redline | 035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e

Analysis

max time kernel
137s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe
Size

784KB
MD5

5fb986657858f401d995c141ed736be6
SHA1

fcb369bc935fced9e2122937592e58775b39202f
SHA256

035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e
SHA512

f84b554b31863537af679d6327d67e7817ca8b5ab804dc814f95a5c355b5d0dd848fd75beaaa2a69c2ded94e5b31547bcca9d6e4b51094f8bc04d7dd549bf056
SSDEEP

12288:rMrny90DdlBY4yCCnt1N7Foibe1vGQXdaW3bC1PDMfA:cymBY4yCCn57GibeNNthLo

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2888	x5223231.exe
2652	x8591680.exe
2808	h5728316.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe
2888	x5223231.exe
2888	x5223231.exe
2652	x8591680.exe
2652	x8591680.exe
2808	h5728316.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5223231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8591680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 1728 wrote to memory of 2888	1728	035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe	28
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2888 wrote to memory of 2652	2888	x5223231.exe	29
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30
PID 2652 wrote to memory of 2808	2652	x8591680.exe	30

C:\Users\Admin\AppData\Local\Temp\035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe
"C:\Users\Admin\AppData\Local\Temp\035731cbc9eec212f39a71a0331ab24f6d6d8418b54d7c0585a818db709f211e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe

Filesize
683KB

MD5
08f4c5b04a627860ba1f3e5b3a4a3eef

SHA1
f90cf899c56b3fe71a8d019ed9a87dc06b7c038e

SHA256
208abfa78253241b015d7c23cf1e238a850bb680bc34fe2b5877dd8352f17ce4

SHA512
0c2c6fb64285c862d7ff4fa934551c48f0a066184b4027ad01e1c4aca28b3f66debed6f8edfacacbf5aed2f6371d04dc9874b3ff16de5d1906b2e549f3500bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe

Filesize
683KB

MD5
08f4c5b04a627860ba1f3e5b3a4a3eef

SHA1
f90cf899c56b3fe71a8d019ed9a87dc06b7c038e

SHA256
208abfa78253241b015d7c23cf1e238a850bb680bc34fe2b5877dd8352f17ce4

SHA512
0c2c6fb64285c862d7ff4fa934551c48f0a066184b4027ad01e1c4aca28b3f66debed6f8edfacacbf5aed2f6371d04dc9874b3ff16de5d1906b2e549f3500bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe

Filesize
292KB

MD5
eb2cc437c2a42fbaabfa6f9966de3d59

SHA1
d0cc5f90f98d1734017ffd5e92c884a148f20cbb

SHA256
32a158e9c17bd4947d0c5ca6e64baa791942a03d16d125c59b50b7605c5d2e07

SHA512
2249d0f290d9bc44b45d3b9808f28dfdecb0ba594f361436e0a0672ff374bd8d81817a539ebb4a25fb55070efc87e03a52f3ee47a6311de9baeaa51014572b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe

Filesize
292KB

MD5
eb2cc437c2a42fbaabfa6f9966de3d59

SHA1
d0cc5f90f98d1734017ffd5e92c884a148f20cbb

SHA256
32a158e9c17bd4947d0c5ca6e64baa791942a03d16d125c59b50b7605c5d2e07

SHA512
2249d0f290d9bc44b45d3b9808f28dfdecb0ba594f361436e0a0672ff374bd8d81817a539ebb4a25fb55070efc87e03a52f3ee47a6311de9baeaa51014572b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe

Filesize
174KB

MD5
c205d5f117d2e207fac5e86e3168a905

SHA1
dc11d0c7d69bdb3cbacbd6760b3aba88f1f552ec

SHA256
6233d6b1fdfd2250cdc8c6d1d363f9cd9f9bad6f9228553fbd1d76d4912e1905

SHA512
6aaa8dec202b76d16b3dfd9a412dd16f39bc6321ae04e05a5b79ff8681c145a4f2d082ffd3be48913ba0aec1d49b34c1d6b6b779e4d7a30a125d456a1663e440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe

Filesize
174KB

MD5
c205d5f117d2e207fac5e86e3168a905

SHA1
dc11d0c7d69bdb3cbacbd6760b3aba88f1f552ec

SHA256
6233d6b1fdfd2250cdc8c6d1d363f9cd9f9bad6f9228553fbd1d76d4912e1905

SHA512
6aaa8dec202b76d16b3dfd9a412dd16f39bc6321ae04e05a5b79ff8681c145a4f2d082ffd3be48913ba0aec1d49b34c1d6b6b779e4d7a30a125d456a1663e440

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe

Filesize
683KB

MD5
08f4c5b04a627860ba1f3e5b3a4a3eef

SHA1
f90cf899c56b3fe71a8d019ed9a87dc06b7c038e

SHA256
208abfa78253241b015d7c23cf1e238a850bb680bc34fe2b5877dd8352f17ce4

SHA512
0c2c6fb64285c862d7ff4fa934551c48f0a066184b4027ad01e1c4aca28b3f66debed6f8edfacacbf5aed2f6371d04dc9874b3ff16de5d1906b2e549f3500bec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5223231.exe

Filesize
683KB

MD5
08f4c5b04a627860ba1f3e5b3a4a3eef

SHA1
f90cf899c56b3fe71a8d019ed9a87dc06b7c038e

SHA256
208abfa78253241b015d7c23cf1e238a850bb680bc34fe2b5877dd8352f17ce4

SHA512
0c2c6fb64285c862d7ff4fa934551c48f0a066184b4027ad01e1c4aca28b3f66debed6f8edfacacbf5aed2f6371d04dc9874b3ff16de5d1906b2e549f3500bec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe

Filesize
292KB

MD5
eb2cc437c2a42fbaabfa6f9966de3d59

SHA1
d0cc5f90f98d1734017ffd5e92c884a148f20cbb

SHA256
32a158e9c17bd4947d0c5ca6e64baa791942a03d16d125c59b50b7605c5d2e07

SHA512
2249d0f290d9bc44b45d3b9808f28dfdecb0ba594f361436e0a0672ff374bd8d81817a539ebb4a25fb55070efc87e03a52f3ee47a6311de9baeaa51014572b35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8591680.exe

Filesize
292KB

MD5
eb2cc437c2a42fbaabfa6f9966de3d59

SHA1
d0cc5f90f98d1734017ffd5e92c884a148f20cbb

SHA256
32a158e9c17bd4947d0c5ca6e64baa791942a03d16d125c59b50b7605c5d2e07

SHA512
2249d0f290d9bc44b45d3b9808f28dfdecb0ba594f361436e0a0672ff374bd8d81817a539ebb4a25fb55070efc87e03a52f3ee47a6311de9baeaa51014572b35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe

Filesize
174KB

MD5
c205d5f117d2e207fac5e86e3168a905

SHA1
dc11d0c7d69bdb3cbacbd6760b3aba88f1f552ec

SHA256
6233d6b1fdfd2250cdc8c6d1d363f9cd9f9bad6f9228553fbd1d76d4912e1905

SHA512
6aaa8dec202b76d16b3dfd9a412dd16f39bc6321ae04e05a5b79ff8681c145a4f2d082ffd3be48913ba0aec1d49b34c1d6b6b779e4d7a30a125d456a1663e440

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5728316.exe

Filesize
174KB

MD5
c205d5f117d2e207fac5e86e3168a905

SHA1
dc11d0c7d69bdb3cbacbd6760b3aba88f1f552ec

SHA256
6233d6b1fdfd2250cdc8c6d1d363f9cd9f9bad6f9228553fbd1d76d4912e1905

SHA512
6aaa8dec202b76d16b3dfd9a412dd16f39bc6321ae04e05a5b79ff8681c145a4f2d082ffd3be48913ba0aec1d49b34c1d6b6b779e4d7a30a125d456a1663e440

Download Submit
memory/2808-30-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/2808-31-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads