redline | c44c1e7f26b17b74b3650e6e728d02d4c1540fb9343ba49449bccc24d414a232

Analysis

max time kernel
2s
max time network
23s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
Size

20.9MB
MD5

2e501240ec8b9aab46d76a6504e44882
SHA1

1a97d7662e66502faa5a7718565bb362eb6f27bd
SHA256

582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00
SHA512

eae4aacbfcee43ad8f9b2acbddb1b3b71c2aec0064bc6605107eb8b254614361c77984d09e7eabb91fc26634822ac448d8be884dd8f174021c52979690c2f97b
SSDEEP

98304:Kj1ZAxOCU3yUetDvB6ti3FOU8jRdqY9d2omTt20+NVZ:mAxOCU3yUetDvB6ti1aOTtlcVZ

Score

10^/10

redline gg infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

67.203.7.148:2909

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\WinNet\gg.exe	family_redline
C:\ProgramData\WinNet\gg.exe	family_redline
behavioral1/memory/2144-51-0x00000000000E0000-0x0000000000130000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

embedded.exegg.exeAnyDesk.exe

pid process

2700 embedded.exe
2144 gg.exe
2620 AnyDesk.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2964 cmd.exe

pid	process
2700	embedded.exe
2144	gg.exe
2620	AnyDesk.exe

pid	process
2964	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Repository = "C:\\ProgramData\\WinNet\\gg.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Repository = "C:\\ProgramData\\WinNet\\gg.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

1648 REG.exe
2388 REG.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

AnyDesk.exe

pid process

2620 AnyDesk.exe

pid	process
1648	REG.exe
2388	REG.exe

pid	process
2620	AnyDesk.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.execmd.execmd.exeembedded.exeWScript.execmd.exe

description	pid	process	target process
PID 2476 wrote to memory of 1648	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	REG.exe
PID 2476 wrote to memory of 1648	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	REG.exe
PID 2476 wrote to memory of 1648	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	REG.exe
PID 2476 wrote to memory of 2964	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2476 wrote to memory of 2964	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2476 wrote to memory of 2964	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2476 wrote to memory of 2528	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2476 wrote to memory of 2528	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2476 wrote to memory of 2528	2476	582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe	cmd.exe
PID 2964 wrote to memory of 2700	2964	cmd.exe	embedded.exe
PID 2964 wrote to memory of 2700	2964	cmd.exe	embedded.exe
PID 2964 wrote to memory of 2700	2964	cmd.exe	embedded.exe
PID 2528 wrote to memory of 2768	2528	cmd.exe	WScript.exe
PID 2528 wrote to memory of 2768	2528	cmd.exe	WScript.exe
PID 2528 wrote to memory of 2768	2528	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2388	2700	embedded.exe	REG.exe
PID 2700 wrote to memory of 2388	2700	embedded.exe	REG.exe
PID 2700 wrote to memory of 2388	2700	embedded.exe	REG.exe
PID 2700 wrote to memory of 2152	2700	embedded.exe	cmd.exe
PID 2700 wrote to memory of 2152	2700	embedded.exe	cmd.exe
PID 2700 wrote to memory of 2152	2700	embedded.exe	cmd.exe
PID 2700 wrote to memory of 2904	2700	embedded.exe	cmd.exe
PID 2700 wrote to memory of 2904	2700	embedded.exe	cmd.exe
PID 2700 wrote to memory of 2904	2700	embedded.exe	cmd.exe
PID 2768 wrote to memory of 2144	2768	WScript.exe	gg.exe
PID 2768 wrote to memory of 2144	2768	WScript.exe	gg.exe
PID 2768 wrote to memory of 2144	2768	WScript.exe	gg.exe
PID 2768 wrote to memory of 2144	2768	WScript.exe	gg.exe
PID 2152 wrote to memory of 2620	2152	cmd.exe	AnyDesk.exe
PID 2152 wrote to memory of 2620	2152	cmd.exe	AnyDesk.exe
PID 2152 wrote to memory of 2620	2152	cmd.exe	AnyDesk.exe
PID 2152 wrote to memory of 2620	2152	cmd.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe
"C:\Users\Admin\AppData\Local\Temp\582cf0470ba0d2c2ef2c3fee83442db0e345656f7d7c46ee5b613998fdd6ee00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\REG.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Repository /t REG_SZ /F /D C:\ProgramData\WinNet\gg.exe
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1648

C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\WinNet\embedded.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964

C:\ProgramData\WinNet\embedded.exe
C:\ProgramData\WinNet\embedded.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\REG.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Repository /t REG_SZ /F /D C:\ProgramData\WinNet\gg.exe
4⤵
- Adds Run key to start application
- Modifies registry key
PID:2388

C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\WinNet\AnyDesk.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\ProgramData\WinNet\AnyDesk.exe
C:\ProgramData\WinNet\AnyDesk.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2620

C:\ProgramData\WinNet\AnyDesk.exe
"C:\ProgramData\WinNet\AnyDesk.exe" --local-service
6⤵
PID:1660

C:\ProgramData\WinNet\AnyDesk.exe
"C:\ProgramData\WinNet\AnyDesk.exe" --local-control
6⤵
PID:1460

C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\WinNet\p.vbs
4⤵
PID:2904

C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\WinNet\p.vbs
2⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\WinNet\p.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\ProgramData\WinNet\gg.exe
"C:\ProgramData\WinNet\gg.exe"
4⤵
- Executes dropped EXE
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinNet\AnyDesk.exe
Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\ProgramData\WinNet\AnyDesk.exe
Filesize
1.7MB

MD5
96732f4887e69445fef7def898144909

SHA1
e454ba9dbab9ada3b2f415219e5a5d9b8c36c3dd

SHA256
f01e56bdf79a541d4f4a2d27d4d879b2bb48bb31aefa89a8c80e04fd90c11856

SHA512
1491bf44f36e1c7b10a5a526195edbce9332f3afa6d1b133ee5a4a7b8c40b6ee95f00dcc2eb8cabc3ac1a0237789dba291fbfe10176902b598d8fdf77985425d

Download Submit
C:\ProgramData\WinNet\AnyDesk.exe
Filesize
2.2MB

MD5
6acec2c366db8de6e70c2815ee3ff16f

SHA1
969fe2249d95fea769a01445190cb280e2b8e0a9

SHA256
46bcc354ac574804bb7490c56b9fdef0334840344928813715db9b0430bd1f43

SHA512
97fe824ed2af002c9f377e74fcf36fd2cf9867eead6e50dd17ce42228848ab5bef78172e7b8d84d1b3775671c1c31fbb7155d46a161bccc1e6fc085a502ef9de

Download Submit
C:\ProgramData\WinNet\embedded.exe
Filesize
1.9MB

MD5
a7100bd42a9f183af51cf569ab8d2834

SHA1
ef25a1336d2c1853af965c27308ce410511e78c5

SHA256
c7398d4c823f3466c870e5157a6ee44ce662daa07592ed3bc262e50166584eed

SHA512
3eda8c39101b0f08eae8152fef87c8435b055417d3ff70a187d91e59f3be864e7f7ac13dcb89ebe9f1c20b2f0a25dc3caecd5374d6d0db100d00eba89cbc5cbc

Download Submit
C:\ProgramData\WinNet\gg.exe
Filesize
297KB

MD5
20ab063f206eb8115fde1479e05c245e

SHA1
2088f3c51a5ad9e11da999a7114623274cc69692

SHA256
5ec4818da47f24ac8762bf73d0395662639142f86b930db138e586c2eb91b29e

SHA512
2dc3181d57ee616c1bb5860d0007d06c04ba1a693064fe7044d9f07939e99e54e8b2864ebbb7268118784a691037dad6756532bd149c74aeedc993d0d0e4a0c5

Download Submit
C:\ProgramData\WinNet\gg.exe
Filesize
263KB

MD5
31081cce3c034582c1b261f5d8546f34

SHA1
e20ac11266b5627a875066c4355e5150677e2b66

SHA256
9f4a344557809031bdcffca2578ab21850c53fab6229d6287b08979dce8a49a1

SHA512
87fe2803d7ddce440db7675012352a28ce9481dc805c7d63685634b9b94242e116792a2b7993bf29302dc809102456a1562157ab53319d32a8a157f9cc32a0f5

Download Submit
C:\ProgramData\WinNet\p.vbs
Filesize
170B

MD5
3ba4cebb444685d48f8b0dfd67c8390d

SHA1
8b84e1821c39ec8658e603e498b07e08dda2e6d1

SHA256
7f2bb84f63b47f35ee7eb70a35d35b81b63a7bcd39029cfb918fb6839f45a70c

SHA512
42b8271cd6343f7d75f4d5398370ed7d614c2250ea43531a9f19e80e5f0a339f6cc5ec565326cc6911b33bf872cef9b860d72d8887573d92d5c7661c580a232e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
5KB

MD5
4a64f99b0cd510a9217baa839cda332d

SHA1
f0c3ca63fd7df2f0dcb43399387a0484ed13a550

SHA256
08da0ab7e3b059bf940cc9e27a73fde2fba98b676d913bfabe02b82953913978

SHA512
a74e2f51cf4dc5044b7a18237a6aec30a4f03905e30a69d62b92ebd5be3ae6b3f660f279dc350d1f005fdae4f5cbcdc333bf27db5f03c38e0f04aa493e38fd45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
6KB

MD5
5db4016586af0d09097ac43012a63ac6

SHA1
52a3492f90936d982178e0c606170eb0e4a009c6

SHA256
dbd913741ffb04148d76932415a66974e7a5540b60dc532a7d85aa37af23d2fc

SHA512
8fd14ec400d3ab1bce985ce950afd1cb60fcbec71d54b8aa1ea5dbe9e310e26ff21793026fc4c37418e4e046f5aea6c251df23e8b3046ab49eea321213c230d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
367B

MD5
4bb99c81557361654addc59a4bab1cc4

SHA1
a85bf6cb42b184f9a3cbfde1e5167baaf337454e

SHA256
67fbe1d88eb2057c1b93fb6fc2701f3d5c7463201939635548e2edb62f701ef7

SHA512
7c89482dff2aeaeb52290c994e99824a8c6f4e1251671bbbeed831e4e174387e9c512e9358d406cd9435fa963eaf9516e1478bb93aa7c5f6acb17247b73d4154

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
336979002dfccea2706ed67d13995416

SHA1
bc8f295a6e5b20df14caaacdf5d0a901efe9e8ad

SHA256
038a4d28a0d124ce69a1ba3677053e4a2a70202ed000fa92430c223b3555be13

SHA512
8c73cc473e2c4d7d82bf661e5bedf4f74fee6c18944b94674efe129d1f77b36b3d40e166b8df886f61fa4beadeda0fa107b3dd45a1f7558a14cfdb75f2bfadda

Download Submit
\ProgramData\WinNet\embedded.exe
Filesize
2.2MB

MD5
c396f16fbe803fc3ed28fb1cc279ae96

SHA1
e7bdb333a279d8b45062e2392aa39fc4716abcb4

SHA256
82f5dec1f6ae6058f14ceb9e192b53a458d22cc7a55161fa5ca67af76c6d2bed

SHA512
32f5d3cb27516e70eb93f89d42b466133f30ad0c89b8955a7d96db58db67dd7a8de7d350129da1f7e52539cb14da372d9462100ec2fcccaa01cd571ea80442aa

Download Submit
memory/1460-70-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/1460-71-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/1660-68-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/1660-67-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/1660-86-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1660-96-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/2144-51-0x00000000000E0000-0x0000000000130000-memory.dmp

Filesize
320KB

Download
memory/2144-58-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/2144-55-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-4-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2476-5-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2476-1-0x00000000032E0000-0x00000000043B5000-memory.dmp

Filesize
16.8MB

Download
memory/2476-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2476-2-0x00000000032E0000-0x00000000043B5000-memory.dmp

Filesize
16.8MB

Download
memory/2476-3-0x00000000032E0000-0x00000000043B5000-memory.dmp

Filesize
16.8MB

Download
memory/2620-52-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/2620-78-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2620-80-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2620-57-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/2620-87-0x00000000009D0000-0x0000000002107000-memory.dmp

Filesize
23.2MB

Download
memory/2620-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2700-27-0x0000000002BC0000-0x000000000337D000-memory.dmp

Filesize
7.7MB

Download
memory/2700-25-0x0000000002BC0000-0x000000000337D000-memory.dmp

Filesize
7.7MB

Download
memory/2700-24-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2700-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2700-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2700-29-0x0000000002BC0000-0x000000000337D000-memory.dmp

Filesize
7.7MB

Download