redline | 17427d60f67c1db3215a48151a43c99e6b2d8f9c714029aa0043991d4d54dd38

Analysis

max time kernel
133s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-09-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

786KB
MD5

29954aec91aaebd7bf6a95e929284e18
SHA1

4a203896fc8863d379910e8d75fa7e39023910d1
SHA256

17427d60f67c1db3215a48151a43c99e6b2d8f9c714029aa0043991d4d54dd38
SHA512

bf13beb6f55937139df41b1195f20ee8480bddad92c08d3e21bcc47f81b52410098f01111a161923a129591f47912f118d981b82071f86bd620bb1d40182bad1
SSDEEP

12288:pMrqy90A9j5ftoBhG1Lh6Q2U+sx3EQq7ZGaPrU1JU+uRLERWPpgWxbkJhWL/x:fy99jV4ouf83m7ZXjU1adRNbhkHy/x

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1420	x5246327.exe
2968	x3944500.exe
3012	h4521914.exe

Loads dropped DLL 6 IoCs

pid	Process
2956	tmp.exe
1420	x5246327.exe
1420	x5246327.exe
2968	x3944500.exe
2968	x3944500.exe
3012	h4521914.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5246327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3944500.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 2956 wrote to memory of 1420	2956	tmp.exe	28
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 1420 wrote to memory of 2968	1420	x5246327.exe	29
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30
PID 2968 wrote to memory of 3012	2968	x3944500.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe

Filesize
684KB

MD5
4bbc7cea411782550b102f448ab85569

SHA1
667e75bdc3703ddaec70ab844e610a7cfa9dc07f

SHA256
a027b05275674c11b25f7dc65e33f5d5f84ab4458254f5fe83aebce195ec638c

SHA512
ce592d9474b108474b392103882255640cf29cbaaa7d32e6cf74ecac78948e0be4520e3f6deca8e7a7de205e2fc864670fe74741510d69d3da8e5e6590b136a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe

Filesize
684KB

MD5
4bbc7cea411782550b102f448ab85569

SHA1
667e75bdc3703ddaec70ab844e610a7cfa9dc07f

SHA256
a027b05275674c11b25f7dc65e33f5d5f84ab4458254f5fe83aebce195ec638c

SHA512
ce592d9474b108474b392103882255640cf29cbaaa7d32e6cf74ecac78948e0be4520e3f6deca8e7a7de205e2fc864670fe74741510d69d3da8e5e6590b136a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe

Filesize
292KB

MD5
e24d7ef09c0d1d5276ffd97562321fbb

SHA1
257404a9de7d67c03987932e57e6aaceedb0f294

SHA256
5d73986ec62453ef81000a245d3483fc9d6f588f87158e8e23544134f71dfa41

SHA512
3e2c1a6ff527a0e276b8de459377cfd792bd4b565a3c8f89beda437df7aca7b65c9e40d1794af2a0b6b5155ad9f89a42f121d0010a759c2cbd9c459f19344aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe

Filesize
292KB

MD5
e24d7ef09c0d1d5276ffd97562321fbb

SHA1
257404a9de7d67c03987932e57e6aaceedb0f294

SHA256
5d73986ec62453ef81000a245d3483fc9d6f588f87158e8e23544134f71dfa41

SHA512
3e2c1a6ff527a0e276b8de459377cfd792bd4b565a3c8f89beda437df7aca7b65c9e40d1794af2a0b6b5155ad9f89a42f121d0010a759c2cbd9c459f19344aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe

Filesize
174KB

MD5
864ff05326c33af3ee39758d1f9d07bd

SHA1
0792e9327b364a412c7cc8cf98e51db38e06f1ca

SHA256
6d98f8f9be66635df930d2b1dc5f507b37868e23a046def8bb04d1f706114018

SHA512
9bb0a71bea7adc12a980ee7f94aac4f8962f8f289b0c331fe06dab4a1872cd7dbba361cb97b195d0ef8a89e9a234b3c652947450a4652f44290e8d8437912a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe

Filesize
174KB

MD5
864ff05326c33af3ee39758d1f9d07bd

SHA1
0792e9327b364a412c7cc8cf98e51db38e06f1ca

SHA256
6d98f8f9be66635df930d2b1dc5f507b37868e23a046def8bb04d1f706114018

SHA512
9bb0a71bea7adc12a980ee7f94aac4f8962f8f289b0c331fe06dab4a1872cd7dbba361cb97b195d0ef8a89e9a234b3c652947450a4652f44290e8d8437912a1a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe

Filesize
684KB

MD5
4bbc7cea411782550b102f448ab85569

SHA1
667e75bdc3703ddaec70ab844e610a7cfa9dc07f

SHA256
a027b05275674c11b25f7dc65e33f5d5f84ab4458254f5fe83aebce195ec638c

SHA512
ce592d9474b108474b392103882255640cf29cbaaa7d32e6cf74ecac78948e0be4520e3f6deca8e7a7de205e2fc864670fe74741510d69d3da8e5e6590b136a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5246327.exe

Filesize
684KB

MD5
4bbc7cea411782550b102f448ab85569

SHA1
667e75bdc3703ddaec70ab844e610a7cfa9dc07f

SHA256
a027b05275674c11b25f7dc65e33f5d5f84ab4458254f5fe83aebce195ec638c

SHA512
ce592d9474b108474b392103882255640cf29cbaaa7d32e6cf74ecac78948e0be4520e3f6deca8e7a7de205e2fc864670fe74741510d69d3da8e5e6590b136a3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe

Filesize
292KB

MD5
e24d7ef09c0d1d5276ffd97562321fbb

SHA1
257404a9de7d67c03987932e57e6aaceedb0f294

SHA256
5d73986ec62453ef81000a245d3483fc9d6f588f87158e8e23544134f71dfa41

SHA512
3e2c1a6ff527a0e276b8de459377cfd792bd4b565a3c8f89beda437df7aca7b65c9e40d1794af2a0b6b5155ad9f89a42f121d0010a759c2cbd9c459f19344aba

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3944500.exe

Filesize
292KB

MD5
e24d7ef09c0d1d5276ffd97562321fbb

SHA1
257404a9de7d67c03987932e57e6aaceedb0f294

SHA256
5d73986ec62453ef81000a245d3483fc9d6f588f87158e8e23544134f71dfa41

SHA512
3e2c1a6ff527a0e276b8de459377cfd792bd4b565a3c8f89beda437df7aca7b65c9e40d1794af2a0b6b5155ad9f89a42f121d0010a759c2cbd9c459f19344aba

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe

Filesize
174KB

MD5
864ff05326c33af3ee39758d1f9d07bd

SHA1
0792e9327b364a412c7cc8cf98e51db38e06f1ca

SHA256
6d98f8f9be66635df930d2b1dc5f507b37868e23a046def8bb04d1f706114018

SHA512
9bb0a71bea7adc12a980ee7f94aac4f8962f8f289b0c331fe06dab4a1872cd7dbba361cb97b195d0ef8a89e9a234b3c652947450a4652f44290e8d8437912a1a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4521914.exe

Filesize
174KB

MD5
864ff05326c33af3ee39758d1f9d07bd

SHA1
0792e9327b364a412c7cc8cf98e51db38e06f1ca

SHA256
6d98f8f9be66635df930d2b1dc5f507b37868e23a046def8bb04d1f706114018

SHA512
9bb0a71bea7adc12a980ee7f94aac4f8962f8f289b0c331fe06dab4a1872cd7dbba361cb97b195d0ef8a89e9a234b3c652947450a4652f44290e8d8437912a1a

Download Submit
memory/3012-30-0x0000000000FE0000-0x0000000001010000-memory.dmp

Filesize
192KB

Download
memory/3012-31-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads