redline | 05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0

Resubmissions

07-11-2023 17:52

231107-wf7nmacf6s 10

06-05-2023 22:41

230506-2l4rtadd95 10

Analysis

max time kernel
140s
max time network
163s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
Size

1.5MB
MD5

213724da16f36242e50dafa7d142bba0
SHA1

2172e5e403c1fbacb444d555acd2dbdd597e7a4b
SHA256

05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0
SHA512

dc47b66d3ed3f1bf322b693396094ae5f2d223fb1c49c947dbe13b618447536da865dcdd1627086936e6918cb10d1f9e8a2cd44a22f3dfc268e8a258cde3a9d4
SSDEEP

24576:TyGku0Brki1KmZHmQW6fkS1gXSspfpFYrusyKelLQCnoH4cHvMi1wxZA7BIwnhpU:mNQjQWxOm9pfvnP5QCnq/PhwxZA95n

Score

10^/10

redline most infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i97602730.exei47041688.exei52140104.exei82794194.exea62984866.exe

pid process

2004 i97602730.exe
3028 i47041688.exe
2568 i52140104.exe
2632 i82794194.exe
2932 a62984866.exe

pid	process
2004	i97602730.exe
3028	i47041688.exe
2568	i52140104.exe
2632	i82794194.exe
2932	a62984866.exe

Loads dropped DLL 10 IoCs

Processes:

05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exei97602730.exei47041688.exei52140104.exei82794194.exea62984866.exe

pid	process
1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
2004	i97602730.exe
2004	i97602730.exe
3028	i47041688.exe
3028	i47041688.exe
2568	i52140104.exe
2568	i52140104.exe
2632	i82794194.exe
2632	i82794194.exe
2932	a62984866.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

i47041688.exei52140104.exei82794194.exe05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exei97602730.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i47041688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i52140104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i82794194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i97602730.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exei97602730.exei47041688.exei52140104.exei82794194.exe

description	pid	process	target process
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 1756 wrote to memory of 2004	1756	05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe	i97602730.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 2004 wrote to memory of 3028	2004	i97602730.exe	i47041688.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 3028 wrote to memory of 2568	3028	i47041688.exe	i52140104.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2568 wrote to memory of 2632	2568	i52140104.exe	i82794194.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe
PID 2632 wrote to memory of 2932	2632	i82794194.exe	a62984866.exe

C:\Users\Admin\AppData\Local\Temp\05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe
"C:\Users\Admin\AppData\Local\Temp\05d00a8fe7a135a76e633e780fe166690fbc24c81b7e92147d4720132883bcc0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
Filesize
1.3MB

MD5
08f44ad67e6c3f45dd5722b6ac7b0bff

SHA1
7a607210adc252586152b9db03eec1926f625c2b

SHA256
4b52fec53b41632f5e03f5cdc601227da51082995111760af754370a535c6e00

SHA512
f08a5d772a6085af217a312d35752036832d59cfa0a61edbacad80e73ed227b540abce0e1f24bb48baddcd1a895f923320fc5318e46b4bd862a91a45207ab24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
Filesize
1.3MB

MD5
08f44ad67e6c3f45dd5722b6ac7b0bff

SHA1
7a607210adc252586152b9db03eec1926f625c2b

SHA256
4b52fec53b41632f5e03f5cdc601227da51082995111760af754370a535c6e00

SHA512
f08a5d772a6085af217a312d35752036832d59cfa0a61edbacad80e73ed227b540abce0e1f24bb48baddcd1a895f923320fc5318e46b4bd862a91a45207ab24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
Filesize
1015KB

MD5
1eb8ce540f25218c5ad2cd13c1de0f95

SHA1
0a830367b491640c0b3668184b2fb743bf962341

SHA256
a9530b01570a936aa99b84f1cf557f8bff74bd0233726407b0d75e27db887dd8

SHA512
18b3b38b236987ad95baf4a367984f31226cf706a974661d7500b24fc253fe401c8fa608075d10b4945efb9c8efd443d9af5357eb4eca45f2cb99c08addb869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
Filesize
1015KB

MD5
1eb8ce540f25218c5ad2cd13c1de0f95

SHA1
0a830367b491640c0b3668184b2fb743bf962341

SHA256
a9530b01570a936aa99b84f1cf557f8bff74bd0233726407b0d75e27db887dd8

SHA512
18b3b38b236987ad95baf4a367984f31226cf706a974661d7500b24fc253fe401c8fa608075d10b4945efb9c8efd443d9af5357eb4eca45f2cb99c08addb869f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
Filesize
843KB

MD5
285dba2edeac627e730574a01009a1f4

SHA1
648cf268cf65450f23f6210b8b1709788100b491

SHA256
cce4fce89219707c95276b0491e56c8db7b929834e6f123fc29801ecc8a00de4

SHA512
025e4e90bd1f4fbe71d5e187b5879467ead58507f64e9e1ff9dec28948c0632996daa8fabe0d62cbed39ad44d35d436ae375dc85595af5769ce2db9fc6008f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
Filesize
843KB

MD5
285dba2edeac627e730574a01009a1f4

SHA1
648cf268cf65450f23f6210b8b1709788100b491

SHA256
cce4fce89219707c95276b0491e56c8db7b929834e6f123fc29801ecc8a00de4

SHA512
025e4e90bd1f4fbe71d5e187b5879467ead58507f64e9e1ff9dec28948c0632996daa8fabe0d62cbed39ad44d35d436ae375dc85595af5769ce2db9fc6008f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
Filesize
371KB

MD5
6c1f427979ad73239a8eb9e6e0e47088

SHA1
6c216ac5c1b5c06514ecd1dcd188aaea270f3709

SHA256
25eb0b75349a56ace309d640ee60fc93bebd2533ef699968638e47fb2b626848

SHA512
bc98f9ab19de262ecd12a38f75a3d6c98a6ca200b7ca4fd4f070b9e4a8170dd85fcd951b5d5d5e350e8b367a8472fb5bbee485a1bb0084bdf45bcca8549e268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
Filesize
371KB

MD5
6c1f427979ad73239a8eb9e6e0e47088

SHA1
6c216ac5c1b5c06514ecd1dcd188aaea270f3709

SHA256
25eb0b75349a56ace309d640ee60fc93bebd2533ef699968638e47fb2b626848

SHA512
bc98f9ab19de262ecd12a38f75a3d6c98a6ca200b7ca4fd4f070b9e4a8170dd85fcd951b5d5d5e350e8b367a8472fb5bbee485a1bb0084bdf45bcca8549e268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
Filesize
169KB

MD5
de7389ac7b0bece4d8398bdea8515bf7

SHA1
b3d182dcba4f9be20385976b63166f944769a8e1

SHA256
4f1b4c5e0a123f79bd88becdc22dd7ad133340291a69e348d556b7f201595cf9

SHA512
89aeacfead680fbeab21969a11a7681cd151f25cfd4e105a08bc04c98854792bdf65d91883acd832d15f10f3c1ec3ec76e4f88141ce26ff1b99f0405468982dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
Filesize
169KB

MD5
de7389ac7b0bece4d8398bdea8515bf7

SHA1
b3d182dcba4f9be20385976b63166f944769a8e1

SHA256
4f1b4c5e0a123f79bd88becdc22dd7ad133340291a69e348d556b7f201595cf9

SHA512
89aeacfead680fbeab21969a11a7681cd151f25cfd4e105a08bc04c98854792bdf65d91883acd832d15f10f3c1ec3ec76e4f88141ce26ff1b99f0405468982dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
Filesize
1.3MB

MD5
08f44ad67e6c3f45dd5722b6ac7b0bff

SHA1
7a607210adc252586152b9db03eec1926f625c2b

SHA256
4b52fec53b41632f5e03f5cdc601227da51082995111760af754370a535c6e00

SHA512
f08a5d772a6085af217a312d35752036832d59cfa0a61edbacad80e73ed227b540abce0e1f24bb48baddcd1a895f923320fc5318e46b4bd862a91a45207ab24c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97602730.exe
Filesize
1.3MB

MD5
08f44ad67e6c3f45dd5722b6ac7b0bff

SHA1
7a607210adc252586152b9db03eec1926f625c2b

SHA256
4b52fec53b41632f5e03f5cdc601227da51082995111760af754370a535c6e00

SHA512
f08a5d772a6085af217a312d35752036832d59cfa0a61edbacad80e73ed227b540abce0e1f24bb48baddcd1a895f923320fc5318e46b4bd862a91a45207ab24c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
Filesize
1015KB

MD5
1eb8ce540f25218c5ad2cd13c1de0f95

SHA1
0a830367b491640c0b3668184b2fb743bf962341

SHA256
a9530b01570a936aa99b84f1cf557f8bff74bd0233726407b0d75e27db887dd8

SHA512
18b3b38b236987ad95baf4a367984f31226cf706a974661d7500b24fc253fe401c8fa608075d10b4945efb9c8efd443d9af5357eb4eca45f2cb99c08addb869f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47041688.exe
Filesize
1015KB

MD5
1eb8ce540f25218c5ad2cd13c1de0f95

SHA1
0a830367b491640c0b3668184b2fb743bf962341

SHA256
a9530b01570a936aa99b84f1cf557f8bff74bd0233726407b0d75e27db887dd8

SHA512
18b3b38b236987ad95baf4a367984f31226cf706a974661d7500b24fc253fe401c8fa608075d10b4945efb9c8efd443d9af5357eb4eca45f2cb99c08addb869f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
Filesize
843KB

MD5
285dba2edeac627e730574a01009a1f4

SHA1
648cf268cf65450f23f6210b8b1709788100b491

SHA256
cce4fce89219707c95276b0491e56c8db7b929834e6f123fc29801ecc8a00de4

SHA512
025e4e90bd1f4fbe71d5e187b5879467ead58507f64e9e1ff9dec28948c0632996daa8fabe0d62cbed39ad44d35d436ae375dc85595af5769ce2db9fc6008f88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52140104.exe
Filesize
843KB

MD5
285dba2edeac627e730574a01009a1f4

SHA1
648cf268cf65450f23f6210b8b1709788100b491

SHA256
cce4fce89219707c95276b0491e56c8db7b929834e6f123fc29801ecc8a00de4

SHA512
025e4e90bd1f4fbe71d5e187b5879467ead58507f64e9e1ff9dec28948c0632996daa8fabe0d62cbed39ad44d35d436ae375dc85595af5769ce2db9fc6008f88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
Filesize
371KB

MD5
6c1f427979ad73239a8eb9e6e0e47088

SHA1
6c216ac5c1b5c06514ecd1dcd188aaea270f3709

SHA256
25eb0b75349a56ace309d640ee60fc93bebd2533ef699968638e47fb2b626848

SHA512
bc98f9ab19de262ecd12a38f75a3d6c98a6ca200b7ca4fd4f070b9e4a8170dd85fcd951b5d5d5e350e8b367a8472fb5bbee485a1bb0084bdf45bcca8549e268f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82794194.exe
Filesize
371KB

MD5
6c1f427979ad73239a8eb9e6e0e47088

SHA1
6c216ac5c1b5c06514ecd1dcd188aaea270f3709

SHA256
25eb0b75349a56ace309d640ee60fc93bebd2533ef699968638e47fb2b626848

SHA512
bc98f9ab19de262ecd12a38f75a3d6c98a6ca200b7ca4fd4f070b9e4a8170dd85fcd951b5d5d5e350e8b367a8472fb5bbee485a1bb0084bdf45bcca8549e268f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
Filesize
169KB

MD5
de7389ac7b0bece4d8398bdea8515bf7

SHA1
b3d182dcba4f9be20385976b63166f944769a8e1

SHA256
4f1b4c5e0a123f79bd88becdc22dd7ad133340291a69e348d556b7f201595cf9

SHA512
89aeacfead680fbeab21969a11a7681cd151f25cfd4e105a08bc04c98854792bdf65d91883acd832d15f10f3c1ec3ec76e4f88141ce26ff1b99f0405468982dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a62984866.exe
Filesize
169KB

MD5
de7389ac7b0bece4d8398bdea8515bf7

SHA1
b3d182dcba4f9be20385976b63166f944769a8e1

SHA256
4f1b4c5e0a123f79bd88becdc22dd7ad133340291a69e348d556b7f201595cf9

SHA512
89aeacfead680fbeab21969a11a7681cd151f25cfd4e105a08bc04c98854792bdf65d91883acd832d15f10f3c1ec3ec76e4f88141ce26ff1b99f0405468982dd

Download Submit
memory/2932-50-0x0000000001280000-0x00000000012B0000-memory.dmp

Filesize
192KB

Download
memory/2932-51-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download