redline | 8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe
Size

785KB
MD5

49c1a6002864b9753fa8fff17984d2b1
SHA1

dee83397a5cf6bd4f826105b11ab02628a28efb5
SHA256

8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0
SHA512

8d1b5aa823a034c3801a76e246f9f626c73caeb7773f5ea2bf0bc13a99cb56ebe88ad457d30b51fd142df3571ffc087009628b8a71d6823b305ba102f179acd6
SSDEEP

12288:xMr8y90UCV5XOikVx5OwtWrCBNUDmo5tQ02QEVmt3oYdXTQVu5IgiE+dRD:lyM7XOimKrCBNUDUjRVmtYEKu5IYw

Score

10^/10

redline buben infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2072	x6285012.exe
2192	x0889584.exe
2236	h6794201.exe

Loads dropped DLL 6 IoCs

pid	Process
2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe
2072	x6285012.exe
2072	x6285012.exe
2192	x0889584.exe
2192	x0889584.exe
2236	h6794201.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6285012.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0889584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2068 wrote to memory of 2072	2068	8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe	29
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2072 wrote to memory of 2192	2072	x6285012.exe	30
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31
PID 2192 wrote to memory of 2236	2192	x0889584.exe	31

C:\Users\Admin\AppData\Local\Temp\8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe
"C:\Users\Admin\AppData\Local\Temp\8c997966a10b4c7af322c684eb3dc1fdff3c5d9d9dc31440365d20076e80dae0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe

Filesize
683KB

MD5
9b73bd151739ea2513949071e185f4d1

SHA1
788b75d340595e915f134fa56020621b789cf5f1

SHA256
b5f3d28f122fa325c89cb715dba5015cc22b93c9a10f26810ffbc10c0009bb21

SHA512
e6e336c5ff92893717c2950cc1b965ba9b4acd71c2120bd20cf937f1a57c817e61039e2cfc5bbd5c6b71f373722b4e3a139cbb4d78a15999e161005b27cfebc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe

Filesize
683KB

MD5
9b73bd151739ea2513949071e185f4d1

SHA1
788b75d340595e915f134fa56020621b789cf5f1

SHA256
b5f3d28f122fa325c89cb715dba5015cc22b93c9a10f26810ffbc10c0009bb21

SHA512
e6e336c5ff92893717c2950cc1b965ba9b4acd71c2120bd20cf937f1a57c817e61039e2cfc5bbd5c6b71f373722b4e3a139cbb4d78a15999e161005b27cfebc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe

Filesize
292KB

MD5
4ca0e77c31f3e78013f8bb2704deaa4f

SHA1
f50bf658c8277f6b2dbac3201ea3f115c7299cea

SHA256
ab70dc2e36f232b4fe0d8106f3a59cbabf34820f14ac969e32d2175d28a7b0f5

SHA512
60153eba6b70493efff8dca9b87fcb4d4420805bf62f52a66e67ec9359173f0d35e71d1f7f9c0b52b866e207545673444dacda01e436633d102cdbb5175b4cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe

Filesize
292KB

MD5
4ca0e77c31f3e78013f8bb2704deaa4f

SHA1
f50bf658c8277f6b2dbac3201ea3f115c7299cea

SHA256
ab70dc2e36f232b4fe0d8106f3a59cbabf34820f14ac969e32d2175d28a7b0f5

SHA512
60153eba6b70493efff8dca9b87fcb4d4420805bf62f52a66e67ec9359173f0d35e71d1f7f9c0b52b866e207545673444dacda01e436633d102cdbb5175b4cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe

Filesize
174KB

MD5
9d64f14c5111cde3023a63f3e29951ff

SHA1
c560823c3ce07c01e4303b8745b550a6bd0ab4f3

SHA256
3d47deb2c8516b39d957a2013a3a383d553505b4c7eeffa02e791373f39072c0

SHA512
30234a5b0536135eafe4ed8d967ee9a35f60747ad7551be08cd7bf95d7c8fe6ea0dd84d373cde8a8642bb82a25b47cbe1c446c0f161f2c714e23f3ebaff3cd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe

Filesize
174KB

MD5
9d64f14c5111cde3023a63f3e29951ff

SHA1
c560823c3ce07c01e4303b8745b550a6bd0ab4f3

SHA256
3d47deb2c8516b39d957a2013a3a383d553505b4c7eeffa02e791373f39072c0

SHA512
30234a5b0536135eafe4ed8d967ee9a35f60747ad7551be08cd7bf95d7c8fe6ea0dd84d373cde8a8642bb82a25b47cbe1c446c0f161f2c714e23f3ebaff3cd09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe

Filesize
683KB

MD5
9b73bd151739ea2513949071e185f4d1

SHA1
788b75d340595e915f134fa56020621b789cf5f1

SHA256
b5f3d28f122fa325c89cb715dba5015cc22b93c9a10f26810ffbc10c0009bb21

SHA512
e6e336c5ff92893717c2950cc1b965ba9b4acd71c2120bd20cf937f1a57c817e61039e2cfc5bbd5c6b71f373722b4e3a139cbb4d78a15999e161005b27cfebc6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6285012.exe

Filesize
683KB

MD5
9b73bd151739ea2513949071e185f4d1

SHA1
788b75d340595e915f134fa56020621b789cf5f1

SHA256
b5f3d28f122fa325c89cb715dba5015cc22b93c9a10f26810ffbc10c0009bb21

SHA512
e6e336c5ff92893717c2950cc1b965ba9b4acd71c2120bd20cf937f1a57c817e61039e2cfc5bbd5c6b71f373722b4e3a139cbb4d78a15999e161005b27cfebc6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe

Filesize
292KB

MD5
4ca0e77c31f3e78013f8bb2704deaa4f

SHA1
f50bf658c8277f6b2dbac3201ea3f115c7299cea

SHA256
ab70dc2e36f232b4fe0d8106f3a59cbabf34820f14ac969e32d2175d28a7b0f5

SHA512
60153eba6b70493efff8dca9b87fcb4d4420805bf62f52a66e67ec9359173f0d35e71d1f7f9c0b52b866e207545673444dacda01e436633d102cdbb5175b4cfc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0889584.exe

Filesize
292KB

MD5
4ca0e77c31f3e78013f8bb2704deaa4f

SHA1
f50bf658c8277f6b2dbac3201ea3f115c7299cea

SHA256
ab70dc2e36f232b4fe0d8106f3a59cbabf34820f14ac969e32d2175d28a7b0f5

SHA512
60153eba6b70493efff8dca9b87fcb4d4420805bf62f52a66e67ec9359173f0d35e71d1f7f9c0b52b866e207545673444dacda01e436633d102cdbb5175b4cfc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe

Filesize
174KB

MD5
9d64f14c5111cde3023a63f3e29951ff

SHA1
c560823c3ce07c01e4303b8745b550a6bd0ab4f3

SHA256
3d47deb2c8516b39d957a2013a3a383d553505b4c7eeffa02e791373f39072c0

SHA512
30234a5b0536135eafe4ed8d967ee9a35f60747ad7551be08cd7bf95d7c8fe6ea0dd84d373cde8a8642bb82a25b47cbe1c446c0f161f2c714e23f3ebaff3cd09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6794201.exe

Filesize
174KB

MD5
9d64f14c5111cde3023a63f3e29951ff

SHA1
c560823c3ce07c01e4303b8745b550a6bd0ab4f3

SHA256
3d47deb2c8516b39d957a2013a3a383d553505b4c7eeffa02e791373f39072c0

SHA512
30234a5b0536135eafe4ed8d967ee9a35f60747ad7551be08cd7bf95d7c8fe6ea0dd84d373cde8a8642bb82a25b47cbe1c446c0f161f2c714e23f3ebaff3cd09

Download Submit
memory/2236-30-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/2236-31-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads