Analysis
max time kernel: 146s
max time network: 186s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 12/10/2023, 06:16
Static task: static1
Behavioral task: behavioral1
  Sample: 629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
  Resource: win10v2004-20230915-en
General
Target: 629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
Size: 696KB
MD5: a889b2f797c2175310e7d372def8d22d
SHA1: 8b2b3c8e861b5ab0b20204bc6d064409e66da7f6
SHA256: 629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9
SHA512: 60fb9fe93dc0131a5f90122f438ba0cb8414228a8321a12b834df8d9bcca5f581b4bcceff48cf0c3ebbab41d0798dc656502a64267c7fd65ef78e89347e591e6
SSDEEP: 12288:YMrXy90GwkKvjQaQ8Yf/a+Hil+HXkdzHmAt7IO56en6lzYwgd:vyDovjQaY/ziKeHmLeeYPd
Malware Config
Extracted
redline
tuxiu
77.91.124.82:19071
auth_value 29610cdad07e7187eec70685a04b89fe
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
resource  yara_rule
behavioral1/files/0x0008000000016338-24.dat  family_redline
behavioral1/files/0x0008000000016338-26.dat  family_redline
behavioral1/files/0x0008000000016338-29.dat  family_redline
behavioral1/files/0x0008000000016338-28.dat  family_redline
behavioral1/memory/2716-30-0x0000000000DE0000-0x0000000000E10000-memory.dmp  family_redline
Executes dropped EXE 3 IoCs
pid  Process
1296  x1129001.exe
2348  x6220429.exe
2716  h0102139.exe
Loads dropped DLL 6 IoCs
pid  Process
2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
1296  x1129001.exe
1296  x1129001.exe
2348  x6220429.exe
2348  x6220429.exe
2716  h0102139.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x1129001.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  x6220429.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
Suspicious use of WriteProcessMemory 21 IoCs
description  pid  Process  procid_target
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 2344 wrote to memory of 1296  2344  629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe  27
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 1296 wrote to memory of 2348  1296  x1129001.exe  28
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
PID 2348 wrote to memory of 2716  2348  x6220429.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\629788252ac0fa88c0b07e70f6ffde2b0a9e5eaf8ee331fa4080dc2a3eee30b9.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2344
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1129001.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1129001.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1296
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6220429.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6220429.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2348
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0102139.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0102139.exe
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 595KB
MD5: 52c99a9b02c39476c8f5f3354a85f761
SHA1: 31d004f1a7122248adf3b1a430b1cd7c18ee0da3
SHA256: 5ee423e614279aee8fb0e581b80fc178fdd1f7c97c837934e30c222a13754037
SHA512: 69f6efc87688e54020f0a61973e425f819c51c76a2c50302af59d8123f68c1486768a251c344d4263fa317556135956e9a59b7bc3d65742c907adef6be2a882c
Filesize: 292KB
MD5: 5b15c706e1cada2e6ae5b224602aed83
SHA1: 390b402e94e95e8d6ccf5c411348858f43bcdeba
SHA256: bdfc72ed7e9d6bba7e446ea0b75793d08dd57e0f058a77ad49cb602cc1a7a797
SHA512: d29b2bacd024d72680a97a327a857ebc483519198d783458c2ce2853c9d5f5d90e6cf8ae9294cb55c6f5b19a0c4770f9868c0e899725d0d8efe541b56d1d42a0
Filesize: 174KB
MD5: 2eb2cc980f6c71d3cb10f7abc1adbecb
SHA1: 7e06551a195e11a88a03d0a88a82270e81638d97
SHA256: 93bfc8ba65ffe845ff31659cfe8d93cb3ecd6e24e699f84cd56f5a5abe554613
SHA512: a79fc7f474d06af732d5c8d3e5a4d1f594930a62ea2a839a05ef00d682aa667c75ff21199670331b56e8b05ff92286456218d4045c4a210aef075b4a909505d8