x000000000AB10000-0x000000000AB4C000-memory.dmp

Filesize
240KB

Download
memory/4576-178-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4576-179-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads