redline | 1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4

Analysis

max time kernel
134s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe
Size

786KB
MD5

adaa77ab5345876ec6edaee2d86b51e8
SHA1

65eec4bcdd12b106fd36e43b4cad12a328cad9af
SHA256

1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4
SHA512

f0ae6dce7c867455f25555c93dc08ca6c31dcd7a560e2e003d17aac4c27a265cd3f361c00e7245ca79b92f154f470bb8a5fc26c7ec66107d2ce616b9b8d3e965
SSDEEP

12288:ZMrLy90vRMGnc0miXx5kJ8tKNuWG6yyFQG99kcRTAcvEeos7QROwHD4q:WyHgOiXxGaVlgMKAcvEAQROSDZ

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3056	x3585100.exe
2644	x4457712.exe
2848	h1347258.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe
3056	x3585100.exe
3056	x3585100.exe
2644	x4457712.exe
2644	x4457712.exe
2848	h1347258.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3585100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4457712.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 2696 wrote to memory of 3056	2696	1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe	28
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 3056 wrote to memory of 2644	3056	x3585100.exe	29
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30
PID 2644 wrote to memory of 2848	2644	x4457712.exe	30

C:\Users\Admin\AppData\Local\Temp\1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe
"C:\Users\Admin\AppData\Local\Temp\1454972d34fc307860af1a1cc42082bf8715c3cc5b881045b06565efbd87f7b4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe

Filesize
684KB

MD5
e558f921c8dd8bffda926c3871021cc2

SHA1
fbba2290117a24c65a0de4d347a18026433acc51

SHA256
40029e6a606df920fbb8faf5b2ecf010710358d7ae4cc95ec8ff9668cad766e2

SHA512
f7e0ad89c4489d1c45e49638af6a0ae07161ecbccee23755a3bc6794b0c9f6e7d62483e9f07116264732787fce50236455ecd1254e7581f152769fc3b541ba81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe

Filesize
684KB

MD5
e558f921c8dd8bffda926c3871021cc2

SHA1
fbba2290117a24c65a0de4d347a18026433acc51

SHA256
40029e6a606df920fbb8faf5b2ecf010710358d7ae4cc95ec8ff9668cad766e2

SHA512
f7e0ad89c4489d1c45e49638af6a0ae07161ecbccee23755a3bc6794b0c9f6e7d62483e9f07116264732787fce50236455ecd1254e7581f152769fc3b541ba81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe

Filesize
292KB

MD5
f7412657c52be0b52ad5c68d590ba289

SHA1
1af669b03f9a5afbd946451b0e0dded36f225882

SHA256
701f21c86ef02cb92a8286518ff95d633106e5c97a3ff45d5d6f6370a0309554

SHA512
a6d17d5e15f456f8df0f5fd815ce298ff48f75a9758e4b200c713656234a9e2a87920871199d58ae1d9687e8718e12319b3b3709af8d27c017462797163e023f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe

Filesize
292KB

MD5
f7412657c52be0b52ad5c68d590ba289

SHA1
1af669b03f9a5afbd946451b0e0dded36f225882

SHA256
701f21c86ef02cb92a8286518ff95d633106e5c97a3ff45d5d6f6370a0309554

SHA512
a6d17d5e15f456f8df0f5fd815ce298ff48f75a9758e4b200c713656234a9e2a87920871199d58ae1d9687e8718e12319b3b3709af8d27c017462797163e023f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe

Filesize
174KB

MD5
f5dce10fc07e324fc1789d3bf5f29b8f

SHA1
454e7978385023d371593c49faf6b9a7d6ff01b9

SHA256
21e8d3a1e026185f419db64f4425e56f006cfa034b85bc4cb3282d16a8112f46

SHA512
b207a232368550897aeec0fa402917698a45733b67ac77c34bc2bb820d1d4dc7d00b51236d505484dc95c99985c6dc4306583c80ef5b9b59e27c916ee59f7b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe

Filesize
174KB

MD5
f5dce10fc07e324fc1789d3bf5f29b8f

SHA1
454e7978385023d371593c49faf6b9a7d6ff01b9

SHA256
21e8d3a1e026185f419db64f4425e56f006cfa034b85bc4cb3282d16a8112f46

SHA512
b207a232368550897aeec0fa402917698a45733b67ac77c34bc2bb820d1d4dc7d00b51236d505484dc95c99985c6dc4306583c80ef5b9b59e27c916ee59f7b08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe

Filesize
684KB

MD5
e558f921c8dd8bffda926c3871021cc2

SHA1
fbba2290117a24c65a0de4d347a18026433acc51

SHA256
40029e6a606df920fbb8faf5b2ecf010710358d7ae4cc95ec8ff9668cad766e2

SHA512
f7e0ad89c4489d1c45e49638af6a0ae07161ecbccee23755a3bc6794b0c9f6e7d62483e9f07116264732787fce50236455ecd1254e7581f152769fc3b541ba81

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3585100.exe

Filesize
684KB

MD5
e558f921c8dd8bffda926c3871021cc2

SHA1
fbba2290117a24c65a0de4d347a18026433acc51

SHA256
40029e6a606df920fbb8faf5b2ecf010710358d7ae4cc95ec8ff9668cad766e2

SHA512
f7e0ad89c4489d1c45e49638af6a0ae07161ecbccee23755a3bc6794b0c9f6e7d62483e9f07116264732787fce50236455ecd1254e7581f152769fc3b541ba81

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe

Filesize
292KB

MD5
f7412657c52be0b52ad5c68d590ba289

SHA1
1af669b03f9a5afbd946451b0e0dded36f225882

SHA256
701f21c86ef02cb92a8286518ff95d633106e5c97a3ff45d5d6f6370a0309554

SHA512
a6d17d5e15f456f8df0f5fd815ce298ff48f75a9758e4b200c713656234a9e2a87920871199d58ae1d9687e8718e12319b3b3709af8d27c017462797163e023f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4457712.exe

Filesize
292KB

MD5
f7412657c52be0b52ad5c68d590ba289

SHA1
1af669b03f9a5afbd946451b0e0dded36f225882

SHA256
701f21c86ef02cb92a8286518ff95d633106e5c97a3ff45d5d6f6370a0309554

SHA512
a6d17d5e15f456f8df0f5fd815ce298ff48f75a9758e4b200c713656234a9e2a87920871199d58ae1d9687e8718e12319b3b3709af8d27c017462797163e023f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe

Filesize
174KB

MD5
f5dce10fc07e324fc1789d3bf5f29b8f

SHA1
454e7978385023d371593c49faf6b9a7d6ff01b9

SHA256
21e8d3a1e026185f419db64f4425e56f006cfa034b85bc4cb3282d16a8112f46

SHA512
b207a232368550897aeec0fa402917698a45733b67ac77c34bc2bb820d1d4dc7d00b51236d505484dc95c99985c6dc4306583c80ef5b9b59e27c916ee59f7b08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1347258.exe

Filesize
174KB

MD5
f5dce10fc07e324fc1789d3bf5f29b8f

SHA1
454e7978385023d371593c49faf6b9a7d6ff01b9

SHA256
21e8d3a1e026185f419db64f4425e56f006cfa034b85bc4cb3282d16a8112f46

SHA512
b207a232368550897aeec0fa402917698a45733b67ac77c34bc2bb820d1d4dc7d00b51236d505484dc95c99985c6dc4306583c80ef5b9b59e27c916ee59f7b08

Download Submit
memory/2848-30-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/2848-31-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads