redline | b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae

Analysis

max time kernel
126s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
Size

831KB
MD5

650bb84be58ede733ed023e1f86c9f30
SHA1

0a1e433dde0ac3882392dd49356b1f54dc6d139b
SHA256

b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae
SHA512

624c48e4cbf2ce1500c5a009554bb45a2eeddce466e7e66609d7891876d14108389794571a43f9314214896aff0d8c00c35d5ceca40ea41c1d45ccdde98c3b67
SSDEEP

12288:OMrxy90XtDkDoqWfg5omLWx6N+PpPrx4Vn5pP9lrkO1Xzh2oelBJEVFSEcnFjn:nyDWY5WUNit415pPN1Yl3jxnVn

Score

10^/10

redline dugin infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

dugin

77.91.124.73:19071

Attributes

auth_value
7c3e46e091100fd26a6076996d374c28

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2436	z4385040.exe
4568	z3721239.exe
4292	z9526513.exe
952	r6791331.exe
1368	s0749182.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4385040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3721239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9526513.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2436	1780	b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe	84
PID 1780 wrote to memory of 2436	1780	b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe	84
PID 1780 wrote to memory of 2436	1780	b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe	84
PID 2436 wrote to memory of 4568	2436	z4385040.exe	85
PID 2436 wrote to memory of 4568	2436	z4385040.exe	85
PID 2436 wrote to memory of 4568	2436	z4385040.exe	85
PID 4568 wrote to memory of 4292	4568	z3721239.exe	86
PID 4568 wrote to memory of 4292	4568	z3721239.exe	86
PID 4568 wrote to memory of 4292	4568	z3721239.exe	86
PID 4292 wrote to memory of 952	4292	z9526513.exe	87
PID 4292 wrote to memory of 952	4292	z9526513.exe	87
PID 4292 wrote to memory of 952	4292	z9526513.exe	87
PID 4292 wrote to memory of 1368	4292	z9526513.exe	88
PID 4292 wrote to memory of 1368	4292	z9526513.exe	88
PID 4292 wrote to memory of 1368	4292	z9526513.exe	88

C:\Users\Admin\AppData\Local\Temp\b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b8ee2960aab380f5665e2e85c5b58606daa563339a528be856e6640dd6f36bae_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe
        5⤵
        Executes dropped EXE
        
        PID:952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe
        5⤵
        Executes dropped EXE
        
        PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe

Filesize
598KB

MD5
a90af1091bbb3c62fd3a0d6a4cf0de22

SHA1
b0d929ab1482db306047cb43a84a16abf988205b

SHA256
519d160e2d2731c7e2a9a339a114efa0147bb9a29fe516f5ab2cb8e17273827c

SHA512
5611383e94dcf6acb8c47d3758e69362c7348e15cf877b60bff09e1533a6e85ebb2e09ec68b356f5bed90894297d7a61a494017538be823209fa64720327af8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4385040.exe

Filesize
598KB

MD5
a90af1091bbb3c62fd3a0d6a4cf0de22

SHA1
b0d929ab1482db306047cb43a84a16abf988205b

SHA256
519d160e2d2731c7e2a9a339a114efa0147bb9a29fe516f5ab2cb8e17273827c

SHA512
5611383e94dcf6acb8c47d3758e69362c7348e15cf877b60bff09e1533a6e85ebb2e09ec68b356f5bed90894297d7a61a494017538be823209fa64720327af8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe

Filesize
372KB

MD5
25b3c79c4c64ef5594778c5934c66cca

SHA1
934dd0aff1a87527467bf5c827f124195c558eef

SHA256
e789da652b9ebd714349e98164d18df23153eddcb10bd8f61cd36963a9b61323

SHA512
16f3edc2b0b651dbd3c9ae3e64d0207ef21ef5677b586f7e29faba1dbc956f6716bdbd12de7cf0c61ccfd6d0b614830e9cdc21d2e1d8f3d09bedba491e2a4a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3721239.exe

Filesize
372KB

MD5
25b3c79c4c64ef5594778c5934c66cca

SHA1
934dd0aff1a87527467bf5c827f124195c558eef

SHA256
e789da652b9ebd714349e98164d18df23153eddcb10bd8f61cd36963a9b61323

SHA512
16f3edc2b0b651dbd3c9ae3e64d0207ef21ef5677b586f7e29faba1dbc956f6716bdbd12de7cf0c61ccfd6d0b614830e9cdc21d2e1d8f3d09bedba491e2a4a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe

Filesize
271KB

MD5
bcd39d8bdaf1dfa8b69717a3bfc1d8fb

SHA1
f182c0c8342f12f0f9a16ef4b717f90ced267d86

SHA256
56098882c2d32e64370b6cf8bd5b6abc5ae9abbb565bfedfe07ebf3ec401bf04

SHA512
b64516da316b19d5a44e3d60abc9b6f3de32a112600648a5177f2f8da7aa4c2b15e811999667d032b033cf45c0d776ba583f68aaca7e339cf65841f77d49dd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9526513.exe

Filesize
271KB

MD5
bcd39d8bdaf1dfa8b69717a3bfc1d8fb

SHA1
f182c0c8342f12f0f9a16ef4b717f90ced267d86

SHA256
56098882c2d32e64370b6cf8bd5b6abc5ae9abbb565bfedfe07ebf3ec401bf04

SHA512
b64516da316b19d5a44e3d60abc9b6f3de32a112600648a5177f2f8da7aa4c2b15e811999667d032b033cf45c0d776ba583f68aaca7e339cf65841f77d49dd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6791331.exe

Filesize
140KB

MD5
77a93a6afb1d7fa81c674cbecbee8531

SHA1
fbd5275cea45278e48c3306c5e069619cdf038b3

SHA256
0fcb9c3965ee7f2c36d232a624e0769542916f207ab4118a1e6d56fabffb3675

SHA512
dc09b69e4ba62ccbb61310d39d185ad06e3e74759cfeb193a0d626ee36f35f27dd51f22425985884dd88143c5c24cbbb1da74e105c0adcc33a3a53e9b898d40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0749182.exe

Filesize
173KB

MD5
d5f3785f09b0b4ddb516cb1bba85a36d

SHA1
978b0c33233c9ab63a596cbb282473f1e99b07d4

SHA256
64b6558c24af070e047262ad247dc64b968f8d919a5c9bb2b5c279931ef38db0

SHA512
40f87989963ef21438f1378eb4b8f4d736bf7de67d2a12670faa6f94ab221dfb475eed8cec99208539e0a06e61ef987f8a7a5cb759442fc79583200b393611fb

Download Submit
memory/1368-31-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1368-32-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/1368-33-0x00000000055C0000-0x0000000005BD8000-memory.dmp

Filesize
6.1MB

Download
memory/1368-34-0x00000000050B0000-0x00000000051BA000-memory.dmp

Filesize
1.0MB

Download
memory/1368-35-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1368-36-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/1368-37-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/1368-38-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1368-39-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads